Check: WG220 IIS6
IIS6 Server:
WG220 IIS6
(in version v6 r16)
Title
Access to web administration tools must be restricted to the Web Manager and the Web Manager’s designees. (Cat II impact)
Discussion
The key web service administrative and configuration tools must only be accessible by the web server staff. All users granted this authority will be documented and approved by the ISSO. Access to the IIS Manager will be limited to authorized users and administrators.
Check Content
1. Open the Microsoft Management Console (MMC).
2. Expand the applicable policy > Windows Settings > Security Settings > Local Policies.
3. Click on User Rights Assignment.
4. Double click Allow log on locally.
5. The Allow log on locally must be limited to accounts owned by the SA, Web Manager, or Web Manager designees.
6. Navigate to %systemroot%\system32\inetsrv\.
7. Right click inetmgr.exe and select properties.
8. Select the security tab.
9. The Internet Services Manager (i.e. inetmgr.exe) must be limited to accounts owned by the SA, Web Manager, or Web Manager’s designees.

If accounts other than the System, SA, Web Manager, or Web Manager designees have access to the web administration tool or equivalent, this is a finding.
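The two manual checks above can be scripted. The following is an added example, not part of the STIG text: it reads the effective "Allow log on locally" right (SeInteractiveLogonRight) via secedit and the Allow entries on inetmgr.exe, then compares both against an allow-list. The account names in $Approved are placeholders, and PowerShell 2.0 or later on the server is assumed.

```powershell
# Added example: automates the two checks above. Run from an elevated prompt.
# ASSUMPTION: $Approved is a placeholder allow-list; replace it with the
# accounts documented and approved by the ISSO for this server.
$Approved = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'EXAMPLE\WebManager'          # hypothetical Web Manager account
)

function Resolve-Principal([string]$Entry) {
    # secedit writes SIDs as "*S-1-5-..." and unresolved names as plain text.
    $id = $Entry.Trim().TrimStart('*')
    if ($id -notmatch '^S-1-') { return $id }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($id)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $id }        # orphaned SID: report it as-is
}

function Get-LocalLogonAccounts {
    # Steps 1-5: export user rights and read SeInteractiveLogonRight
    # ("Allow log on locally").
    $cfg = Join-Path $env:TEMP 'wg220-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $cfg
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Principal $_ }
}

function Get-InetMgrAccounts {
    # Steps 6-9: accounts holding an Allow ACE on inetmgr.exe.
    $path = Join-Path $env:SystemRoot 'system32\inetsrv\inetmgr.exe'
    (Get-Acl $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

$findings = @()
Get-LocalLogonAccounts | Where-Object { $Approved -notcontains $_ } |
    ForEach-Object { $findings += "Allow log on locally: $_" }
Get-InetMgrAccounts | Where-Object { $Approved -notcontains $_ } |
    ForEach-Object { $findings += "inetmgr.exe ACL: $_" }

if ($findings) { 'FINDING'; $findings } else { 'Not a finding' }
```

Group entries are reported by group name only, so membership of any approved group still has to be reviewed against the documented list.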
Fix Text
Restrict access to the web administration tool to only the Web Manager and the Web Manager’s designees.
Additional Identifiers
Rule ID: SV-38326r2_rule
Vulnerability ID: V-2248
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |