Title

Web server system files must conform to minimum file permission requirements. (Cat II impact)

Discussion

This check verifies the key web server system configuration files are owned by the SA or Web Manager controlled account. These same files which control the configuration of the web server, and thus its behavior, must also be accessible by the account which runs the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.

Check Content

IIS: The default server root is %system%\system32\inetsrv. The anonymous web user is IUSR_computername and IWAM_computername, which are created by default when IIS is installed. This account should be part of a group named Guests or WebUsers (IIS Lockdown creates the Web Applications and Web Anonymous Users Groups) and have read and execute permissions only to web content directories. Other permissions are as follows: \inetpub Administrators (Full Control) System (Full Control) Authenticated Users (Read) \inetpub\AdminScripts Administrators (Full Control) System (Full Control) \inetpub\ftproot Administrators (Full Control) System (Full Control) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) \inetpub\ftproot\ftpfiles Administrators (Full Control) System (Full Control) WebAdmins (Modify) Authenticated Users (Read) Web Anonymous Users (Read) Web Applications (Read) IIS_WPG (Read) IIS Permissions: Read and None FTP Uploads (if required) \inetpub\ftproot\dropbox Administrators (Full Control) WebAdmins or FTPAdmins (Read,Write,Delete) SpecifiedUsers (Write) IIS Permissions: Write and None \inetpub\mailroot Administrators (Full Control) System (Full Control) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) \inetpub\wwwroot Administrators (Full Control) System (Full Control) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) \inetpub\wwroot\docs Administrators (Full Control) System (Full Control) WebAdmins (Modify) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) IIS Permissions: Read and None \inetpub\wwwroot\images Administrators (Full Control) System (Full Control) WebAdmins (Modify) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) IIS Permissions: Read and None \inetpub\wwwroot\scripts Administrators (Full Control) System (Full Control) WebAdmins(Modify) IIS_WPG (Traverse Folder/Execute) Web Anonymous Users (Traverse Folder/Execute) Web Applications (Traverse Folder/Execute) IIS Permissions: Script NOTE: There may additional application specific content directories associated with this web server and they should follow the same guidance as the wwwroot and associated sub-directories for permissions. \WINNT\system32\inetsrv Administrators (Full Control) System (Full Control) Users (Read & Execute) \WINNT\system32\inetsrv\data Administrators (Full Control) System (Full Control) Users (Read & Execute) \WINNT\system32\inetsrv\ASP Compiled Templates Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\History Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\iisadmin Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\iisadmpwd Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\inetmgr.exe Administrators (Full Control) System (Full Control) Web Admins (Read & Execute) Web Anonymous Users (Deny ALL) Web Applications (Deny ALL) IIS_WPG (Deny ALL) \WINNT\system32\inetsrv\MetaBack Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\urlscan Administrators (Full Control) System (Full Control) LocalService (Read / Execute) NetworkService (Read/Execute) FILE SPECIFIC PERMISSIONS \WINNT\system32\inetsrv\*.exe \WINNT\system32\inetsrv\*.bat \WINNT\system32\inetsrv\oblt-log.log \WINNT\system32\inetsrv\oblt-rep.log \WINNT\system32\inetsrv\oblt-undo.log \WINNT\system32\inetsrv\oblt-undone.log Administrators (Full Control) System (Full Control) Users (Read & Execute) Web Anonymous Users (Deny ALL) Web Applications (Deny ALL) IIS_WPG (Deny ALL) \WINNT\system32\inetsrv\metabase.bin \WINNT\system32\inetsrv\metabase.xml \WINNT\system32\inetsrv\MBSchema.xml \WINNT\system32\inetsrv\ MBSchema.bin.00000000h Administrators (Full Control) System (Full Control) If the file permissions do not meet the minimum file permissions listed above, this is a finding. More restrictive file permissions would not be a finding. NOTE: If there is a "Windows\SysWOW64\Inetsrv" present on the system, this check applies to that directory as well. NOTE: To check the file permissions, you will need to navigate the directories or files using a tools such as Windows Explorer, right click on the directory or file that you are reviewing, select properties, then the security tab. The permissions will then be displayed for your review. To check the IIS Permissions, you will need to use the Internet Services Manager, navigate to the web site you are reviewing, select properties, select the Home Directory tab. From here you can review the assigned IIS

Fix Text

Set file permissions on the web server systems files to meet minimum file permissions requirements.

Additional Identifiers

Rule ID: SV-31321r1_rule

Vulnerability ID: V-2259

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.