Check: WG195 IIS6
IIS6 Server: WG195 IIS6 (in version v6 r16)
Title
Anonymous access accounts must be restricted. (Cat I impact)
Discussion
Many security problems do not arise from a user defeating permissions on files or data, but from users being granted permissions to data they are not authorized to access. The files, directories, and data stored on the web server must be evaluated and a determination made as to who is authorized to access the information and programs on the server. In most cases several types of users can be identified on a web server: system SAs, web administrators, auditors, authors, developers, and clients (web users, either anonymous or authenticated). Only authorized users and administrative accounts are allowed on the host server, and only for the purpose of maintaining the web server and its applications and reviewing server operations.
Check Content
The reviewer should review the privileges assigned to the anonymous web access account, "IUSR_Account" (by default IUSR_<computername> on IIS 6). No group the IUSR_Account belongs to may grant authenticated-user level access to external users. The acceptable solution is a separate local group created solely for anonymous access, to which the IUSR_Account is assigned.
1. Select Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Users.
2. Double-click the IUSR_Account and select the "Member of:" tab.
If the IUSR_Account is assigned to any group other than a local anonymous group, this is a finding.
NOTE: Membership in the Authenticated Users group or the Everyone group is implicit in Windows and does not by itself make this a finding.
NOTE: The group created for the anonymous account must be restricted to the web directories and must not have access to the entire system.
NOTE: If a web site has been configured (IIS Manager > Directory Security > Authentication and access control) to use an anonymous account other than IUSR_<computername>, review that account's group membership instead.
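The reviewer steps above, as an added PowerShell example that is not part of the STIG itself: it reads the direct local group membership of the anonymous account through the WinNT ADSI provider (the same data the "Member of:" tab shows, and available on Windows Server 2003 without any extra modules) and reports a finding for any group that is not on an allow list. The account name IUSR_<COMPUTERNAME> is the IIS 6 default; the allowed group name "WebAnonymous" is a hypothetical dedicated anonymous group and must be replaced with the site's own.

```powershell
# Added example (not part of the STIG): check WG195 group membership of the
# IIS 6 anonymous account. Assumes Windows Server 2003 / IIS 6 and the default
# account name IUSR_<COMPUTERNAME>. "WebAnonymous" is a hypothetical local group
# created for anonymous web access; pass -AllowedGroups to match your server.
param(
    [string]$AnonAccount   = "IUSR_$env:COMPUTERNAME",
    [string[]]$AllowedGroups = @("WebAnonymous")
)

$path = "WinNT://$env:COMPUTERNAME/$AnonAccount,user"
if (-not [ADSI]::Exists($path)) {
    throw "Anonymous account '$AnonAccount' not found on $env:COMPUTERNAME"
}
$user = [ADSI]$path

# Groups() returns the account's direct local group memberships, i.e. the
# contents of the "Member of:" tab. Implicit groups such as Everyone and
# Authenticated Users are not listed here, matching the STIG note.
$groups = @($user.Invoke("Groups") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
})

# Any membership outside the dedicated anonymous group(s) is a finding.
$findings = @($groups | Where-Object { $AllowedGroups -notcontains $_ })

"Account:                 $AnonAccount"
"Direct group membership: $($groups -join ', ')"
if ($findings.Count -gt 0) {
    "FINDING (WG195): $AnonAccount is a member of non-anonymous group(s): $($findings -join ', ')"
    # Remediation per the Fix Text, one line per offending group:
    foreach ($g in $findings) { "  net localgroup `"$g`" `"$AnonAccount`" /delete" }
    exit 1
}
"PASS (WG195): $AnonAccount is only a member of allowed anonymous group(s)."
exit 0
```

Run it from an administrative prompt on the web server. On a default Windows Server 2003 install the account is a member of Guests, so the first run will report Guests as a finding unless it is added to -AllowedGroups; whether Guests counts as a "local anonymous group" is a reviewer judgment that the STIG leaves open, and the script only accepts what is explicitly allowed. The script does not verify the NTFS restriction called for in the last NOTE (the anonymous group confined to the web directories); that remains a manual check of the file system ACLs.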
Fix Text
Remove the anonymous access account from all privileged groups, and revoke any privileges (user rights) that have been assigned to the account directly.
Additional Identifiers
Rule ID: SV-29351r1_rule
Vulnerability ID: V-6537
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |