Check: WG250 IIS6
IIS6 Site:
WG250 IIS6
(in version v6 r16)
Title
Users other than Auditors group must not have greater than read access to log files. (Cat II impact)
Discussion
The access and error logs are a major tool for exploring web site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and the Web Manager with valuable information. To ensure the integrity of the log files and to protect the SA and Web Manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.
Check Content
1. Open the IIS Manager > Expand the Web Sites directory > Right-click on the site being reviewed and select Properties.
2. Select the Web Site tab > Click on the Properties button beside the log format dropdown.
3. Note the log file path under Log file directory.
4. Navigate to this location.
5. Right-click on the directories and files in this location > Select Properties > Select the Security tab.
6. Ensure only the System, Administrators, and Auditors groups have greater than Read permission.
If any users or groups, other than System, Administrators, or Auditors, have greater than Read permission to the log directories and files, this is a finding.
NOTE: The Auditors group does not have to be named Auditors, but the site will need to identify the group containing the auditors.
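
Steps 4 to 6 can be scripted so that every directory and file under the log path is covered. The PowerShell below is an added example, not part of the STIG; `$LogPath` and `$AuditorsGroup` are assumed parameter names, and it assumes that "Read" means the NTFS Read right only, so Read & Execute is reported as greater than Read.

```powershell
# Added example, not part of the STIG: list Allow ACEs on the IIS log directory
# and its contents that grant more than Read to anyone outside the three groups.
param(
    [Parameter(Mandatory=$true)][string]$LogPath,       # directory noted in step 3
    [Parameter(Mandatory=$true)][string]$AuditorsGroup  # site-specific, e.g. 'EXAMPLE\WebAuditors' (placeholder)
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$allowed = @(
    'S-1-5-18',      # SYSTEM (well-known SID)
    'S-1-5-32-544',  # BUILTIN\Administrators (well-known SID)
    (New-Object System.Security.Principal.NTAccount($AuditorsGroup)).Translate($sidType).Value
)

# Assumption: "Read" means the NTFS Read right plus Synchronize (or GENERIC_READ,
# 0x80000000). Read & Execute, Write, Modify and Full Control are "greater than Read".
$fsr      = [System.Security.AccessControl.FileSystemRights]
$readMask = [int]($fsr::Read -bor $fsr::Synchronize) -bor 0x80000000

$items = @(Get-Item -LiteralPath $LogPath -Force) +
         @(Get-ChildItem -LiteralPath $LogPath -Recurse -Force)

$findings = @(foreach ($item in $items) {
    $acl = Get-Acl -Path $item.FullName
    # Ask for explicit and inherited rules with identities expressed as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($allowed -contains $ace.IdentityReference.Value) { continue }
        $excess = [int]$ace.FileSystemRights -band (-bnot $readMask)
        if ($excess -eq 0) { continue }

        # Show a readable account name where the SID resolves, else the SID itself.
        $name = $ace.IdentityReference.Value
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{
            Path = $item.FullName; Identity = $name
            Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
        }
    }
})

if ($findings.Count) {
    $findings | Select-Object Path, Identity, Rights, Inherited | Format-Table -AutoSize
    Write-Host "FINDING: $($findings.Count) ACE(s) grant more than Read."
} else { Write-Host 'No ACEs grant more than Read to other users or groups.' }
```

Inherit-only entries such as CREATOR OWNER are reported as well, because they determine the permissions of files created later in the directory.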
Fix Text
Ensure only the System, Administrators, and Auditors groups have greater than read permission to the log files.
Additional Identifiers
Rule ID: SV-30017r1_rule
Vulnerability ID: V-2252
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |