Check: IIST-SV-000144
Microsoft IIS 10.0 Server STIG:
IIST-SV-000144
(in versions v2 r10 through v1 r1)
Title
IIS 10.0 web server system files must conform to minimum file permission requirements. (Cat II impact)
Discussion
This check verifies the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web server, and thus its behavior, must also be accessible by the account running the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.
Check Content
Open Explorer and navigate to the inetpub directory. Right-click "inetpub" and select "Properties". Click the "Security" tab. Verify the permissions for the following users; if the permissions are less restrictive, this is a finding. System: Full control Administrators: Full control TrustedInstaller: Full control ALL APPLICATION PACKAGES (built-in security group): Read and execute ALL RESTRICTED APPLICATION PACKAGES (built-in security group): Read and execute Users: Read and execute, list folder contents CREATOR OWNER: Full Control, Subfolders and files only
Fix Text
Open Explorer and navigate to the inetpub directory. Right-click "inetpub" and select "Properties". Click the "Security" tab. Set the following permissions: SYSTEM: Full control Administrators: Full control TrustedInstaller: Full control ALL APPLICATION PACKAGES (built-in security group): Read and execute Users: Read and execute, list folder contents CREATOR OWNER: special permissions to subkeys
Additional Identifiers
Rule ID: SV-218814r879717_rule
Vulnerability ID: V-218814
Group Title: SRG-APP-000340-WSR-000029
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002235 |
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
Controls
Number | Title |
---|---|
AC-6 (10) |
Prohibit Non-Privileged Users From Executing Privileged Functions |