Check: IIST-SI-000206
Microsoft IIS 10.0 Site STIG: IIST-SI-000206 (in versions v2 r9 through v1 r1)
Title
Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled. (Cat II impact)
Discussion
Internet Information Services (IIS) on Windows Server 2012 provides basic logging capabilities. However, because IIS takes some time to flush logs to disk, administrators do not have access to logging information in real time. In addition, text-based log files can be difficult and time-consuming to process.

In IIS 10.0, the administrator has the option of sending logging information to Event Tracing for Windows (ETW). This option gives the administrator the ability to use standard query tools, or create custom tools, for viewing real-time logging information in ETW. This provides a significant advantage over parsing text-based log files that are not updated in real time.

Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000108-WSR-000166
Check Content
Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name.

Click the "Logging" icon.

Under Log Event Destination, verify the "Both log file and ETW event" radio button is selected.

If the "Both log file and ETW event" radio button is not selected, this is a finding.

Note: "Microsoft-IIS-Logging/logs" must be enabled prior to configuring this setting. More configuration information is available at: https://blogs.intelink.gov/blogs/_disairrt/?p=1317
Fix Text
Note: "Microsoft-IIS-Logging/logs" must be enabled prior to configuring this setting.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name.

Click the "Logging" icon.

Under Log Event Destination, select the "Both log file and ETW event" radio button.

Select "Apply" from the "Actions" pane.
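
The per-site check above can be scripted so every site on the server is evaluated in one pass. The following is an added example, not part of the STIG text; it assumes the WebAdministration module is installed and the session is elevated, and it relies on the "Log Event Destination" radio buttons being stored in each site's `logFile.logTargetW3C` attribute.

```powershell
# Added example (not STIG content): audit IIST-SI-000206 across all sites.
# Assumes: WebAdministration module available, elevated PowerShell session.
Import-Module WebAdministration

# Prerequisite from the Note: the Microsoft-IIS-Logging/Logs channel must be enabled.
$channel = Get-WinEvent -ListLog 'Microsoft-IIS-Logging/Logs' -ErrorAction SilentlyContinue
$channelEnabled = [bool]($channel -and $channel.IsEnabled)
if (-not $channelEnabled) {
    Write-Warning 'Event log channel Microsoft-IIS-Logging/Logs is missing or disabled.'
}

$report = foreach ($site in Get-Website) {
    # logTargetW3C holds "File", "ETW" or "File,ETW"; split so ordering and
    # whitespace do not affect the comparison.
    $targets = ([string]$site.logFile.logTargetW3C) -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    $bothSelected = ($targets -contains 'File') -and ($targets -contains 'ETW')

    [pscustomobject]@{
        Site              = $site.Name
        LogTargetW3C      = $targets -join ','
        EtwChannelEnabled = $channelEnabled
        Finding           = -not $bothSelected
    }
}

$report | Format-Table -AutoSize

# Sites that need the Fix Text applied:
$report | Where-Object Finding | Select-Object -ExpandProperty Site

# Scripted equivalent of the Fix Text for one site (uncomment to apply):
# Set-ItemProperty -Path 'IIS:\Sites\<site name>' -Name 'logFile.logTargetW3C' -Value 'File,ETW'
```

A site reported with `Finding = True` has only one destination selected; the `EtwChannelEnabled` column is reported separately because the STIG treats the channel as a prerequisite rather than as the finding condition.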
Additional Identifiers
Rule ID: SV-218739r879562_rule
Vulnerability ID: V-218739
Group Title: SRG-APP-000092-WSR-000055
CCIs
Number | Definition |
---|---|
CCI-000139 | The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure. |
CCI-001464 | The information system initiates session audits at system start-up. |