An error occurred:

Check: IIST-SI-000221

Microsoft IIS 10.0 Site STIG: IIST-SI-000221 (in version v2 r9)

Title

Anonymous IIS 10.0 website access accounts must be restricted. (Cat I impact)

Discussion

Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather users are assigned incorrect permissions to unauthorized data. The files, directories, and data stored on the web server must be evaluated and a determination made concerning authorized access to information and programs on the server. Only authorized users and administrative accounts will be allowed on the host server in order to maintain the web server, applications, and review the server operations.

Check Content

Check the account used for anonymous access to the website. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click "Authentication" in the IIS section of the website’s Home Pane. If "Anonymous access" is disabled, this is Not a Finding. If "Anonymous access" is enabled, click "Anonymous Authentication". Click "Edit" in the "Actions" pane. If the "Specific user" radio button is enabled and an ID is specified in the adjacent control box, this is the ID being used for anonymous access. Note the account name. If nothing is tied to "Specific User", this is Not a Finding. Check privileged groups that may allow the anonymous account inappropriate membership: Open "Computer Management" on the machine. Expand "Local Users and Groups". Open "Groups". Review the members of any of the following privileged groups: Administrators Backup Operators Certificate Services (of any designation) Distributed COM Users Event Log Readers Network Configuration Operators Performance Log Users Performance Monitor Users Power Users Print Operators Remote Desktop Users Replicator Double-click each group and review its members. If the IUSR account or any account noted above used for anonymous access is a member of any group with privileged access, this is a finding.

Fix Text

Remove the Anonymous access account from all privileged accounts and all privileged groups.

Additional Identifiers

Rule ID: SV-218750r928848_rule

Vulnerability ID: V-218750

Group Title: SRG-APP-000211-WSR-000031

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001082

The information system separates user functionality (including user interface services) from information system management functionality.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-2

Application Partitioning