Title

Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled. (Cat II impact)

Discussion

Internet Information Services (IIS) on Windows Server 2012 provides basic logging capabilities. However, because IIS takes some time to flush logs to disk, administrators do not have access to logging information in real-time. In addition, text-based log files can be difficult and time-consuming to process. In IIS 8.5, the administrator has the option of sending logging information to Event Tracing for Windows (ETW). This option gives the administrator the ability to use standard query tools, or create custom tools, for viewing real-time logging information in ETW. This provides a significant advantage over parsing text-based log files that are not updated in real time. Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000108-WSR-000166

Check Content

Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Click the "Logging" icon. Under Log Event Destination, verify the "Both log file and ETW event" radio button is selected. If the "Both log file and ETW event" radio button is not selected, this is a finding.

Fix Text

Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Click the "Logging" icon. Under Log Event Destination, select the "Both log file and ETW event" radio button. Select "Apply" from the "Actions" pane.

Additional Identifiers

Rule ID: SV-214449r879562_rule

Vulnerability ID: V-214449

Group Title: SRG-APP-000092-WSR-000055

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.