UCF STIG Viewer Logo

Users other than Auditors group must not have greater than read access to log files.


Finding ID Version Rule ID IA Controls Severity
V-2252 WG250 IIS6 SV-30017r1_rule ECTP-1 Medium
A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the Web Manager with valuable information. To ensure the integrity of the log files and protect the SA and Web Manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.
IIS6 Site 2015-06-01


Check Text ( C-29939r1_chk )
1. Open the IIS Manager > Expand the Web Sites directory > Right click on the site being reviewed and select properties.
2. Select the Web Site tab > Click on the properties button beside the log format dropdown.
3. Note the log file path under Log file directory.
4. Navigate to this location.
5. Right click on the directories and files in this location > Select properties > Select the Security tab.
6. Ensure only the System, Administrators, and Auditors group have greater than Read permission.

If any users or groups, other than System, Administrators, or Auditors, have greater than read permission to the log directories and files, this is a finding.

NOTE: The Auditor group does not have to have the name Auditors, but the site will need to identify the group containing the auditors.
Fix Text (F-32675r1_fix)
Ensure only the System, Administrators, and Auditors group has greater than read permission to the log files.