The web client account access to the content and scripts directories must be limited to read and execute.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2258	WG290 IIS6	SV-30020r1_rule	ECLP-1	High

Description
Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.

STIG	Date
IIS6 Site	2015-06-01

Details

Check Text ( C-29955r1_chk )
1. Determine the web client account (anonymous account) for the web server. 2. Note the group memberships of this account found under the Member Of tab. 3. Open the IIS Manager > Right click on the web site for review > Select properties > Select the Home Directory tab. 4. Note the Local path entry, this will be used later. 5. Ensure the Script source access, Write, and Directory browsing check boxes are unchecked. 6. Repeat step 2 for all sub directories (including virtual directories) and files of the web site being reviewed (Directory and File tabs, respectively). 7. Note the Local path entry for the virtual directories. 8. Navigate to the local paths found in steps 4 & 7 via Windows Explorer, or equivalent, and verify the permissions assigned to the anonymous account (normally IUSR_computername). If the any of the web sites, their sub-directories (including virtual directories), or files has Script source access, Write, or Directory browsing enabled, this is a finding. If the anonymous account is assigned greater than read & execute permissions to any of the local paths (including their content), this is a finding. NOTE: If the Microsoft ‘everyone’ account has access to these directories, this is a finding.

Check Text ( C-29955r1_chk )

1. Determine the web client account (anonymous account) for the web server.
2. Note the group memberships of this account found under the Member Of tab.
3. Open the IIS Manager > Right click on the web site for review > Select properties > Select the Home Directory tab.
4. Note the Local path entry, this will be used later.
5. Ensure the Script source access, Write, and Directory browsing check boxes are unchecked.
6. Repeat step 2 for all sub directories (including virtual directories) and files of the web site being reviewed (Directory and File tabs, respectively).
7. Note the Local path entry for the virtual directories.
8. Navigate to the local paths found in steps 4 & 7 via Windows Explorer, or equivalent, and verify the permissions assigned to the anonymous account (normally IUSR_computername).

If the any of the web sites, their sub-directories (including virtual directories), or files has Script source access, Write, or Directory browsing enabled, this is a finding.

If the anonymous account is assigned greater than read & execute permissions to any of the local paths (including their content), this is a finding.

NOTE: If the Microsoft ‘everyone’ account has access to these directories, this is a finding.

Fix Text (F-32683r1_fix)
Disable Script source access, Write, and Directory browsing permissions on the web site, its sub-directories (including virtual directories), and files. Limit the anonymous account permissions to read & execute or less for the local paths (including their content).