
Web server/site administration must be performed over a secure path.


Overview

Finding ID: V-2249
Version: WG230 IIS7
Rule ID: SV-32329r2_rule
IA Controls: EBRU-1
Severity: High
Description
Logging into a web server via a telnet session or using HTTP or FTP to perform updates and maintenance carries risk because user IDs and passwords are passed in plain text. A secure shell service or HTTPS should be used for these purposes. Another alternative is to administer the web server/site from the local console.
STIG: IIS 7.0 WEB SITE STIG
Date: 2015-06-01

Details

Check Text (C-32735r1_chk)
1. Right-click the Computer icon, select Properties.
2. Click Remote Settings.
3. If "Allow connections only from computers running Remote Desktop with Network Level Authentication" is not selected, this is a finding.
Fix Text (F-29062r1_fix)
1. Develop documentation listing those individuals who are authorized to perform remote administration.
2. Right-click the Computer icon, select Properties.
3. Click Remote Settings.
4. Select "Allow connections only from computers running Remote Desktop with Network Level Authentication".
5. Click Select Users and add the users to the list the SA has documented as authorized to access the system remotely.
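
The Remote Settings option in the check, and the user list from step 5 of the fix, can also be read from the registry and the local Remote Desktop Users group. The PowerShell below is an added example, not part of the STIG; the authorized-list path and its one-account-per-line format are assumptions.

```powershell
# Added example: scripted read of the settings the GUI check inspects.
param(
    # Assumption: hypothetical file the SA maintains, one account per line,
    # written in the same DOMAIN\name form this script prints.
    [string]$AuthorizedListPath = 'C:\Audit\rdp-authorized-users.txt'
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# fDenyTSConnections = 1 corresponds to "Don't allow connections".
$rdpDisabled = (Get-RegValue $ts 'fDenyTSConnections') -eq 1

# Group Policy, when configured, overrides the local Remote Settings choice.
$nla = Get-RegValue $policy 'UserAuthentication'
if ($null -eq $nla) { $nla = Get-RegValue $rdpTcp 'UserAuthentication' }

if ($rdpDisabled) {
    'Remote Desktop connections are not allowed on this host.'
} elseif ($nla -eq 1) {
    'Not a finding: Network Level Authentication is required.'
} else {
    'FINDING: Remote Desktop accepts connections without NLA.'
}

# Accounts in Remote Desktop Users (WinNT provider also works on PowerShell 2.0).
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $adsPath = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($adsPath -replace '^WinNT://', '') -replace '/', '\'
})

if (Test-Path $AuthorizedListPath) {
    $authorized = Get-Content $AuthorizedListPath | Where-Object { $_.Trim() }
    $members | Where-Object { $authorized -notcontains $_ } |
        ForEach-Object { "Not on the documented list: $_" }
} else {
    "No authorized list at $AuthorizedListPath; current members:"; $members
}
```

Members of the local Administrators group can connect over Remote Desktop without being in Remote Desktop Users, so review that group against the documented list as well.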