IIS 8.5 web server system files must conform to minimum file permission requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-76745	IISW-SV-000144	SV-91441r1_rule		Medium

Description
This check verifies the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web server, and thus its behavior, must also be accessible by the account running the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.

Description

This check verifies the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web server, and thus its behavior, must also be accessible by the account running the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.

STIG	Date
IIS 8.5 Server Security Technical Implementation Guide	2019-10-01

Details

Check Text ( C-76401r1_chk )
Open Explorer and navigate to the inetpub directory. Right-click inetpub and select “Properties”. Click the "Security" tab. Verify the permissions for the following users; if the permissions are less restrictive, this is a finding. System: Full control Administrators: Full control TrustedInstaller: Full control ALL APPLICATION PACKAGES (built-in security group): Read and execute Users: Read and execute, list folder contents Creator/Owner: Special permissions to subkeys

Check Text ( C-76401r1_chk )

Open Explorer and navigate to the inetpub directory.

Right-click inetpub and select “Properties”.

Click the "Security" tab.

Verify the permissions for the following users; if the permissions are less restrictive, this is a finding.

System: Full control
Administrators: Full control
TrustedInstaller: Full control
ALL APPLICATION PACKAGES (built-in security group): Read and execute
Users: Read and execute, list folder contents
Creator/Owner: Special permissions to subkeys

Fix Text (F-83441r1_fix)
Open Explorer and navigate to the inetpub directory. Right-click inetpub and select “Properties”. Click the "Security" tab. Set the following permissions: SYSTEM: Full control Administrators: Full control TrustedInstaller: Full control ALL APPLICATION PACKAGES (built-in security group): Read and execute Users: Read and execute, list folder contents Creator/Owner: special permissions to subkeys

Fix Text (F-83441r1_fix)

Open Explorer and navigate to the inetpub directory.

Right-click inetpub and select “Properties”.

Click the "Security" tab.

Set the following permissions:

SYSTEM: Full control
Administrators: Full control
TrustedInstaller: Full control
ALL APPLICATION PACKAGES (built-in security group): Read and execute
Users: Read and execute, list folder contents
Creator/Owner: special permissions to subkeys