UCF STIG Viewer Logo

Anonymous IIS 8.5 website access accounts must be restricted.


Finding ID Version Rule ID IA Controls Severity
V-214461 IISW-SI-000221 SV-214461r879631_rule High
Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather users are assigned incorrect permissions to unauthorized data. The files, directories, and data that are stored on the web server need to be evaluated and a determination made concerning authorized access to information and programs on the server. Only authorized users and administrative accounts will be allowed on the host server in order to maintain the web server, applications, and review the server operations.
Microsoft IIS 8.5 Site Security Technical Implementation Guide 2022-12-09


Check Text ( C-15670r505312_chk )
Check the account used for anonymous access to the website.

Follow the procedures below for each site hosted on the IIS 8.5 web server:
Open the IIS 8.5 Manager.

Double-click "Authentication" in the IIS section of the website’s Home Pane.

If Anonymous access is disabled, this is Not a Finding.

If Anonymous access is enabled, click “Anonymous Authentication”.

Click “Edit” in the "Actions" pane.

If the “Specific user” radio button is enabled and an ID is specified in the adjacent control box, this is the ID being used for anonymous access. Note: account name.

Check privileged groups that may allow the anonymous account inappropriate membership:
Open “Server Manager” on the machine.

Expand Configuration.

Expand Local Users and Groups.

Click “Groups”.

Review members of any of the following privileged groups:

Backup Operators
Certificate Services (of any designation)
Distributed COM Users
Event Log Readers
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Power Users
Print Operators
Remote Desktop Users

Double-click each group and review its members.

If the IUSR account or any account noted above used for anonymous access is a member of any group with privileged access, this is a finding.
Fix Text (F-15668r505313_fix)
Remove the Anonymous access account from all privileged accounts and all privileged groups.