IIS6 Server

The reviewer should make a note of the name of the account being used for the web service. NOTE: There may also be other server services running related to the web server in support of a particular web application, these passwords must be entrusted to the SA or Web Manager as well. Query the SA or Web Manager to determine if they have the web service password(s). If the web services password(s) are not entrusted to the SA or Web Manager, this is a finding. NOTE: For IIS installations that use the LocalSystem account, the password is OS generated. In this case, the SA or Web Manager having an Admin account on the system would meet the intent of this check.

The reviewer should make a note of the name of the account being used for the web service. NOTE: There may also be other server services running related to the web server in support of a particular web application, these passwords must be entrusted to the SA or Web Manager as well. Query the SA or Web Manager to determine if they have the web service password(s). If the web services password(s) are not entrusted to the SA or Web Manager, this is a finding. NOTE: For IIS installations that use the LocalSystem account, the password is OS generated. In this case, the SA or Web Manager having an Admin account on the system would meet the intent of this check.

1. From a command prompt, type "net share" and press Enter to provide a list of available shares (including printers). 2. To display the permissions assigned to the shares type "net share" followed by the share name found in the previous step. If any private assets are assigned permissions to the share, this is a finding. If any printers are shared, this is a finding.

1. From a command prompt, type "net share" and press Enter to provide a list of available shares (including printers). 2. To display the permissions assigned to the shares type "net share" followed by the share name found in the previous step. If any private assets are assigned permissions to the share, this is a finding. If any printers are shared, this is a finding.

1. Go to Start > Administrative Tools > Services. 2. Right click on service name World Wide Web Publishing Service > Select Properties > Select Log On tab. 3. The username next to “This account” is the web service account ID. 4. Open a command prompt and enter “Net User [service account ID]” > Press Enter 5. Verify the values for Password last set and Password expires to ensure the password has been changed in the past year, and will be required to change within the coming year. If the service account ID is not configured according to the guidelines in step 5, this is a finding. NOTE: For IIS installations that are running as localsystem, the password is changed automatically by the OS every 7 days, so this should be marked as N/A.

1. Go to Start > Administrative Tools > Services. 2. Right click on service name World Wide Web Publishing Service > Select Properties > Select Log On tab. 3. The username next to “This account” is the web service account ID. 4. Open a command prompt and enter “Net User [service account ID]” > Press Enter 5. Verify the values for Password last set and Password expires to ensure the password has been changed in the past year, and will be required to change within the coming year. If the service account ID is not configured according to the guidelines in step 5, this is a finding. NOTE: For IIS installations that are running as localsystem, the password is changed automatically by the OS every 7 days, so this should be marked as N/A.

Using Windows Explorer, search the system for the existence of known compilers such as msc.exe, msvc.exe, Python.exe, javac.exe, Lcc-win32.exe, or equivalent. If a compiler is found on the production server, this is a finding. NOTE: This check does not prohibit the use of the .Net Framework. This does not prohibit the use of the java compiler for Oracle. NOTE: ColdFusion would not be considered a compiler as long as the site is not using the tools for development work.

Using Windows Explorer, search the system for the existence of known compilers such as msc.exe, msvc.exe, Python.exe, javac.exe, Lcc-win32.exe, or equivalent. If a compiler is found on the production server, this is a finding. NOTE: This check does not prohibit the use of the .Net Framework. This does not prohibit the use of the java compiler for Oracle. NOTE: ColdFusion would not be considered a compiler as long as the site is not using the tools for development work.

Interview the SA or web administrator to see where the public web server is logically located in the data center. Review the site’s network diagram to see how the web server is connected to the LAN. Visually check the web server hardware connections to see if it conforms to the site’s network diagram. An improperly located public web server is a potential threat to the entire network. If the web server is not isolated in an accredited DoD DMZ Extension, this is a finding.

Determine where the public web server is logically located on the sites LAN. Visually check the web server hardware connections to see if it conforms to the site’s network diagram. If the web server is not isolated in accordance with the DoD Enclave and Internet-NIPRNet DMZ STIGs, this is a finding. NOTE: If there is a Network Reviewer available, they should be able to provide much of the information needed to validate this check.

Perform a check of the site’s network diagram and a visual check of the web server. The private web server must be located on a separate controlled access subnet and not part of the public DMZ that houses the public web servers. In addition, the private web server needs to be isolated via a controlled access mechanism from the local general population LAN. If the web server is not located inside the premise router, switch, or firewall, and is not isolated via a controlled access mechanism from the general population LAN, this is a finding. NOTE: If there is a Network Reviewer available, they should be able to provide much of the information needed to validate this check.

Perform a check of the site’s network diagram and a visual check of the web server. The private web server must be located on a separate controlled access subnet and not part of the public DMZ that houses the public web servers. In addition, the private web server needs to be isolated via a controlled access mechanism from the local general population LAN. If the web server is not located inside the premise router, switch, or firewall, and is not isolated via a controlled access mechanism from the general population LAN, this is a finding. NOTE: If there is a Network Reviewer available, they should be able to provide much of the information needed to validate this check.

Microsoft IIS 6 mainstream support ended 13 July 2010, and extended support ended 14 July 2015. If Microsoft IIS 6 is installed on a system, this is a finding.

1. Using Explorer, find the inetinfo.exe file or move to the file %systemroot%\system32\inetsrv\inetinfo.exe. 2. Right-click on inetinfo.exe and select properties. 3. Select the version tab. The file version field should be 6.0.xx. 4. If the current version of the web server software is not installed and running, this is a finding.

Search all of the system’s hard drives for the command.com and cmd.exe files. The allowed permissions on these files are: System Full Control Administrators Full Control Examine account access and any group membership access to these files. If any non-administrator account, group membership, or service ID has any access to any command.com or cmd.exe files and the access is documented as mission critical, this is not a finding. Examine access to operating system configuration files, scripts, utilities, privileges, and functions. If any non-administrator account, group membership, or service ID has any access to any of these operating system components and the access is documented as mission critical, this is not a finding. If any non-administrator account, group membership, or service ID has undocumented access to any listed file or operating system component, this is a finding. NOTE: Examine the list of user accounts and determine the group affiliations for the user account in question. Verify with the SA, Web Manager or ISSO that the non-administrator accounts are mission essential. If they are mission essential, and this is documented locally, this would not be a finding. NOTE: CREATOR OWNER would not be a finding if the CREATOR OWNER is an administrative account. If it is not, this is a finding.

Search all of the system’s hard drives for the command.com and cmd.exe files. The allowed permissions on these files are: System Full Control Administrators Full Control Examine account access and any group membership access to these files. If any non-administrator account, group membership, or service ID has any access to any command.com or cmd.exe files and the access is documented as mission critical, this is not a finding. Examine access to operating system configuration files, scripts, utilities, privileges, and functions. If any non-administrator account, group membership, or service ID has any access to any of these operating system components and the access is documented as mission critical, this is not a finding. If any non-administrator account, group membership, or service ID has undocumented access to any listed file or operating system component, this is a finding. NOTE: Examine the list of user accounts and determine the group affiliations for the user account in question. Verify with the SA, Web Manager or IAO that the non-administrator accounts are mission essential. If they are mission essential, and this is documented locally, this would not be a finding. NOTE: CREATOR OWNER would not be a finding if the CREATOR OWNER is an administrative account. If it is not, this is a finding.

1. Open the Microsoft Management Console (MMC). 2. Expand the applicable policy > Windows Settings > Security Settings > Local Policies 3. Click on User Rights Assignment. 4. Double click Allow log on locally. 5. The Allow log on locally must be limited to accounts owned by the SA, Web Manager, or Web Manager designees. 6. Navigate to %systemroot%\system32\inetsrv\. 7. Right click inetmgr.exe and select properties. 8. Select the security tab. 9. The Internet Services Manager (i.e. inetmgr.exe) must be limited to accounts owned by the SA, Web Manager, or Web Manager’s designees. If accounts other than the System, SA, Web Manager, or Web Manager designees have access to the web administration tool or equivalent, this is a finding.

1. Open the Microsoft Management Console (MMC). 2. Expand the applicable policy > Windows Settings > Security Settings > Local Policies 3. Click on User Rights Assignment. 4. Double click Allow log on locally. 5. The Allow log on locally must be limited to accounts owned by the SA, Web Manager, or Web Manager designees. 6. Navigate to %systemroot%\system32\inetsrv\. 7. Right click inetmgr.exe and select properties. 8. Select the security tab. 9. The Internet Services Manager (i.e. inetmgr.exe) must be limited to accounts owned by the SA, Web Manager, or Web Manager’s designees. If accounts other than the System, SA, Web Manager, or Web Manager designees have access to the web administration tool or equivalent, this is a finding.

Query the Information Systems Security Officer (ISSO), SA, Web Manager, Webmaster, and/or developers to determine if the web server is configured with unnecessary software. Query the SA to determine if processes other than those supporting the web server are loaded and/or run on the web server. Examples of software that should not be on the web server are all web development tools, office suites, (unless the web server is a private web development server) compilers, and utilities that are not part of the web server suite or the basic operating system. 1. Check the directory structure of the server and ensure additional, unintended or unneeded applications are not loaded on the system. 2. Select Start > Control Panel > Add or Remove Programs 3. Check for programs services such as: Front Page (as evident by directories which begin _vti ) MS Access MS Excel MS Money MS Word Third party text editors Graphics editors If, after review of the application on the system, the SA cannot provide justification for the requirement of the identified software, this is a finding. NOTE: If the site requires the use of a particular piece of software, the ISSO will need to maintain documentation identifying this software as necessary for operations and the software will be maintained to meet any and all released security patches. In addition, if the software is unsupported, it is not acceptable for use. If this is the case, this should be marked as not a finding.

Query the Information Assurance Officer (IAO) SA, Web Manager, Webmaster, and/or developers to determine if the web server is configured with unnecessary software. Query the SA to determine if processes other than those supporting the web server are loaded and/or run on the web server. Examples of software that should not be on the web server are all web development tools, office suites, (unless the web server is a private web development server) compilers, and utilities that are not part of the web server suite or the basic operating system. 1. Check the directory structure of the server and ensure additional, unintended or unneeded applications are not loaded on the system. 2. Select Start > Control Panel > Add or Remove Programs 3. Check for programs services such as: Front Page (as evident by directories which begin _vti ) MS Access MS Excel MS Money MS Word Third party text editors Graphics editors If, after review of the application on the system, the SA cannot provide justification for the requirement of the identified software, this is a finding. NOTE: If the site requires the use of a particular piece of software, the IAO will need to maintain documentation identifying this software as necessary for operations and the software will be maintained to meet any and all released security patches. In addition, if the software is unsupported, it is not acceptable for use. If this is the case, this should be marked as not a finding.

1. Using User Manager, User Manager for Domains, or Local Users and Groups examine user accounts. 2. Determine if the local sites documentation matches the accounts with access privileges on the server. If documentation does not exist for users and/or groups with access privileges to the web server, this is a finding.

1. Using User Manager, User Manager for Domains, or Local Users and Groups examine user accounts. 2. Determine if the local sites documentation matches the accounts with access privileges on the server. If documentation does not exist for users and/or groups with access privileges to the web server, this is a finding.

IIS: The default server root is %system%\system32\inetsrv. The anonymous web user is IUSR_computername and IWAM_computername, which are created by default when IIS is installed. This account should be part of a group named Guests or WebUsers (IIS Lockdown creates the Web Applications and Web Anonymous Users Groups) and have read and execute permissions only to web content directories. Other permissions are as follows: \inetpub Administrators (Full Control) System (Full Control) Authenticated Users (Read) \inetpub\AdminScripts Administrators (Full Control) System (Full Control) \inetpub\ftproot Administrators (Full Control) System (Full Control) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) \inetpub\ftproot\ftpfiles Administrators (Full Control) System (Full Control) WebAdmins (Modify) Authenticated Users (Read) Web Anonymous Users (Read) Web Applications (Read) IIS_WPG (Read) IIS Permissions: Read and None FTP Uploads (if required) \inetpub\ftproot\dropbox Administrators (Full Control) WebAdmins or FTPAdmins (Read,Write,Delete) SpecifiedUsers (Write) IIS Permissions: Write and None \inetpub\mailroot Administrators (Full Control) System (Full Control) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) \inetpub\wwwroot Administrators (Full Control) System (Full Control) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) \inetpub\wwroot\docs Administrators (Full Control) System (Full Control) WebAdmins (Modify) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) IIS Permissions: Read and None \inetpub\wwwroot\images Administrators (Full Control) System (Full Control) WebAdmins (Modify) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) IIS Permissions: Read and None \inetpub\wwwroot\scripts Administrators (Full Control) System (Full Control) WebAdmins(Modify) IIS_WPG (Traverse Folder/Execute) Web Anonymous Users (Traverse Folder/Execute) Web Applications (Traverse Folder/Execute) IIS Permissions: Script NOTE: There may additional application specific content directories associated with this web server and they should follow the same guidance as the wwwroot and associated sub-directories for permissions. \WINNT\system32\inetsrv Administrators (Full Control) System (Full Control) Users (Read & Execute) \WINNT\system32\inetsrv\data Administrators (Full Control) System (Full Control) Users (Read & Execute) \WINNT\system32\inetsrv\ASP Compiled Templates Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\History Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\iisadmin Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\iisadmpwd Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\inetmgr.exe Administrators (Full Control) System (Full Control) Web Admins (Read & Execute) Web Anonymous Users (Deny ALL) Web Applications (Deny ALL) IIS_WPG (Deny ALL) \WINNT\system32\inetsrv\MetaBack Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\urlscan Administrators (Full Control) System (Full Control) LocalService (Read / Execute) NetworkService (Read/Execute) FILE SPECIFIC PERMISSIONS \WINNT\system32\inetsrv\*.exe \WINNT\system32\inetsrv\*.bat \WINNT\system32\inetsrv\oblt-log.log \WINNT\system32\inetsrv\oblt-rep.log \WINNT\system32\inetsrv\oblt-undo.log \WINNT\system32\inetsrv\oblt-undone.log Administrators (Full Control) System (Full Control) Users (Read & Execute) Web Anonymous Users (Deny ALL) Web Applications (Deny ALL) IIS_WPG (Deny ALL) \WINNT\system32\inetsrv\metabase.bin \WINNT\system32\inetsrv\metabase.xml \WINNT\system32\inetsrv\MBSchema.xml \WINNT\system32\inetsrv\ MBSchema.bin.00000000h Administrators (Full Control) System (Full Control) If the file permissions do not meet the minimum file permissions listed above, this is a finding. More restrictive file permissions would not be a finding. NOTE: If there is a "Windows\SysWOW64\Inetsrv" present on the system, this check applies to that directory as well. NOTE: To check the file permissions, you will need to navigate the directories or files using a tools such as Windows Explorer, right click on the directory or file that you are reviewing, select properties, then the security tab. The permissions will then be displayed for your review. To check the IIS Permissions, you will need to use the Internet Services Manager, navigate to the web site you are reviewing, select properties, select the Home Directory tab. From here you can review the assigned IIS

The default server root is %system%\system32\inetsrv. The anonymous web user is IUSR_computername, which is created by default when IIS is installed. This account should be part of a group named Guests or WebUsers (IIS Lockdown creates the Web Applications and Web Anonymous Users Groups) and have read and execute permissions only to web content directories. Other permissions are as follows: \inetpub Administrators (Full Control) System (Full Control) Authenticated Users (Read) \inetpub\AdminScripts Administrators (Full Control) System (Full Control) \inetpub\ftproot Administrators (Full Control) System (Full Control) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) \inetpub\ftproot\ftpfiles Administrators (Full Control) System (Full Control) WebAdmins (Modify) Authenticated Users (Read) Web Anonymous Users (Read) Web Applications (Read) IIS_WPG (Read) IIS Permissions: Read and None FTP Uploads (if required) \inetpub\ftproot\dropbox Administrators (Full Control) WebAdmins or FTPAdmins (Read,Write,Delete) SpecifiedUsers (Write) IIS Permissions: Write and None \inetpub\mailroot Administrators (Full Control) System (Full Control) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) \inetpub\wwwroot Administrators (Full Control) System (Full Control) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) \inetpub\wwroot\docs Administrators (Full Control) System (Full Control) WebAdmins (Modify) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) IIS Permissions: Read and None \inetpub\wwwroot\images Administrators (Full Control) System (Full Control) WebAdmins (Modify) Authenticated Users (Read) Web Anonymous Users (Deny Write) Web Applications (Deny Write) IIS_WPG (Deny Write) IIS Permissions: Read and None \inetpub\wwwroot\scripts Administrators (Full Control) System (Full Control) WebAdmins(Modify) IIS_WPG (Traverse Folder/Execute) Web Anonymous Users (Traverse Folder/Execute) Web Applications (Traverse Folder/Execute) IIS Permissions: Script NOTE: There may be additional application specific content directories associated with this web server and they should follow the same guidance as the wwwroot and associated sub-directories for permissions. \WINNT\system32\inetsrv Administrators (Full Control) System (Full Control) Users (Read & Execute) \WINNT\system32\inetsrv\data Administrators (Full Control) System (Full Control) Users (Read & Execute) \WINNT\system32\inetsrv\ASP Compiled Templates Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\History Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\iisadmin Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\iisadmpwd Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\inetmgr.exe Administrators (Full Control) System (Full Control) Web Admins (Read & Execute) Web Anonymous Users (Deny ALL) Web Applications (Deny ALL) IIS_WPG (Deny ALL) \WINNT\system32\inetsrv\MetaBack Administrators (Full Control) System (Full Control) \WINNT\system32\inetsrv\urlscan Administrators (Full Control) System (Full Control) LocalService (Read / Execute) NetworkService (Read/Execute) FILE SPECIFIC PERMISSIONS: \WINNT\system32\inetsrv\*.exe \WINNT\system32\inetsrv\*.bat \WINNT\system32\inetsrv\oblt-log.log \WINNT\system32\inetsrv\oblt-rep.log \WINNT\system32\inetsrv\oblt-undo.log \WINNT\system32\inetsrv\oblt-undone.log Administrators (Full Control) System (Full Control) Users (Read & Execute) Web Anonymous Users (Deny ALL) Web Applications (Deny ALL) IIS_WPG (Deny ALL) \WINNT\system32\inetsrv\metabase.bin \WINNT\system32\inetsrv\metabase.xml \WINNT\system32\inetsrv\MBSchema.xml \WINNT\system32\inetsrv\ MBSchema.bin.00000000h Administrators (Full Control) System (Full Control) If the file permissions do not meet the minimum file permissions listed above, this is a finding. More restrictive file permissions would not be a finding. NOTE: If there is a "Windows\SysWOW64\Inetsrv" present on the system, this check applies to that directory as well. NOTE: To check the file permissions, navigate to the directories or files using a tool such as Windows Explorer, right click on the directory or file being reviewed > Select properties > Select security tab. The permissions will then be displayed for your review. To check the IIS Permissions, use the Internet Services Manager, navigate to the web site being reviewed > Select properties > Select the Home Directory tab. From here review the assigned IIS permissions for this web site.

1. Open the Services window > look for the Simple Mail Transfer Protocol (SMTP) service. 2. If the service is running, then this is a finding. 3. Open Add/Remove Programs to see if there are any e-mail programs installed. 4. Search the system to determine if other e-mail programs are running. If there is an e-mail program installed and that program has been configured to accept inbound e-mail, this is a finding. NOTE: If available, telnet to the server under review on port 25. If a response is received, this is a finding.

1. Open the Services window > look for the Simple Mail Transfer Protocol (SMTP) service. 2. If the service is running, then this is a finding. 3. Open Add/Remove Programs to see if there are any e-mail programs installed. 4. Search the system to determine if other e-mail programs are running. If there is an e-mail program installed and that program has been configured to accept inbound e-mail, this is a finding. NOTE: If available, telnet to the server under review on port 25. If a response is received, this is a finding.

1. Select Start > Search > Search for instances of Wscript.exe and Cscript.exe. 2. If found, navigate to these files > right click on them to view their properties. 3. Permissions should only exist for the System, the SA, and Web Manager (i.e. Full Control). 4. User accounts with access to these files that are unknown or unintended to the SA or Web Manager should be removed. If these files have permissions for accounts other than the System, SA, or Web Manager, this is a finding.

1. Select Start > Search > Search for instances of Wscript.exe and Cscript.exe. 2. If found, navigate to these files > right click on them to view their properties. 3. Permissions should only exist for the System, the SA, and Web Manager (i.e. Full Control). 4. User accounts with access to these files that are unknown or unintended to the SA or Web Manager should be removed. If these files have permissions for accounts other than the System, SA, or Web Manager, this is a finding.

Request to see the template file or configuration file of the software being used to accomplish this security task. The monitoring program should provide constant monitoring for these files, and instantly alert the Web Admin of any unauthorized changes. Examples of CGI file extensions include, but are not limited to cgi, asp, aspx, class, vb, php, pl, and c. If the monitoring product configuration does not monitor changes to CGI program files, this is a finding.

Request to see the template file or configuration file of the software being used to accomplish this security task. The monitoring program should provide constant monitoring for these files, and instantly alert the Web Admin of any unauthorized changes. Examples of CGI file extensions include, but are not limited to cgi, asp, aspx, class, vb, php, pl, and c. If the monitoring product configuration does not monitor changes to CGI program files, this is a finding.

The reviewer should query the Information Systems Security Officer (ISSO), SA, Web Manager, Webmaster or developers as necessary to determine whether or not a tested and verifiable backup strategy has been implemented for web server software as well as all web server data files. Proposed Questions: Who maintains the backup and recovery procedures? Do you have a copy of the backup and recovery procedures? Where is the off-site backup location? Is the contingency plan documented? When was the last time the contingency plan was tested? Are the test dates and results documented? If there is not a backup and recovery process for the web server, this is a finding. NOTE: Backup media containing sensitive data needs to be compliant with DoD Memorandum: "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media", dated 3 Jul 2007.

The reviewer should query the Information Assurance Officer (IAO) SA, Web Manager, Webmaster or developers as necessary to determine whether or not a tested and verifiable backup strategy has been implemented for web server software as well as all web server data files. Proposed Questions: Who maintains the backup and recovery procedures? Do you have a copy of the backup and recovery procedures? Where is the off-site backup location? Is the contingency plan documented? When was the last time the contingency plan was tested? Are the test dates and results documented? If there is not a backup and recovery process for the web server, this is a finding. NOTE: Backup media containing sensitive data needs to be compliant with DoD Memorandum: "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media", dated 3 Jul 2007.

The reviewer should review the privileges assigned to the "IUSR_Account". Any group the IUSR_Account is assigned to must not provide authenticated access to the external users. The use of another group created for anonymous access is the acceptable solution for group assignment. 1. Select Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Users. 2. Double click the IUSR_Account > Select “Member of:” tab. If the IUSR_Account is assigned to any group other than a local anonymous group, this is a finding. NOTE: Any associations with the authenticated users group or everyone group would not make this a finding. NOTE: The group created for the anonymous account needs to be restricted to the web directories, and not have access to the entire system.

The reviewer should review the privileges assigned to the "IUSR_Account". Any group the IUSR_Account is assigned to must not provide authenticated access to the external users. The use of another group created for anonymous access is the acceptable solution for group assignment. 1. Select Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Users. 2. Double click the IUSR_Account > Select “Member of:” tab. If the IUSR_Account is assigned to any group other than a local anonymous group, this is a finding. NOTE: Any associations with the authenticated users group or everyone group would not make this a finding. NOTE: The group created for the anonymous account needs to be restricted to the web directories, and not have access to the entire system.

Request a copy of and review the web server’s installation and configuration plan. Ensure the server is in compliance with this plan. If the server is not in compliance with the plan, this is a finding. Query the SA to ascertain if and where the additional services are installed. Confirm the additional service or application is not installed on the same partition as the operating systems root directory or the web document root. If it is, this is a finding.

Request a copy of and review the web server’s installation and configuration plan. Ensure the server is in compliance with this plan. If the server is not in compliance with the plan, this is a finding. Query the SA to ascertain if and where the additional services are installed. Confirm the additional service or application is not installed on the same partition as the operating systems root directory or the web document root. If it is, this is a finding.

Query the SA regarding the publishing of the web server or operating system information. The SA should be able to show that the web server is configured to not display the host operating system of the web server. The reviewer should review the following registry key using the registry editor: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader (REG-DWORD) If the value is not set to 1, this is a finding.

Query the SA regarding the publishing of the web server or operating system information. The SA should be able to show that the web server is configured to not display the host operating system of the web server. The reviewer should review the following registry key using the registry editor: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader (REG_DWORD) If the value is not set to 1, this is a finding.

1. Open IIS Manager > expand the applicable server > select "Web Service Extensions". 2. In the right pane, the Internet Printing extension should be displayed. 3. If the Internet Printing extension is set to "Allowed", this is a finding.

1. Open IIS Manager > expand the applicable server > select "Web Service Extensions". 2. In the right pane, the Internet Printing extension should be displayed. 3. If the Internet Printing extension is set to "Allowed", this is a finding.

Interview the ISSO, the SA, the Web Administrator, or developers as necessary to determine if a classified web server is afforded physical security commensurate with the classification of its content (i.e., is located in a vault or a room approved for classified storage at the highest classification processed on that system). Ask what the classification of the web server is, and based on the classification, evaluate the location of the web server. Determine if it is approved for storage of that classification level. If there is a traditional reviewer available, work with them to address specific conditions or questions. If the web server is not appropriately physically protected based on its classification, this is a finding.

Interview the IAO, the SA, the Web Administrator, or developers as necessary to determine if a classified web server is afforded physical security commensurate with the classification of its content (i.e., is located in a vault or a room approved for classified storage at the highest classification processed on that system). Ask what the classification of the web server is, and based on the classification, evaluate the location of the web server. Determine if it is approved for storage of that classification level. If there is a traditional reviewer available, work with them to address specific conditions or questions. If the web server is not appropriately physically protected based on its classification, this is a finding.

Query the Web Administrator to determine if the site has a detailed process as part of its configuration management plan to stay compliant with all security-related patches. Proposed Questions: How does the SA stay current with web server vendor patches? How is the SA notified when a new security patch is issued by the vendor? What is the process followed for applying patches to the web server (excluding IAVM)? If the site is not in compliance with all applicable security patches, this is a finding.

Query the Web Administrator to determine if the site has a detailed process as part of its configuration management plan to stay compliant with all security-related patches. Proposed Questions: How does the SA stay current with web server vendor patches? How is the SA notified when a new security patch is issued by the vendor? What is the process followed for applying patches to the web server (excluding IAVM)? If the site is not in compliance with all applicable security patches, this is a finding.

Query the SA to determine if all directories that contain samples and any scripts used to execute the samples have been removed from the server. Each web server has its own list of sample files and folders. These may change with the software versions and features utilized on the web server. The following are some examples of what to look for, and should not be considered the definitive list of sample files and folders. If present, remove the following directories: %systemdrive%\inetpub\AdminScripts %systemdrive%\inetpub\scripts\IISSamples If present, remove the following virtual directories: http://localhost/iissamples http://localhost/IISHelp If any sample files or folders are found on the web server, this is a finding. NOTE: The presence of the AdminScripts directory would not be a finding if the permissions are restricted to administrators and Web Admins.

Query the SA to determine if all directories that contain samples and any scripts used to execute the samples have been removed from the server. Each web server has its own list of sample files and folders. These may change with the software versions and features utilized on the web server. The following are some examples of what to look for, and should not be considered the definitive list of sample files and folders. If present, remove the following directories: %systemdrive%\inetpub\AdminScripts %systemdrive%\inetpub\scripts\IISSamples If present, remove the following virtual directories: http://localhost/iissamples http://localhost/IISHelp If any sample files or folders are found on the web server, this is a finding. NOTE: The presence of the AdminScripts directory would not be a finding if the permissions are restricted to administrators and Web Admins.

1. Select Start > Run. 2. Enter %systemroot%\system32\inetsrv into the run dialog box and press OK. 3. Look for the presence of the iisadmpwd directory. 4. If the directory is present and is capable of being removed, this is a finding. NOTE: If the iisadmpwd directory does not exist, this is NOT a finding and the check procedure can stop here. NOTE: There have been numerous reports of sites not being able to delete this directory without Windows File Protection automatically restoring it. The work around for this will be to ensure the virtual directory is removed from all web sites associated with the server and restrict access to this directory and files to the system and administrators. 5. If the iisadmpwd directory exists on the server due to a technical inability to delete it, review the permissions on this directory and its files. The permissions should be as follows: Administrators - Full Control System - Full Control 6. If any other user or group has permissions to this directory, this is a finding. 7. If the permissions are set correctly, use the IIS Services Manager and review the web sites to see if there is a virtual directory associated with any of the sites pointing to the iisadmpwd directory. A virtual directory will be a child directory to a web site. 8. If any of these directories point to the iisadmpwd directory, this is a finding, even if the permissions are set correctly. NOTE: There is a possibility the automated check will result in a false positive condition. This could occur if the Administrators account has been renamed. If the account causing the finding has access to this directory is in the Administrators group, this would not be a finding.

1. Select Start > Run. 2. Enter %systemroot%\system32\inetsrv into the run dialog box and press OK. 3. Look for the presence of the iisadmpwd directory. 4. If the directory is present and is capable of being removed, this is a finding. NOTE: If the iisadmpwd directory does not exist, this is NOT a finding and the check procedure can stop here. NOTE: There have been numerous reports of sites not being able to delete this directory without Windows File Protection automatically restoring it. The work around for this will be to ensure the virtual directory is removed from all web sites associated with the server and restrict access to this directory and files to the system and administrators. 5. If the iisadmpwd directory exists on the server due to a technical inability to delete it, review the permissions on this directory and its files. The permissions should be as follows: Administrators - Full Control System - Full Control 6. If any other user or group has permissions to this directory, this is a finding. 7. If the permissions are set correctly, use the IIS Services Manager and review the web sites to see if there is a virtual directory associated with any of the sites pointing to the iisadmpwd directory. A virtual directory will be a child directory to a web site. 8. If any of these directories point to the iisadmpwd directory, this is a finding, even if the permissions are set correctly. NOTE: There is a possibility the automated check will result in a false positive condition. This could occur if the Administrators account has been renamed. If the account causing the finding has access to this directory is in the Administrators group, this would not be a finding.

Query the SA or Web Manager to determine if the File System Object is required. If it is, the ISSO will need to document this requirement. Check for the existence of the following registry keys. If either of the following keys exists, the FileSystemObject is enabled: HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} HKEY_CLASSES_ROOT\Scripting.FileSystemObject If the File System Object is registered and is not required for operations, this is a finding. NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site is running an application requiring the registration of this object if the site has operational reasons for the use of this object and if the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.

Query the SA or Web Manager to determine if the File System Object is required. If it is, the IAO will need to document this requirement. Check for the existence of the following registry keys. If either of the following keys exists, the FileSystemObject is enabled: HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} HKEY_CLASSES_ROOT\Scripting.FileSystemObject If the File System Object is registered and is not required for operations, this is a finding. NOTE: This vulnerability can be documented locally by the IAM/IAO if the site is running an application requiring the registration of this object if the site has operational reasons for the use of this object and if the IAM/IAO has approved this change in writing, this should be marked as not a finding.

Check the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters for the following value: SSIEnableCmdDirective REG_DWORD 0. If the key does not exist or if the value is not a REG_DWORD= 0, this is a finding.

Check the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters for the following value: SSIEnableCmdDirective REG_DWORD 0. If the key does not exist or if the value is not a REG_DWORD= 0, this is a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the AllowRestrictedChars key is set to REG_DWORD 0. If the registry key is not set to 0 or does not exist, this is a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the AllowRestrictedChars key is set to REG_DWORD 0. If the registry key is not set to 0 or does not exist, this is a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters EnableNonUTF8. 3. Ensure the value for the EnableNonUTF8 key is REG_DWORD 0. If the registry key is not set to 0 or does not exist, this is a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters EnableNonUTF8. 3. Ensure the value for the EnableNonUTF8 key is REG_DWORD 0. If the registry key is not set to 0 or does not exist, this is a finding.

To verify this setting, use the registry editor and navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters FavorUTF8 REG_DWORD 1 If the registry value is not set to 1, this is a finding. NOTE: If check WA000-WI6082 is set correctly to 0, this registry key is optional and would not be a finding if it is not present.

To verify this setting, use the registry editor and navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters FavorUTF8 REG_DWORD 1 If the registry value is not set to 1, this is a finding. NOTE: If check WA000-WI6082 is set correctly to 0, this registry key is optional and would not be a finding if it is not present.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the MaxFieldLength key is REG_DWORD 16384 (or less). If the registry value is not set to 16384 (or less) or missing, this is a finding. NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the MaxFieldLength key is REG_DWORD 16384 (or less). If the registry value is not set to 16384 (or less) or missing, this is a finding. NOTE: This vulnerability can be documented locally by the IAM/IAO if the site has operational reasons for an increased value. If the IAM/IAO has approved this change in writing, this should be marked as not a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the MaxRequestBytes key is set to REG_DWORD 16384 (or less). If the registry key is not set to 16384 (or less) or is missing, this is a finding. NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the MaxRequestBytes key is set to REG_DWORD 16384 (or less). If the registry key is not set to 16384 (or less) or is missing, this is a finding. NOTE: This vulnerability can be documented locally by the IAM/IAO if the site has operational reasons for an increased value. If the IAM/IAO has approved this change in writing, this should be marked as not a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the UrlSegmentMaxLength key is set to REG_DWORD 260 (or less). If the registry key is not set to 260 (or less) or is missing, this is a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the UrlSegmentMaxLength key is set to REG_DWORD 260 (or less). If the registry key is not set to 260 (or less) or is missing, this is a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the PercentUAllowed key is set to REG_DWORD 0. If the registry value is not set to 0 or is missing, this is a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the PercentUAllowed key is set to REG_DWORD 0. If the registry value is not set to 0 or is missing, this is a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the UriMaxUriBytes key is set to REG_DWORD 262144 (or less). If the registry value is not set to 262144 (or less) or is missing, this is a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the UriMaxUriBytes key is set to REG_DWORD 262144 (or less). If the registry value is not set to 262144 (or less) or is missing, this is a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Set the value for the UrlSegmentMaxCount key is set to REG_DWORD 255 (or less). If the registry value is not set to 255 (or less) or is missing, this is a finding.

1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Set the value for the UrlSegmentMaxCount key is set to REG_DWORD 255 (or less). If the registry value is not set to 255 (or less) or is missing, this is a finding.