Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
1. From a command prompt, type "net share" and press Enter to provide a list of available shares (including printers). 2. To display the permissions assigned to the shares type "net share" followed by the share name found in the previous step. If any private assets are assigned permissions to the share, this is a finding. If any printers are shared, this is a finding.
Configure the public web server to not have a trusted relationship with any system resource that is also not accessible to the public. Web content is not to be shared via Microsoft shares or NFS mounts.
1. Go to Start, Administrative Tools, and then Services. 2. Right-click on service name World Wide Web Publishing Service, Select Properties, and then select the Log On tab. 3. If “Local System account” is selected for the logon account, this is not a finding. If the “This account” option is selected, the username given is the web service account ID. 4. Open a command prompt and enter Net User [service account ID], press Enter. 5. Verify the values for Password last set and Password expires to ensure the password has been changed in the past year and will be required to change within the coming year.
Configure the service account ID used to run the web-site to have its password changed at least annually, or use the local system account.
Using Windows Explorer and/or add-remove programs, search the system for the existence of known compilers, such as, msc.exe, msvc.exe, Python.exe, javac.exe, Lcc-win32.exe, or equivalent. If a compiler is found on the production server, this is a finding. NOTE: If the web server is part of an application suite and a compiler is needed for installation, patching, and upgrading of the suite or if the compiler is embedded and can't be removed without breaking the suite, document the installation of the compiler with the ISSO/ISSM and verify that the compiler is restricted to administrative users only. If documented and restricted to administrative users, this is not a finding.
Remove any compiler found on the production web server, but if the compiler program is needed to patch or upgrade an application suite in a production environment or the compiler is embedded and will break the suite if removed, document the compiler installation with the ISSO/ISSM and ensure that the compiler is restricted to only administrative users.
Interview the SA or web administrator to see where the public web server is logically located in the data center. Review the site’s network diagram to see how the web server is connected to the LAN. Visually check the web server hardware connections to see if it conforms to the site’s network diagram. An improperly located public web server is a potential threat to the entire network. If the web server is not isolated in an accredited DoD DMZ Extension, this is a finding.
Logically relocate the public web server to be isolated from internal systems. In addition, ensure the public web server does not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) other than application and/or database servers that are a part of the same system as the web server.
Perform a check of the site’s network diagram and a visual check of the web server. The private web server must be located on a separately controlled access subnet and not part of the public DMZ that houses the public web servers. In addition, the private web server needs to be isolated via a controlled access mechanism from the local general population LAN. If the web server is not located inside the premise router, switch, or firewall, and is not isolated via a controlled access mechanism from the general population LAN, this is a finding.
Isolate the private web server from the public DMZ and separate it from the internal general population LAN. This separation must have access control in place to protect the web server from internal threats.
1. Open the IIS Manager. 2. Click Help, and select About Internet Information Services. 3. If the version is less than 7.0, this is a finding.
Install the current version of the web server software and maintain appropriate service packs and patches.
Obtain a list of the user accounts for the system, noting the priviledges for each account. Verify with the system administrator or the ISSO that all privileged accounts are mission essential and documented. Verify with the system administrator or the ISSO that all non-administrator access to shell scripts and operating system functions are mission essential and documented. If undocumented privileged accounts are found, this is a finding. If undocumented access to shell scripts or operating system functions is found, this is a finding.
Ensure non-administrators are not allowed access to the directory tree, the shell, or other operating system functions and utilities.
1. Open the IIS Manager and select Properties. 2. Select the Shortcut tab, and then left-click Open File Location. 3. Right-click InetMgr.exe, then click Properties from the context menu. 4. Select the Security tab. 5. Review the groups and user names. The following account may have Full control priviledges: TrustedInstaller The following accounts may have read & execute, and read permissions: Administrators (non-elevated) System Users Specific users may be granted read & execute and read permissions. Compare the local documentation authorizing specific users, against the specific users observed in step 5. If any other access is observed, this is a finding.
Restrict access to the web administration tool to only the web manager and the web manager’s designees.
Review programs installed on the OS. 1. Open Control Panel. 2. Open Programs and Features. 3. The following programs may be installed without any additional documentation: Administration Pack for IIS 7.0 IIS Search Engine Optimization Toolkit Microsoft .NET Framework version 3.5 SP1 or greater Microsoft Web Platform Installer version 3.x or greater Virtual Machine Additions 4. Review the installed programs, if any programs are installed other than those listed above, this is a finding. NOTE: If additional software is needed and has supporting documentation signed by the ISSO, this is not a finding.
Remove all unapproved programs and roles from the production web server.
Determine if the local sites' documentation matches an examination of the privileged IDs on the server. Using User Manager, User Manager for Domains, or Local Users and Groups, examine user accounts to verify the above information. If documentation does not exist for users and groups found on the server, this is a finding.
Document the administrative users and groups which have access rights to the web server in the website SOP or an equivalent document.
1. Open Explorer and navigate to the inetpub directory. 2. Right-click inetpub and select Properties. 3. Click the Security tab. 4. Verify the permissions for the following users; if the permissions are less restrictive, this is a finding. System: Full control Administrators: Full control TrustedInstaller: Full control Users: Read & execute, list folder contents Creator/Owner: Special permissions to subkeys
1. Open Explorer and navigate to the inetpub directory. 2. Right-click inetpub and select Properties. 3. Click the Security tab. 4. Set the following permissions: System: Full control Administrators: Full control TrustedInstaller: Full control Users: Read & execute, list folder contents Creator/Owner: special permissions to subkeys
1. Open the Task Manager. 2. Click the Services tab and look for SMTP service. If the service is running, then this is a finding. 3. Open Add/Remove Programs to see if there are any e-mail programs installed. Search the system to determine if other e-mail programs are running. If there is an e-mail program installed and that program has been configured to accept inbound e-mail, this is a finding. 4. If available, telnet to the server under review on port 25. If a response is received, this is a finding.
1. Disable the SMTP service. 2. If other e-mail programs are running remove the programs.
Search the system for files with either .java or .jpp extensions. If files with .java or .jpp extensions are found, this is a finding.
Remove all files from the web server with either .java and .jpp extensions.
Request to see the template file or configuration file of the software being used to accomplish this security task. The monitoring program should provide constant monitoring for these files, and instantly alert the web administrator of any unauthorized changes. Example CGI file extensions include, but are not limited to, .cgi, .class, .vb, .php, .pl, and .c. If the monitoring product configuration does not monitor changes to CGI program files, this is a finding.
Configure the monitoring tool to include CGI type files or equivalent programs directory.
Check the account used for anonymous access to the web site. 1. Open the IIS Manager. 2. Click the site being reviewed. 3. Double-click Authentication in the IIS section of the web site’s Home Pane. If Anonymous access is disabled, this check may end here, and is considered not a finding. 4. If enabled, left-click Anonymous Authentication, and then left-click Edit in the Actions pane. 5. If the Specific user radio button is enabled and an ID is specified in the adjacent control box, this is the ID being used for anonymous access. Check privileged groups that may allow the anonymous account inappropriate membership. 1. Left-click Start and then double-click Server Manager. 2. Expand Configuration; expand Local Users and Groups; and then left-click Groups. 3. Review group members. Privileged Groups: Administrators Backup Operators Certificate Services (of any designation) Distributed COM users Event Log Readers Network Configuration Operators\Performance Log Users Performance Monitor Users Power Users Print Operators Remote Desktop Users Replicator Users 4. Double-click each group and review its members. If the IUSR account or any account used for anonymous access is a member of any group with privileged access, this is a finding.
Remove the Anonymous access account from all privileged accounts and all privileged groups.
Request a copy of and review the web server's installation and configuration plan for required services. Ensure the server only has the required services installed as documented in the installation and configuration plan. If the server has any additional services, this is a finding.
Remove any services or applications that are not required.
If the Print Services role and the Internet Printing role are not installed, this check is N/A. Navigate to the following directory: %windir%\web\printers If this folder exists, this is a finding. Determine whether Internet Printing is enabled: 1. Click Start, then click Administrative Tools, and then click Server Manager. 2. Expand the roles node, then right-click Print Services, and then select Remove Roles Services. 3. If the Internet Printing option is enabled, this is a finding.
1. Click Start, then click Administrative Tools, and then click Server Manager. 2. Expand the roles node, then right-click Print Services, and then select Remove Roles Services. 3. If the Internet Printing option is checked, clear the check box, click Next, and then click Remove to complete the wizard.
Interview the ISSO, the SA, the web administrator, or developers as necessary to determine if a classified web server is afforded physical security commensurate with the classification of its content (i.e., is located in a vault or a room approved for classified storage at the highest classification processed on that system). Ask what the classification of the web server is. Based on the classification, evaluate the location of the web server to determine if it is approved for storage of that classification level. If there is a traditional reviewer available, work with him/her to address specific conditions or questions. If the web server is not appropriately physically protected based on its classification, this is a finding.
Relocate the web server to a location appropriate to classified devices.
1. Navigate to the following folders: inetpub\AdminScripts inetpub\scripts\IISSamples Program Files\Common Files\System\msadc Program Files (x86)\Common Files\System\msadc 2. If the folders contain sample code and documentation, this is a finding. Note: Any non-executable web server documentation or sample file found on the production web server and accessible to web users or non-administrators will be a CAT III finding. Any non-executable web server documentation or sample file found on the production web server and accessible only to SAs or to web administrators is permissible and is not a finding.
Remove sample code and documentation from the web server.
Verify Certificate Revocation List (CRL) validation is enabled on the server. Open a Command Prompt and enter the following command: netsh http show sslcert Note the value assigned to the Verify Client Certificate Revocation element. If the value of the Verify Client Certificate Revocation element is not enabled, this is a finding.
Using vendor documentation as guidance, reconfigure the web server to utilize certificate with an approved certificate validation process: netsh http add sslcert Alternatively, configure existing certificate to validate certifcate revocation: Open registry, locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443\DefaultSslCertCheckMode Modify the value to 0 Restart server
1. Locate the HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} registry key. If the key exist, the File System Object component is enabled. 2. If the File System Object component is enabled and is not required for operations, this is a finding. NOTE: If the File System Object component is required for operations and has supporting documentation signed by the ISSO, this is not a finding.
Run the following command, with adminstrator priviledges, to unregister the File System Object: regsvr32 scrrun.dll /u. Note: Make sure the Administrators group owns and has full permissions to the registry value HKCR\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0\0\win32 before trying to unregister the dll. Without the Administrators group owning and having full control of this key, the unregister command will error.
1. Open the IIS Manager. 2. Click the Server. 3. Double-click the Directory Browsing icon. 4. Under the Actions Pane verify Directory Browsing is disabled. If not, this is a finding.
1. Open the IIS Manager. 2. Click the Server. 3. Double-click the Directory Browsing icon. 4. Under the Actions Pane click Disabled.
1. Open the IIS Manager. 2. Click the Server. 3. Double-click the ISAPI and CGI restrictions icon. 4. Click Edit Feature Settings and verify the CGI and ISAPI Modules are NOT checked. If they are checked, this is a finding.
1. Open the IIS Manager. 2. Click the Server. 3. Double-click the ISAPI and CGI restrictions icon. 4. Click Edit Feature Settings and uncheck the CGI and ISAPI Modules check boxes.
1. Open the IIS Manager. 2. Click the Server. 3. Double-click the Authorization Rules icon. 4. If any user other then Administrator is listed, this is a finding.
1. Open the IIS Manager. 2. Click the Server. 3. Double-click the Authorization Rules icon. 4. Remove all users other than Administrator.
Procedure: Open IIS Manager, Select Help, Select About IIS. Microsoft support for Internet Information Services (IIS) 7 ended 2020 January. If IIS 7 is installed on a system, this is a finding.
Upgrade IIS to a supported software version.