Using Compliance analysis to check IIS Compliance
IIS Compliance checks are typically used by companies that host web applications on Windows-based IIS web servers. In addition to regulatory and operational compliance, such servers are required to satisfy IIS-specific compliance rules. This section lists those rules and describes the procedure for building them as compliance rules for IIS web servers. The set of rules described and built here is not all-inclusive and may vary from customer to customer.
Rule Reference Number | Rule |
---|---|
1.1 | Ensure BackGround Intelligent Transfer Service is disabled |
1.2 | Ensure World Wide Web Service is enabled |
2.1 | Check permissions on inetpub directory |
2.2 | Check permissions on inetpub/AdminScripts directory |
2.3 | Check permissions on inetpub/wwwroot directory |
2.4 | Check permissions on inetserv directory |
2.5 | Check permissions on inetserv/iisadmpwd directory |
2.6 | Check permissions on inetserv/inetmgr.exe file |
3.1 | Check Guest Account Status |
3.2 | IUSR_<servername> account should not exist as local user on target servers |
4.1 | Check that all web server extensions are disabled |
4.2 | Web sites should be restricted from ‘write’, ‘script’ or ‘source’ access |
4.3 | Check location of root web folder |
4.4 | Limit number of connections to websites |
4.5 | Check status of Rapid fail protection on App pool |
4.6 | Anonymous username IUSR is not used on any sites |
4.7 | Directory browsing should be disabled on folders containing scripts or executables |
5.1 | Check IIS role services |
6.1 | Web folders should not be shared on IIS server |
The following are the high-level steps involved in setting up IIS Compliance:
- Creating IIS compliance template and rules
- Creating IIS compliance discovery and compliance jobs
- Executing discovery and compliance jobs
- Viewing compliance results
The first step toward IIS compliance is to create an IIS compliance template.
This step consists of the following sub-steps:
- Creating a new template
- Creating local extended objects
- Adding parts to the template
- Creating rules in the template
Local Extended Objects Required for IIS Compliance Template
To create rules 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 5.1, and 6.1, first create extended objects local to the component template. The respective local extended objects with the scripts they use are provided below.
NOTE: The location "//blfs/E/Program Files/BMC Software/BladeLogic/NSH/storage/extended_objects/CF_Custom_EO" in the commands below could vary from customer to customer. This location is provided as an example only.
IIS WebServer Extensions (Reference# 4.1)
The local extended object for IIS WebServer Extensions consists of the following:
COMMAND: nsh -c "//blfs/E/Program Files/BMC Software/BladeLogic/NSH/storage/extended_objects/CF_Custom_EO/ListIISWebServExt.nsh" "??TARGET.NAME??"
TYPE: Central Execution
GRAMMAR: CSV File Grammar
ListIISWebServExt.nsh is the NSH script which acts as a wrapper around a VBScript that lists all the web server extensions.
IIS Scripts Access (Reference# 4.2)
The local extended object for IIS Scripts Access consists of the following:
COMMAND: nsh -c "//blfs/E/Program Files/BMC Software/BladeLogic/NSH/storage/extended_objects/CF_Custom_EO/ListIISScriptWriteAccess.nsh" "??TARGET.NAME??"
TYPE: Central Execution
GRAMMAR: CSV File Grammar
ListIISScriptWriteAccess.nsh is the NSH script which acts as a wrapper around a VBScript that checks source, script and write access on each web application.
IIS Root Web Folders (Reference# 4.3)
The local extended object for IIS Root Web Folders consists of the following:
COMMAND: nsh -c "//blfs/E/Program Files/BMC Software/BladeLogic/NSH/storage/extended_objects/CF_Custom_EO/ListIISRootFolder.nsh" "??TARGET.NAME??"
TYPE: Central Execution
GRAMMAR: CSV File Grammar
ListIISRootFolder.nsh is the NSH script which acts as a wrapper around a VBScript that checks whether the root web folder is separate from the OS directory.
IIS Web Connections (Reference# 4.4)
The local extended object for IIS Web Connections consists of the following:
COMMAND: nsh -c "//blfs/E/Program Files/BMC Software/BladeLogic/NSH/storage/extended_objects/CF_Custom_EO/ListIISConnLimit.nsh" "??TARGET.NAME??"
TYPE: Central Execution
GRAMMAR: CSV File Grammar
ListIISConnLimit.nsh is the NSH script which acts as a wrapper around a VBScript that checks that an unlimited number of connections to websites is not allowed.
IIS Rapid Fail Protection (Reference# 4.5)
The local extended object for IIS Rapid Fail Protection consists of the following:
COMMAND: nsh -c "//blfs/E/Program Files/BMC Software/BladeLogic/NSH/storage/extended_objects/CF_Custom_EO/ListIISAppRapid.nsh" "??TARGET.NAME??"
TYPE: Central Execution
GRAMMAR: CSV File Grammar
ListIISAppRapid.nsh is the NSH script which acts as a wrapper around a VBScript that checks that rapid fail protection is enabled on the application pool.
IIS Anonymous User (Reference# 4.6)
The local extended object for IIS Anonymous User consists of the following:
COMMAND: nsh -c "//blfs/E/Program Files/BMC Software/BladeLogic/NSH/storage/extended_objects/CF_Custom_EO/ListIISAnonAccess.nsh" "??TARGET.NAME??"
TYPE: Central Execution
GRAMMAR: CSV File Grammar
ListIISAnonAccess.nsh is the NSH script which acts as a wrapper around a VBScript that checks that the anonymous username IUSR is not used on any site.
IIS Directory Browsing (Reference# 4.7)
The local extended object for IIS Directory Browsing consists of the following:
COMMAND: nsh -c "//blfs/E/Program Files/BMC Software/BladeLogic/NSH/storage/extended_objects/CF_Custom_EO/ListIISDirBrowse.nsh" "??TARGET.NAME??"
TYPE: Central Execution
GRAMMAR: CSV File Grammar
ListIISDirBrowse.nsh is the NSH script which acts as a wrapper around a VBScript that checks that directory browsing is disabled on folders containing scripts or executables.
IIS Role Services (Reference# 5.1)
The local extended object for IIS Role Services consists of the following:
COMMAND: nsh -c "//blfs/E/Program Files/BMC Software/BladeLogic/NSH/storage/extended_objects/CF_Custom_EO/ListServerRoles.nsh" "??TARGET.NAME??"
TYPE: Central Execution
GRAMMAR: CSV File Grammar
ListServerRoles.nsh is the NSH script which acts as a wrapper around a VBScript that lists the IIS role services installed on the target.
IIS Shared Web Folders (Reference# 6.1)
The local extended object for IIS Shared Web Folders consists of the following:
COMMAND: nsh -c "//bsarasvr/C/Program Files/BMC Software/BladeLogic/NSH/storage/extended_objects/CF_Custom_EO/ListSharedWebFolders.nsh" "??TARGET.NAME??"
TYPE: Central Execution
GRAMMAR: CSV File Grammar
ListSharedWebFolders.nsh is the NSH script which acts as a wrapper around a VBScript that checks that web folders are not shared on the IIS server.
Parts required for IIS Compliance Template
The following parts are required to build the rules within IIS Compliance Template:
Type | Name |
---|---|
Directory | /C/inetpub |
Directory | /C/inetpub/AdminScripts |
Directory | /C/inetpub/wwwroot |
Directory | /C/Windows/system32/inetsrv |
Directory | /C/Windows/system32/inetsrv/iisadmpwd |
File | /C/Windows/system32/inetsrv/inetmgr.exe |
Windows Group List | Local Groups |
Windows User List | Local Users |
Security Settings Category | Security Settings |
Windows Service List | Services |
Local Extended Object | IIS Anonymous User |
Local Extended Object | IIS Directory Browsing |
Local Extended Object | IIS Rapid File Protection |
Local Extended Object | IIS Role Services |
Local Extended Object | IIS Root Web Folders |
Local Extended Object | IIS Scripts Access |
Local Extended Object | IIS Shared Web Folders |
Local Extended Object | IIS Web Connections |
Local Extended Object | IIS Web Server Extensions |
Compliance Rules for IIS Compliance
The following table lists the rules used for IIS Compliance with their reference numbers and rule definitions:
Rule Reference Number | Rule Definition |
---|---|
1.1 | if "Windows Service:Background Intelligent Transfer Service" exists then "Windows Service:Background Intelligent Transfer Service"."Start Type (Windows)" = "DISABLED" AND "Windows Service:Background Intelligent Transfer Service"."State (Windows)" = "STOPPED" end |
1.2 | if "Windows Service:World Wide Web Publishing Service" exists then "Windows Service:World Wide Web Publishing Service"."Start Type (Windows)" = "AUTO_START" AND "Windows Service:World Wide Web Publishing Service"."State (Windows)" = "RUNNING" end |
2.1 | if "Directory:/C/Inetpub" exists then "Directory:/C/Inetpub"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\ADMINISTRATORS Allow [+List Folder/Read Data, +Create Files/Write Data, +Create Folders/Append Data, +Read Extended Attributes, +Write Extended Attributes, +Traverse Folder/Execute File, +Delete Subfolders and Files, +Read Attributes, +Write Attributes, +Delete, +Read Permissions, +Change Permissions, +Take Ownership]""" AND "Directory:/C/Inetpub"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\SYSTEM Allow [+List Folder/Read Data, +Create Files/Write Data, +Create Folders/Append Data, +Read Extended Attributes, +Write Extended Attributes, +Traverse Folder/Execute File, +Delete Subfolders and Files, +Read Attributes, +Write Attributes, +Delete, +Read Permissions, +Change Permissions, +Take Ownership]""" AND "Directory:/C/Inetpub"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\USERS Allow [+List Folder/Read Data, +Read Extended Attributes, +Read Attributes, +Read Permissions, -Create Files/Write Data, -Create Folders/Append Data, -Write Extended Attributes, -Traverse Folder/Execute File, -Delete Subfolders and Files, -Write Attributes, -Delete, -Change Permissions, -Take Ownership]""" end |
2.2 | if "Directory:/C/Inetpub/AdminScripts" exists then "Directory:/C/Inetpub/AdminScripts"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\ADMINISTRATORS Allow [+List Folder/Read Data, +Create Files/Write Data, +Create Folders/Append Data, +Read Extended Attributes, +Write Extended Attributes, +Traverse Folder/Execute File, +Delete Subfolders and Files, +Read Attributes, +Write Attributes, +Delete, +Read Permissions, +Change Permissions, +Take Ownership]""" AND "Directory:/C/Inetpub/AdminScripts"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\SYSTEM Allow [+List Folder/Read Data, +Create Files/Write Data, +Create Folders/Append Data, +Read Extended Attributes, +Write Extended Attributes, +Traverse Folder/Execute File, +Delete Subfolders and Files, +Read Attributes, +Write Attributes, +Delete, +Read Permissions, +Change Permissions, +Take Ownership]""" end |
2.3 | if "Directory:/C/Inetpub/wwwroot" exists then "Directory:/C/Inetpub/wwwroot"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\ADMINISTRATORS Allow [+List Folder/Read Data, +Create Files/Write Data, +Create Folders/Append Data, +Read Extended Attributes, +Write Extended Attributes, +Traverse Folder/Execute File, +Delete Subfolders and Files, +Read Attributes, +Write Attributes, +Delete, +Read Permissions, +Change Permissions, +Take Ownership]""" AND "Directory:/C/Inetpub/wwwroot"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\SYSTEM Allow [+List Folder/Read Data, +Create Files/Write Data, +Create Folders/Append Data, +Read Extended Attributes, +Write Extended Attributes, +Traverse Folder/Execute File, +Delete Subfolders and Files, +Read Attributes, +Write Attributes, +Delete, +Read Permissions, +Change Permissions, +Take Ownership]""" AND "Directory:/C/Inetpub/wwwroot"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\USERS Allow [+List Folder/Read Data, +Read Extended Attributes, +Read Attributes, +Read Permissions, -Create Files/Write Data, -Create Folders/Append Data, -Write Extended Attributes, -Traverse Folder/Execute File, -Delete Subfolders and Files, -Write Attributes, -Delete, -Change Permissions, -Take Ownership]""" end |
2.4 | if "Directory:??TARGET.WINDIR??/system32/inetsrv" exists then "Directory:??TARGET.WINDIR??/system32/inetsrv"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\ADMINISTRATORS Allow [+List Folder/Read Data, +Create Files/Write Data, +Create Folders/Append Data, +Read Extended Attributes, +Write Extended Attributes, +Traverse Folder/Execute File, +Delete Subfolders and Files, +Read Attributes, +Write Attributes, +Delete, +Read Permissions, +Change Permissions, +Take Ownership]""" AND "Directory:??TARGET.WINDIR??/system32/inetsrv"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\SYSTEM Allow [+List Folder/Read Data, +Create Files/Write Data, +Create Folders/Append Data, +Read Extended Attributes, +Write Extended Attributes, +Traverse Folder/Execute File, +Delete Subfolders and Files, +Read Attributes, +Write Attributes, +Delete, +Read Permissions, +Change Permissions, +Take Ownership]""" AND "Directory:??TARGET.WINDIR??/system32/inetsrv"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\USERS Allow [+List Folder/Read Data, +Read Extended Attributes, +Traverse Folder/Execute File, +Read Attributes, +Read Permissions, -Create Files/Write Data, -Create Folders/Append Data, -Write Extended Attributes, -Delete Subfolders and Files, -Write Attributes, -Delete, -Change Permissions, -Take Ownership]""" end |
2.5 | if "Directory:??TARGET.WINDIR??/system32/inetsrv/iisadmpwd" exists then "Directory:??TARGET.WINDIR??/system32/inetsrv/iisadmpwd"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\ADMINISTRATORS Allow [+List Folder/Read Data, +Create Files/Write Data, +Create Folders/Append Data, +Read Extended Attributes, +Write Extended Attributes, +Traverse Folder/Execute File, +Delete Subfolders and Files, +Read Attributes, +Write Attributes, +Delete, +Read Permissions, +Change Permissions, +Take Ownership]""" AND "Directory:??TARGET.WINDIR??/system32/inetsrv/iisadmpwd"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\SYSTEM Allow [+List Folder/Read Data, +Create Files/Write Data, +Create Folders/Append Data, +Read Extended Attributes, +Write Extended Attributes, +Traverse Folder/Execute File, +Delete Subfolders and Files, +Read Attributes, +Write Attributes, +Delete, +Read Permissions, +Change Permissions, +Take Ownership]""" end |
2.6 | if "File:/C/WINDOWS/system32/inetsrv/inetmgr.exe" exists then "File:/C/WINDOWS/system32/inetsrv/inetmgr.exe"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\ADMINISTRATORS Allow [+List Folder/Read Data, +Create Files/Write Data, +Create Folders/Append Data, +Read Extended Attributes, +Write Extended Attributes, +Traverse Folder/Execute File, +Delete Subfolders and Files, +Read Attributes, +Write Attributes, +Delete, +Read Permissions, +Change Permissions, +Take Ownership]""" AND "File:/C/WINDOWS/system32/inetsrv/inetmgr.exe"."Permission ACL (Windows NTFS) (Windows)" has ACE matching mask """*\SYSTEM Allow [+List Folder/Read Data, +Create Files/Write Data, +Create Folders/Append Data, +Read Extended Attributes, +Write Extended Attributes, +Traverse Folder/Execute File, +Delete Subfolders and Files, +Read Attributes, +Write Attributes, +Delete, +Read Permissions, +Change Permissions, +Take Ownership]""" end |
3.1 | "Security Setting:Security Settings\Local Policies\Security Options\Accounts: Guest account status"."Local setting as Integer Value (Windows)" = 0 AND "Security Setting:Security Settings\Local Policies\Security Options\Accounts: Guest account status"."Effective setting as Integer Value (Windows)" = 0 |
3.2 | NOT ("Windows Group:Users"."User Members (Windows)" contains "IUSR_??TARGET.NAME??") |
4.1 | if "Extended Object Entry:IIS Web Server Extensions//**" exists then foreach "Extended Object Entry:IIS Web Server Extensions//**" "Value1 as String (All OS)" does not contain "Allowed" end end |
4.2 | if "Extended Object Entry:IIS Scripts Access//**" exists then foreach "Extended Object Entry:IIS Scripts Access//**" "Value1 as String (All OS)" != "True" end end |
4.3 | if "Extended Object Entry:IIS Root Web Folders//**" exists then foreach "Extended Object Entry:IIS Root Web Folders//**" if Name contains "Virtual Directory Path" then "Value1 as String (All OS)" starts with "c:\inetpub" end end end |
4.4 | if "Extended Object Entry:IIS Web Connections//**" exists then foreach "Extended Object Entry:IIS Web Connections//**" if Name contains "Maximum Connections" then "Value1 as String (All OS)" != "Unlimited" end end end |
4.5 | if "Extended Object Entry:IIS Rapid File Protection//**" exists then foreach "Extended Object Entry:IIS Rapid File Protection//**" if Name contains "Rapid Fail Protection" then "Value1 as String (All OS)" = "True" end end end |
4.6 | if "Extended Object Entry:IIS Anonymous User//**" exists then foreach "Extended Object Entry:IIS Anonymous User//**" if Name contains "Annonymous Access Account" then "Value1 as String (All OS)" does not contain "IUSR" end end end |
4.7 | if "Extended Object Entry:IIS Directory Browsing//**" exists then foreach "Extended Object Entry:IIS Directory Browsing//**" if Name contains "Directory Browsing" then "Value1 as String (All OS)" = "False" end end end |
5.1 | if "Extended Object Entry:IIS Role Services//**" exists then "Extended Object Entry:IIS Role Services//Web Server:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//Common HTTP Features:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//Static Content:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//Default Document:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//Directory Browsing:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//HTTP Errors:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//HTTP Redirection:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//WebDav Publishing:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//Application Development:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//ASP.NET:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//.NET Extensibility:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//ASP:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//CGI:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//ISAPI Extensions:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//ISAPI Filters:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//Server Side Includes:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//Health and Diagnostics:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//HTTP Logging:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//Logging Tools:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//Request Monitor:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//Tracing:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//Custom Logging:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//ODBC Logging:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//Security:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//Basic Authentication:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//Windows Authentication:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//Digest Authentication:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//Client Certificate Mapping Authentication:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//IIS Client Certificate Mapping Authentication:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//URL Authorization:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//Request Filtering:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//IP and Domain Restrictions:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//Performance:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//Static Content Compression:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//Dynamic Content Compression:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//Management Tools:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//IIS Management Console:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//IIS Management Scripts and Tools:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//Management Service:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//IIS 6 Management Compatibility:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//IIS 6 Metabase Compatibility:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//IIS 6 WMI Compatibility:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//IIS 6 Scripting Tools:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//IIS 6 Management Console:*"."Value1 as String (All OS)" = "Installed" AND "Extended Object Entry:IIS Role Services//FTP Server:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//FTP Service:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//FTP Extensibility:*"."Value1 as String (All OS)" = "Not Installed" AND "Extended Object Entry:IIS Role Services//IIS Hostable Web Core:*"."Value1 as String (All OS)" = "Not Installed" end |
6.1 | if "Extended Object Entry:IIS Shared Web Folders//**" exists then foreach "Extended Object Entry:IIS Shared Web Folders//**" if Name contains "Shared WebFolder:" then "Value1 as String (All OS)" = "-None-" end end end |
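The extended-object rules above (4.1 to 4.7 and 6.1) all follow one pattern: if the extended object has entries, walk them, optionally keep only those whose Name contains a given string, and compare Value1 to an expected value. The Python script below is an added example written for this page; it is not BladeLogic code and not one of the NSH/VBScript wrappers described above. It models that pattern over constructed two-column (Name, Value1) CSV rows of the kind a CSV File Grammar exposes, so you can see exactly what the wrapped scripts must emit for each rule to match. The EO names, Name filters, operators and expected values are copied from the rule table (including the spelling of the Name filters, which the script output must match literally); the site, pool and path values are made up. Two points are assumptions rather than page facts: the comparisons are literal (the page does not say whether the platform's string operators ignore case), and an absent extended object is treated as compliant, following the if-without-else form of the rules. Rule 5.1, which addresses fixed entry paths, and the non-EO rules are not modeled.

```python
"""Model of how the extended-object based IIS rules read each EO's CSV output.

Added example, not BladeLogic code: it mimics the rule shape
"if <EO> exists then foreach <entry> [if Name contains F then] Value1 OP X end end"
over two-column (Name, Value1) CSV rows of the kind a CSV File Grammar exposes.
"""
import csv
import io
from typing import Callable, Dict, List, Tuple

Entry = Tuple[str, str]                # (Name, Value1)
Rule = Tuple[str, str, str, str, str]  # (ref, EO name, Name filter, operator, expected)
Result = Tuple[bool, List[Entry]]      # (compliant?, offending entries)

# Rule operators as they read in the rule table. Comparisons are literal; the page
# does not say whether the platform's string operators ignore case (assumption).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "=": lambda value, expected: value == expected,
    "!=": lambda value, expected: value != expected,
    "does not contain": lambda value, expected: expected not in value,
    "starts with": lambda value, expected: value.startswith(expected),
}

# EO names, Name filters, operators and expected values copied from rules 4.1-4.7 and 6.1.
# An empty filter means the rule checks every entry. Filter strings are spelled exactly as
# the rule text has them, because the EO's Name column must match them literally.
RULES: List[Rule] = [
    ("4.1", "IIS Web Server Extensions", "", "does not contain", "Allowed"),
    ("4.2", "IIS Scripts Access", "", "!=", "True"),
    ("4.3", "IIS Root Web Folders", "Virtual Directory Path", "starts with", r"c:\inetpub"),
    ("4.4", "IIS Web Connections", "Maximum Connections", "!=", "Unlimited"),
    ("4.5", "IIS Rapid File Protection", "Rapid Fail Protection", "=", "True"),
    ("4.6", "IIS Anonymous User", "Annonymous Access Account", "does not contain", "IUSR"),
    ("4.7", "IIS Directory Browsing", "Directory Browsing", "=", "False"),
    ("6.1", "IIS Shared Web Folders", "Shared WebFolder:", "=", "-None-"),
]


def _csv(*rows: str) -> str:
    """Assemble the CSV text an extended object would emit (header plus data rows)."""
    return "\n".join(("Name,Value1",) + rows) + "\n"


# Constructed sample output of each local extended object; site, pool and path
# values are made up for the example and do not come from any real server.
SAMPLE_EO_OUTPUT: Dict[str, str] = {
    "IIS Web Server Extensions": _csv("Active Server Pages,Prohibited", "WebDAV,Allowed"),
    "IIS Scripts Access": _csv("Default Web Site Script Access,False",
                               "Intranet Source Access,True"),
    "IIS Root Web Folders": _csv("Default Web Site Site ID,1",
                                 r"Default Web Site Virtual Directory Path,c:\inetpub\wwwroot",
                                 r"Intranet Virtual Directory Path,C:\Windows\Web\intranet"),
    "IIS Web Connections": _csv("Default Web Site Maximum Connections,Unlimited",
                                "Intranet Maximum Connections,1000"),
    "IIS Rapid File Protection": _csv("DefaultAppPool Rapid Fail Protection,True",
                                      "IntranetPool Rapid Fail Protection,True"),
    "IIS Anonymous User": _csv("Default Web Site Annonymous Access Account,IUSR",
                               "Intranet Annonymous Access Account,svc_intranet_anon"),
    "IIS Directory Browsing": _csv("Default Web Site Directory Browsing,False",
                                   "Intranet Directory Browsing,False"),
    "IIS Shared Web Folders": _csv("Shared WebFolder:,-None-"),
}


def parse_eo_output(text: str) -> List[Entry]:
    """Turn an extended object's CSV text into (Name, Value1) entries."""
    return [(row["Name"], row["Value1"]) for row in csv.DictReader(io.StringIO(text))]


def evaluate_rule(rule: Rule, eo_output: Dict[str, str]) -> Result:
    """Apply one rule; returns (compliant, entries that violated it)."""
    _ref, eo_name, name_filter, operator, expected = rule
    if eo_name not in eo_output:
        # "if ... exists then ... end" with no else branch: nothing to check, so the
        # rule is read here as compliant (assumption about the platform's semantics).
        return True, []
    compare = OPERATORS[operator]
    violations = [
        (name, value)
        for name, value in parse_eo_output(eo_output[eo_name])
        # the inner "if Name contains F" restricts which entries are compared
        if (not name_filter or name_filter in name) and not compare(value, expected)
    ]
    return not violations, violations


def evaluate_all(eo_output: Dict[str, str] = SAMPLE_EO_OUTPUT) -> Dict[str, Result]:
    """Evaluate every rule in RULES against the given EO outputs, keyed by reference number."""
    return {rule[0]: evaluate_rule(rule, eo_output) for rule in RULES}


if __name__ == "__main__":
    for ref, (compliant, violations) in evaluate_all().items():
        print(f"Rule {ref}: {'COMPLIANT' if compliant else 'NON-COMPLIANT'}")
        for name, value in violations:
            print(f"    {name} = {value}")
```

With the constructed rows, rules 4.1, 4.2, 4.3, 4.4 and 4.6 fail and the script names the offending entry for each (the Allowed extension, the site with Source access, the root folder outside c:\inetpub, the site with Unlimited connections, the site still using IUSR), while 4.5, 4.7 and 6.1 pass. When a rule in the real template never fires, the first thing to compare against this model is whether the wrapped script's Name column carries the exact filter text the rule looks for.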
A full construction document for building customized IIS Compliance including the template, rules, discovery and compliance jobs is
.