2.1 Ensure 'global authorization rule' is set to restrict access

Information

IIS introduced URL Authorization, which allows the addition of Authorization rules to the actual URL, instead of the underlying file system resource, as a way to protect it. Authorization rules can be configured at the server, web site, folder (including Virtual Directories), or file level. The native URL Authorization module applies to all requests, whether they are .NET managed or other types of files (e.g., static files or ASP files). It is recommended that URL Authorization be configured to only grant access to the necessary security principals.

Rationale:

Configuring a global Authorization rule that restricts access will ensure inheritance of the settings down through the hierarchy of web directories; if that content is copied elsewhere, the authorization rules flow with it. This will ensure access to current and future content is only granted to the appropriate principals, mitigating risk of accidental or unauthorized access.

Impact:

If not set properly, the authorization rule could restrict assess at a level that is not intended to be restricted.

Solution

To configure URL Authorization at the server level using command line utilities:
Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd set config -section:system.webServer/security/authorization /-'[users='*',roles='',verbs='']'

%systemroot%\system32\inetsrv\appcmd set config -section:system.webServer/security/authorization /+'[accessType='Allow',roles='Administrators']'

OR

Enter the following command in PowerShell to configure:

Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/authorization' -name '.' -AtElement @{users='*';roles='';verbs=''}

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/authorization' -name '.' -value @{accessType='Allow';roles='Administrators'}

OR

To configure URL Authorization at the server level using IIS Manager:

Connect to Internet Information Services (IIS Manager)

Select the server

Select Authorization Rules

Remove the 'Allow All Users' rule

Click Add Allow Rule...

Allow access to the user(s), user groups, or roles that are authorized across all of the web sites and applications (e.g. the Administrators group)

Default Value:

The default server-level setting is to allow all users access.

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|18

Plugin: Windows

Control ID: 7644225d7cba35574dca517cf95c2f5721127962b80993232f22b17408efc1dd