5.1 Ensure Default IIS web log location is moved

Information

IIS will log relatively detailed information on every request. These logs are usually the first item looked at in a security response and can be the most valuable. Malicious users are aware of this and will often try to remove evidence of their activities.

It is recommended that the default location for IIS log files be changed to a restricted, non-system drive.

Rationale:

Moving IIS logging to a restricted, non-system drive will help mitigate the risk of logs being maliciously altered, removed, or lost in the event of system drive failure(s).

Impact:

If an administrator needs access to the log file, that does not have drive permission, they will be unable to view that file.

Solution

Moving the default log location can be easily accomplished using the Logging feature in the IIS Management UI, AppCmd.exe, or PowerShell.

Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd set config -section:sites -siteDefaults.logfile.directory:<new log location>

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.applicationHost/sites/siteDefaults/logFile' -name 'directory' -value <new log location>

Moving log file stores to a non-system drive or partition separate from where web applications run and/or content is served is preferred. Additionally, folder-level NTFS permissions should be set as restrictive as possible; Administrators and SYSTEM are typically the only principals requiring access.

While standard IIS logs can be moved and edited using IIS Manager, additional management tool add-ons are required in order to manage logs generated by other IIS features, such as Request Filtering and IIS Advanced Logging. These add-ons can be obtained using the Web Platform Installer or from Microsoft's site. The HTTPErr logging location can be changed by adding a registry key.

Default Value:

The default location for web logs in IIS is: %SystemDrive%\inetpub\logs\LogFiles.

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CSCv7|6.4

Plugin: Windows

Control ID: a8ebf3f51782c0aad981e9e9ba674d28004f294cfc803ffad9500131c5c14fc9