5.5 Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'

Information

Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services.

The recommended state for this setting is: Disabled or Not Installed.

Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services).

Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise.

Rationale:

Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly.

Note: This security concern applies to any web server application installed on a workstation, not just IIS.

Solution

To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed.

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\IIS Admin Service

Impact:

IIS will not function, including Web, SMTP or FTP services.

Default Value:

Not Installed (Automatic when installed)

See Also

https://workbench.cisecurity.org/files/2700

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Windows

Control ID: b125d80063f6d6c0f7fa8fe3de02d5de97baac4d99bb60070da679156c4781b7