2.1 Ensure 'global authorization rule' is set to restrict access

Information

IIS introduced URL Authorization, which allows the addition of Authorization rules to the actual URL, instead of the underlying file system resource, as a way to protect it. Authorization rules can be configured at the server, web site, folder (including Virtual Directories), or file level. The native URL Authorization module applies to all requests, whether they are .NET managed or other types of files (e.g. static files or ASP files). It is recommended that URL Authorization be configured to only grant access to the necessary security principals.

Rationale:

Configuring a global Authorization rule that restricts access will ensure inheritance of the settings down through the hierarchy of web directories; if that content is copied elsewhere, the authorization rules flow with it. This will ensure access to current and future content is only granted to the appropriate principals, mitigating risk of accidental or unauthorized access.

Solution

To configure URL Authorization at the server level using IIS Manager:

Connect to Internet Information Services (IIS Manager)

Select the server

Select Authorization Rules

Remove the 'Allow All Users' rule

Click Add Allow Rule...

Allow access to the user(s), user groups, or roles that are authorized across all of the web sites and applications (e.g. the Administratorsgroup)

See Also

https://workbench.cisecurity.org/benchmarks/14293

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3

Plugin: Windows

Control ID: ba9e6aa1ad8fcdecfa02bb79ce3d93f29567f7f0e0f2b6ef678db0276926c874