1.1.6 Configure Anonymous User Identity to Use Application Pool Identity

Information

Configuring the anonymous user identity to use the application pool identity helps ensure site isolation, provided the sites are set to use the application pool identity. Because each application pool then runs under its own unique principal, the anonymous identity is kept to least privilege, and site management is simplified as well.

Solution

The Anonymous User Identity can be set to Application Pool Identity by using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, directly editing the configuration files, or by writing WMI scripts.

Perform the following to set the username attribute of the anonymousAuthentication node in the IIS Manager GUI:

1. Open the IIS Manager GUI and navigate to the desired server, site, or application.
2. In Features View, find and double-click the Authentication icon.
3. Select the Anonymous Authentication option and in the Actions pane select Edit...
4. Choose Application pool identity in the modal window and then press the OK button.

To use AppCmd.exe to configure anonymousAuthentication at the server level, the command would look like this:

%windir%\system32\inetsrv\appcmd set config -section:anonymousAuthentication /username:'' --password
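As an added example (not part of the benchmark or the Tenable plugin), the following PowerShell script audits the same userName attribute of the anonymousAuthentication section with the WebAdministration module, at the server level and for every site, and shows the equivalent remediation. It assumes an elevated session on the IIS host; the function names are the example's own.

```powershell
# Added example: audit and remediate the anonymousAuthentication userName
# attribute. An empty userName means "Application pool identity"; IUSR or
# another account name means a fixed identity shared across sites.
Import-Module WebAdministration

$filter = '/system.webServer/security/authentication/anonymousAuthentication'

function Get-AnonymousIdentity {
    param([string]$Location)  # '' = server level, otherwise a site name
    $p = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Filter = $filter; Name = 'userName' }
    if ($Location) { $p.Location = $Location }
    $value = Get-WebConfigurationProperty @p
    # The cmdlet may return a ConfigurationAttribute object rather than a
    # bare string for this attribute; normalize to a plain string.
    if ($value -is [string]) { return $value } else { return [string]$value.Value }
}

function Test-AnonymousIdentity {
    param([string]$Location)
    $name = Get-AnonymousIdentity -Location $Location
    [pscustomobject]@{
        Scope     = if ($Location) { $Location } else { '<server>' }
        UserName  = $name
        Compliant = [string]::IsNullOrEmpty($name)
    }
}

# Audit the server default and every site (constructed report; sites are
# whatever the host actually has).
$results = @(Test-AnonymousIdentity)
foreach ($site in Get-Website) {
    $results += Test-AnonymousIdentity -Location $site.Name
}
$results | Format-Table -AutoSize

# Remediation at the server level, equivalent to the appcmd command above:
# clearing userName (and password) selects the application pool identity.
# Uncomment to apply.
# Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name userName -Value ''
# Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name password -Value ''
```

A site whose Compliant column is False still uses a shared fixed account; check whether it has a local override before remediating only at the server level.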

See Also

https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Windows

Control ID: 59c534e88ab125efd99628a789a91bf953423232b5b09464d8a09aee7e6ce49b