U IIS6 Tech Overview V6R13

8/3/2019 U IIS6 Tech Overview V6R13

1/21

UNCLASSIFIED

UNCLASSIFIED

Internet Information Services (IIS) 6

Technology Overview

Version 6, Release 13

28 October 2011

Developed by DISA for the DoD


2/21

IIS6 Technology Overview, V6R13 DISA Field Security Operations

28 October - 2011 Developed by DISA for the DoD

UNCLASSIFIEDii

This page is intentionally left blank.


3/21



UNCLASSIFIED iii

TABLE OF CONTENTS

Page

1. INTRODUCTION................................................................................................................. 11.1 Background ..........................................................................................................................11.2 Authority ..............................................................................................................................11.3 Scope ....................................................................................................................................11.4 Vulnerability Severity Code Definitions ..............................................................................31.5

STIG Distribution .................................................................................................................5

1.6 Document Revisions ............................................................................................................5

2. WEB SERVER AND SITE REQUIREMENTS ................................................................ 72.1 Web Server and Site Definition ...........................................................................................72.2 Web Policy Applicable to All Web Servers and Sites ......................................................72.3 Web Server and Site Topology ............................................................................................72.4 Clarification of Terms ..........................................................................................................8

2.4.1 Private vs. Public Web Server .......................................................................................82.4.2 Roles ..............................................................................................................................9

VMS PROCEDURES ................................................................................................................. 102.5 VMS Process Guide for Reviewers ....................................................................................102.6 VMS Process Guide for System Administrators ................................................................12

APPENDIX A. RELATED PUBLICATIONS ........................................................................ 15Government Publications ...........................................................................................................15Technical Publications ...............................................................................................................15Government and Technical Web Sites .......................................................................................15

APPENDIX B. ACRONYMS ..................................................................................................... 17


4/21



UNCLASSIFIEDiv

The page is intentionally left blank.


5/21



UNCLASSIFIED 1

1. INTRODUCTION1.1 BackgroundMicrosoft Internet Information Server (IIS) is a web server currently licensed and distributed to

the DoD by the Microsoft Corporation. This STIG covers IIS version 6.0 running on Windows

Server 2003. The web server must be configured to protect classified, unclassified, and/or

restricted data, such as Personally Identifiable Information (PII), as well as data approved for

public release. Immediate risks inherent to this role are external attacks and accidental exposure.

Although security controls and infrastructure devices (such as, firewalls, intrusion detection

systems, and baseline integrity checking tools) offer some defense against malicious activity,

security for web servers is best achieved through implementing a comprehensive defense-in-

depth strategy. This strategy should include, but is not limited to, a server configuration to

prevent system compromise; operational procedures for posting data to avoid accidental

exposure; proper placement of the server within the network infrastructure; and the allowance or

denial of Ports, Protocols, and Services (PPS) used to access the web server.

1.2 AuthorityDoD Directive 8500.1 requires all IA and IA-enabled IT products incorporated into DoD

information systems shall be configured in accordance with DoD-approved security

configuration guidelines and tasks DISA to develop and provide security configuration

guidance for IA and IA-enabled IT products in coordination with Director, NSA. This

document is provided under the authority of DoDD 8500.1.

Although the use of the principles and guidelines in this document provide an environment that

contributes to the security requirements of DoD systems operating at Mission AssuranceCategory I through III, applicable DoD Instruction 8500.2 Information Assurance (IA) controls

need to be applied to all systems and architectures.

The Information Operations Condition for the DoD recommends actions during periods when a

heightened defensive posture is required to protect DoD computer networks from attack. The

Information Assurance Officer (IAO) will ensure compliance with the security requirements of

the current INFOCON level and will modify security requirements to comply with this guidance.

1.3 ScopeThis document is a requirement for all DoD-owned information systems and DoD-controlledinformation systems operated by a contractor and/or other entity on behalf of the DoD that

receive, process, store, display, or transmit DoD information, regardless of classification and/or

sensitivity. These requirements are designed to assist Security Managers (SMs), Information

Assurance Managers (IAMs), Information Assurance Officers (IAOs), and System

Administrators (SAs) with configuring and maintaining security controls. This guidance

supports DoD information system design, development, implementation, certification and


6/21



UNCLASSIFIED2

accreditation efforts, but is restricted to policies and configurations specific to web servers and

sites.

Guidance for the configuration of Operating Systems (OSs) will be governed by the specific OS

STIG provided by DISA. Guidance for the use and configuration of technologies, such as mobile

code and Common Gateway Interface (CGI) scripts utilized by hosted applications, will begoverned by the Application Security and Development STIG and mobile code guidance

provided by DISA. Enclave requirements will be governed by the Enclave STIG provided by

DISA. All STIGs are available on the Information Assurance Support Environment (IASE) web

site: http://iase.disa.mil/.


7/21



UNCLASSIFIED 3

1.4 Vulnerability Severity Code DefinitionsSeverity Category Code (CAT) is a measure of risk used to assess a facility or system security

posture. Each security policy specified in this document is assigned a severity code of CAT I, II,

or III. Each policy is evaluated based on the probability of a realized threat occurring and the

expected loss associated with an attack exploiting the resulting vulnerability. Table 1-1 providesthe severity code definitions.

Table 1-1. Vulnerability Severity Category Code Definitions

DISA/DIACAP Category Code

Guidelines

Examples of DISA/DIACAP Category Code

Guidelines

CAT

I

Any vulnerability, the exploitation of

which will, directly and immediately

result in loss of Confidentiality,

Availability or Integrity. An ATO will

not be granted while CAT I weaknessesare present.

Note: The exploitation of vulnerabilities

must be evaluated at the level of the

system or component being reviewed. A

workstation for example, is a stand alone

device for some purposes and part of a

larger system for others. Risks to the

device are first considered, then risks to

the device in its environment, then risks

presented by the device to theenvironment. All risk factors must be

considered when developing mitigation

strategies at the device and system level.

Includes BUT NOT LIMITED to the

following examples of direct and immediate

loss:

1.

May result in loss of life, loss of facilities,or equipment, which would result in

mission failure.

2. Allows unauthorized access to security oradministrator level resources or privileges.

3. Allows unauthorized disclosure of, oraccess to, classified data or materials.

4. Allows unauthorized access to classifiedfacilities.

5. Allows denial of service or denial ofaccess, which will result in mission

failure.6. Prevents auditing or monitoring of cyber

or physical environments.

7. Operation of a system/capability which hasnot been approved by the appropriate

Designated Accrediting Authority (DAA).

8. Unsupported software where there is nodocumented acceptance of DAA risk.

CAT

II

Any vulnerability, the exploitation of

which, has a potential to result in loss of

Confidentiality, Availability or Integrity.

CAT II findings that have been

satisfactorily mitigated will not prevent

an ATO from being granted.






following examples that have a potential to

result in loss:

1. Allows access to information that couldlead to a CAT I vulnerability.

2. Could result in personal injury, damage tofacilities, or equipment which would

degrade the mission.

3. Allows unauthorized access to user orapplication level system resources.


8/21



UNCLASSIFIED4

DISA/DIACAP Category Code

Guidelines

Examples of DISA/DIACAP Category Code

Guidelines




the device in its environment, then riskspresented by the device to the

environment. All risk factors must be



4. Could result in the loss or compromise ofsensitive information.

5. Allows unauthorized access toGovernment or Contractor owned orleased facilities.

6. May result in the disruption of system ornetwork resources that degrades the ability

to perform the mission.

7. Prevents a timely recovery from an attackor system outage.

8. Provides unauthorized disclosure of oraccess to unclassified sensitive, personally

identifiable information (PII), or other data

or materials.

CAT

III

Any vulnerability, the existence of which

degrades measures to protect against loss

of Confidentiality, Availability or

Integrity. Assigned findings that may

impact IA posture but are not required to

be mitigated or corrected in order for an

ATO to be granted.








the device in its environment, then risks

presented by the device to the

environment. All risk factors must be




following examples that provide information

which could potentially result in degradation

of system information assurance measures or

loss of data:

1. Allows access to information that couldlead to a CAT II vulnerability.

2. Has the potential to affect the accuracy orreliability of data pertaining to personnel,

resources, operations, or other sensitive

information.3. Allows the running of any applications,

services or protocols that do not support

mission functions.

4. Degrades a defense in depth systemssecurity architecture.

5. Degrades the timely recovery from anattack or system outage.

6. Indicates inadequate securityadministration.

7. System not documented in the sites C&APackage/System Security Plan (SSP).

8. Lack of document retention by theInformation Assurance Manager (IAM)

(i.e., completed user agreement forms).For web server installations and sites, policies are classified as CAT I if failure to comply may

lead to an exploitation which has a high probability of occurring, does not require specialized


9/21



UNCLASSIFIED 5

expertise or resources, and leads to unauthorized access to sensitive information (e.g., classified).

Exploitation of CAT I vulnerabilities allows an attacker physical or logical access to a protected

asset, privileged access, bypass the access control system, or access to high value assets (e.g.,

classified).

Exploitation of CAT II vulnerabilities also leads to unauthorized access to high valueinformation; however, additional sophistication, information, or multiple exploitations are

needed. Exploitation of CAT II vulnerabilities provides information with a high potential of

allowing access to an intruder but requires one or more of the following: Exploitation of

additional vulnerabilities, exceptional sophistication or expertise, or does not provide direct or

indirect access to high value information (e.g., classified).

A policy with a CAT III severity code requires unusual expertise, additional information,

multiple exploitations, and does not directly or indirectly result in access to high value

information. Exploitation of CAT III vulnerabilities provides information potentially leading to a

compromise. It requires additional information or multiple exploitations to be effective but does

not provide direct access to high value information.

1.5 STIG DistributionParties within the DoD and Federal Government's computing environments can obtain the

applicable STIG from the IASE web site: http://iase.disa.mil/. This site contains the latest

copies of any STIGs, scripts, and other related security information.

1.6 Document RevisionsComments or proposed revisions to this document should be sent via e-mail to the following

address: [email protected]. DISA Field Security Operations (FSO) will coordinate all changerequests with the relevant DoD organizations before inclusion in this document.


10/21



UNCLASSIFIED6

This page is intentionally left blank.


11/21



UNCLASSIFIED 7

2. WEB SERVER AND SITE REQUIREMENTS2.1 Web Server and Site DefinitionA web server is an automated information system managing one or more web sites by passing or

serving up web pages to an Internet browser, such as, Mozilla Firefox or Microsoft InternetExplorer. This document is only applicable to web servers and sites.

2.2 Web Policy Applicable to All Web Servers and SitesWeb Policy requirements are applicable to all web servers and sites. Review Web Policy checks

for all web servers or sites (classified or unclassified) used to process, transmit, store, or connect

to DoD information or enclave resources. These checks should be reviewed before web server

and web site specific technology checks are implemented. These policies are listed in the

Vulnerability Management System (VMS) under the Non-Computing assets, Web Policy asset

posture. The reviewer should create one non-computing asset for policy checks, one computing

asset for a web server review, and one computing asset for each web site hosted on the reviewedweb server.

2.3 Web Server and Site TopologyWeb server and sites operating within an enclave use segregation as a hardening technique. This

approach is intended to quarantine and protect public-facing applications. Additionally,

protections are built into the architecture to segregate restricted and unrestricted applications

from private applications. Figure 2-1 below provides a visual representation of a typical Enclave.


12/21



UNCLASSIFIED8

Figure 2-1. Typical Enclave Network

2.4 Clarification of Terms2.4.1 Private vs. Public Web ServerA DoD private web server as defined by the Department of Defense Instruction 8520.2 is:

E2.1.12. DoD Private Web Server. For unclassified networks, a DoD private web server is any

DoD-owned, operated, or controlled web server providing access to sensitive information thathas not been reviewed and approved for release in accordance with DoD Directive 5230.9

(reference (q)) and DoD Instruction 5230.29 (reference (r)). For Secret Internet Protocol Router

Network and other classified networks that are not accessible to the public, a DoD private web

server is any server that provides access to information that requires need-to-know control or

compartmentation.


13/21



UNCLASSIFIED 9

A DoD public web server is any DoD-owned, operated, or controlled web server providing

access to information that has been reviewed and approved for release in accordance with DoD

Directive 5230.9 and DoD Instruction 5230.29. Given the DoD definition of a private web

server, a public web server may reside on the SIPRNet provided the information published does

not require need-to-know control or compartmentalization.

While posting appropriate data to a properly protected public or private web server is necessary

to facilitate operations, all personnel and other content providers must exercise extreme caution

to ensure they do not post inappropriate material. Current examples of such material include

classified data, data covered by the Privacy Act, unclassified but sensitive data (such as, Health

Insurance Portability and Accountability Act (HIPAA) related information), contract

(procurement) sensitive information, proprietary data, or For Official Use Only (FOUO)

information.

2.4.2 RolesThe roles of the SA, web administrator, or web master are generally understood but the terms are

often used interchangeably. The SA is responsible for the OS, while the web administrator or

web master usually manages the web site or sites. In some cases, the SA is also the web

administrator/web master which is why guidance tends to be written in a certain fashion. The

application development group should refer to the supporting organization for the application,

when application issues arise from meeting IIS STIG requirements. This guidance does not cover

every unique application and configuration.


14/21



UNCLASSIFIED10

VMS PROCEDURES

2.5 VMS Process Guide for Reviewers1. For each host system supporting a web server at least one occurrence of a web server

installation and one occurrence of a web site of the same type and version (IIS6) must be

defined. Further, one occurrence of web policy (non-computing) must also be defined. See

the asset creation instructions for the host asset to create the host asset. Asset

verification/creation must be completed before entering review results for the web server.

Multiple IP and MAC addresses may exist for an asset. Tool results may be imported as long

as those addresses found by the tool are matched in the asset identification. The scripts will

capture only one of each type of address. The engine/instance name is the unique name given

to a specific engine/instance provided by the SA. The site name is the unique name given to

a specific site provided by the SA. The reviewer must choose an engine/instance to associate

with the site using a pull down menu.

Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand Visits- Expand the correct Folder under Visits- Continue expanding folders until reaching the Computing folder- Expand Computing- Expand Must Review- Click the Asset which data is to be imported- Click the Asset Identification tab to confirm:

o I.P. Addresso MAC Address

- Click the Asset Posture tab to confirm:o Applicationo Web Servero Web Server Vendoro Web Server Instance name must match the import file.

First XML IDENTIFIER input tag:

151

IIS Installation 6

IIS-Installation1

o Web Server Site name must match the import file.Second XML IDENTIFIER input tag:

154


15/21



UNCLASSIFIED 11

IIS Site 6

www.sitename.com

2. If the asset is not registered, create asset.

Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand Visits- Expand the correct Folder under Visits- Continue expanding folders until reaching the Computing folder- Click the yellow folder icon located at the right of Computing- Input data on General tab- Click the Asset Identification tab

o Enter I.P. Address, which must match the import file.o Click Addo Enter MAC Address, which must match the import file.o Click Add

- Click the Asset Posture tabo Expand Computingo Expand Applicationo Expand Web Servero Expand the Appropriate Vendor, Instance and Siteo Ensure Instance and Site match the import file.o Once site is entered choose Instance to be associated from pull down menuo Click >>o Click Save

3. Conduct the review using the Gold Disk and save the xml file, which should bevms6x.xml. It can be changed to a name that makes sense for the system being

reviewed.

For example: iis-installation1.xml

4. Import the xml file into VMS.

Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand Visits- Expand the correct Folder under Visits- Continue expanding folders until reaching the Computing folder- Click the blue XML arrow icon located at the right of Computing


16/21



UNCLASSIFIED12

- Click the Browse button- Click the import file- Click the Open button- Click the Submit button

5. If necessary, manually key results into VMS.

Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand Visits- Expand the correct Folder under Visits- Continue expanding folders until reaching the Computing folder- Expand Computing- Expand Must Review- Expand the correct asset- Expand correct WEB vendor/instance or site- Click the vulnerability to be modified

o Edit desired datao Click Saveo (Repeat as necessary)o

2.6 VMS Process Guide for System Administrators1. Ensure the asset is registered in VMS under the correct organization. Ensure the asset has

been assigned an OS. If the OS is Microsoft Windows the OS must also be assigned a role

(Domain Controller, Member Server, etc.). The asset must have at least a web server

installation, one web site, and one web policy instance defined. The engine/instance name is

the unique name given to a specific engine/instance provided by the SA. The site name is the

unique name given to a specific site provided by the SA. The reviewer must choose an

engine/instance to associate with the site using a pull down menu. The asset must also have

the IP and MAC address assigned. The engine/instance, site, IP address, MAC address, and

Asset Name must be identical to their associated XML tags in the vms6x.xml output file.

These descriptions are captured during the execution of the Gold Disk.

Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand By Location- Expand the correct Location- Expand Computing- Click the Asset which data is to be imported- Click the Asset Identification tab to confirm:


17/21



UNCLASSIFIED 13

o I.P. Addresso MAC Address

- Click the Asset Posture tab to confirm:o Applicationo Web Servero Web Server Vendoro Web Server Instance name must match the import file.

First XML IDENTIFIER input tag:

151

Apache Instance 2.x

IIS-Installation1

o Web Server Site name must match the import file.Second XML IDENTIFIER input tag:

154

IIS Site 6www.sitename.com

2. If the asset is not registered, create asset.

Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand By Location- Expand the correct Location- Click the yellow folder icon located at the right of Computing- Input data on General tab- Click the Asset Identification tab

o Enter I.P. Address, which must match the import file.o Click Addo Enter MAC Address, which must match the import file.o Click Add

- Click the Asset Posture tabo Expand Computingo Expand Applicationo Expand Web Servero Expand the Appropriate Vendor, Instance and Siteo Ensure Instance and Site match the import file.o Once site is entered choose Instance to be associated from pull down menuo Click >>o Click Save


18/21



UNCLASSIFIED14

3. Conduct the review using the Gold Disk and save the xml file, which should bevms6x.xml.

For example: iis-installation1.xml

4. Import the xml file into VMS. Access VMS 6.0 Web Application

- Click Asset Finding Maint.- Click Assets / Findings- Expand By Location- Expand the correct Location- Click the blue XML arrow icon located at the right of Computing- Click the Browse button- Click the import file- Click the Open button- Click the Submit button

5. If necessary, manually key results into VMS.

Access VMS 6.0 Web Application- Click Asset Finding Maint.- Click Assets / Findings- Expand By Location- Expand the correct Location- Expand Computing- Expand the correct asset- Expand correct WEB vendor/instance or site- Click the vulnerability to be modified

o Edit desired datao Click Saveo (Repeat as necessary)


19/21



UNCLASSIFIED 15

APPENDIX A. RELATED PUBLICATIONS

Government Publications

Department of Defense, DoD Directive (DoDD) 8500.1, Information Assurance, 24 October

2002.

Department of Defense, DoD Instruction (DoDI) 8500.2, Information Assurance IA

Implementation, 6 February 2003.

Department of Defense, DoD Instruction (DoDI) 8520.2 Public Key Infrastructure (PKI) and

Public Key (PK) Enabling, April 2004.

Department of Defense, DoD Instruction (DoDI) 8551.1, "Ports, Protocols, and Services

Management (PPSM)," 13 August 2004.

Chairman of the Joint Chiefs of Staff (CJCS) Manual 6510.01A, " Information Assurance (IA)and Computer Network Defense (CND) Volume I (Incident Handling Program)," 24 June 2009.

Department of Defense, DoD Instruction (DoDI) 8510.01 DoD Information Assurance

Certification and Accreditation Process,April 2004.

National Institute of Standards and Technology (NIST), Guidelines on Securing Public Web

Servers, Special Publication 800-44.

Web Server Security Technical Implementation Guide (STIG) V7R1, 20 September 2010.

Technical Publications

Center for Internet Security Benchmark for IIS 5.0 and 6.0 for Microsoft Windows 2000, XP, and

Server 2003, version 1.0.0, 15 August 2007

Government and Technical Web Sites

http://iase.disa.mil Defense Information Systems Agency

http://www.disa.mil/handbook/toc.html DISA Web Handbook

http://www.cert.org A Focal point for the computer security

concerns of Internet users

http://csrc.nist.gov/publications National Institute of Standards andTechnology's Computer Security

Resource Clearinghouse

http://www.defenselink.mil/Webmasters DoD Web Site Administration Policy

http://www.w3.org/ Information and Resources on

everything Web


20/21



UNCLASSIFIED16

http://www.owasp.org Foundation dedicated to improving web

security

http://cisecurity.org/en-us/?route=default& Center for Internet Security.


21/21



APPENDIX B. ACRONYMS

ATO Authority To Operate

C&A Certification and Accreditation

CAT Category Codes (for Mission Assurance Category)

CIO Chief Information Officer

CNDSP Computer Network Defense Service Provider

COTS Commercial Off The Shelf

CTO Communication Tasking Order

DAA Designated Accrediting Authority

DIACAP Department of Defense (DoD) Information Assurance

Certification and Accreditation (C&A) Process

DISA Defense Information Systems Agency

DMZ Demilitarized Zone

DoD Department of Defense

DoDD DoD DirectiveDoDI DoD Instruction

FSO Field Security Operations

GOTS Government Off The Shelf

IA Information Assurance

IAM Information Assurance Manager

IAO Information Assurance Officer

IASE Information Assurance Support Environment

IAVM Information Assurance Vulnerability Management

INFOCON Information Operations Condition

JTF-GNO Joint Task Force - Global Network Operations

MAC Mission Assurance CategoryNIPRNet Non-classified Internet Protocol Router Network

OS Operating System

PII Personally Identifiable Information

PPS Ports, Protocols, and Services

SA System Administrator

SM Security Manager

SSP System Security Plan

STIG Security Technical Implementation Guide

URL Uniform Resource Locator

U IIS6 Tech Overview V6R13

Documents

Transcript of U IIS6 Tech Overview V6R13