I want to thank the anonymous commenter on my previous post regarding IIS 7. I was out testing this past week on a very long engagement when our team came across two IIS 7 servers. After learning of the servers' existence, I went to the Center for Internet Security's benchmark tools and downloaded their IIS 7 Benchmark, which is at version 1.0. (I would hard link to it, but you need to fill out a form first, and the link is wonky after filling out the form.)
I used the guide to go through the IIS servers, and I have to say it's pretty easy and straightforward. Of course, the guide is not as in-depth as a typical DISA STIG/Checklist, but it covers much of the low-hanging fruit. The guide was easy to read, easy to follow, and even gave remediation advice. I wholeheartedly recommend the guide for auditing IIS 7 servers until DISA puts out an official checklist.
When you run these tools, are you running them from your hosts, or installing them on the actual target? The reason I ask is, how are you getting around these tools not being DADMS compliant? No, I'm being a smarty. Having to do a lot of this myself, I want to know if there is a legitimate way of using those tools. After all, I can't gig someone for using unauthorized tools if I'm using them myself. Oh yeah, I love this site; you can look for a lot more questions and comments from me. Thanks!
Frank, thanks for the comment. Bear in mind that this post was written in February of 2011. At that time, there was no guidance on IIS 7. As I check DISA's site, I see that the STIG actually came out at the end of October. The guidance I have always been given is to use "best practice" when there is not a STIG for a given technology. So, for this test, I used the CIS benchmark. (I printed the benchmark out and went through it like a checklist.)