Details

The element of the element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they’ve been granted authorization. Note that the element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider. It is recommended that passwordFormat be set to a value other than Clear, such as SHA1 or MD5.

Authentication credentials should always be protected to reduce the risk of stolen authentication credentials. For security reasons, it is recommended that user credentials not be stored an any IIS configuration files.

Solution

Authentication mode is configurable at the machine.config, root-level web.config, or application-level web.config:

1. Locate and open the configuration file where the credentials are stored
2. Find the element
3. If present, remove the section

This will remove all references to stored users in the configuration files.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/166

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Windows.

References

• 800-53|IA-5(1)(c)
• CSCv6|16.13
• CSCv6|16.14

Source

• Tenable.com/audits