Configuring a global Authorization rule that restricts access will ensure inheritance of the
settings down through the hierarchy of web directories; if that content is copied elsewhere,
the authorization rules flow with it. This will ensure access to current and future content is
only granted to the appropriate principals, mitigating risk of accidental or unauthorized
access.
Audit:
At the web site or application level, verify that the authorization rule configured has been
applied:
- Connect to Internet Information Services (IIS Manager)
- Select the site or application where Authorization was configured
- Select Authorization Rules and verify the configured rules were added
To verify an authorization rule specifying no access to all users except the Administrators
group, browse to and open the web.config file for the configured site/application/content:

    <configuration>
      <system.webServer>
        <security>
          <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Allow" roles="administrators" />
          </authorization>
        </security>
      </system.webServer>
    </configuration>
Remediation:
To configure URL Authorization at the server level using IIS Manager:
- Connect to Internet Information Services (IIS Manager)
- Select the server
- Select Authorization Rules
- Remove the "Allow All Users" rule
- Click Add Allow Rule…
- Allow access to the user(s), user groups, or roles that are authorized across all of the
web sites and applications (e.g. the Administrators group)
If the answer is helpful, please click Accept Answer and up-vote; this can be beneficial to other community members.
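As an added example (not part of the answer above or of the CIS benchmark it quotes), here is a small Python audit that parses a web.config in the shape shown and reports whether the default "Allow all users" rule is still in effect for that site or application. Both sample configurations are constructed; the treatment of a missing accessType attribute as "Allow" is an assumption.

```python
"""Audit an IIS web.config authorization section (added example, constructed samples)."""
import xml.etree.ElementTree as ET

# Constructed sample: the compliant shape from the answer. The inherited
# "Allow *" rule is removed and only the Administrators role is allowed.
COMPLIANT_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="administrators" />
      </authorization>
    </security>
  </system.webServer>
</configuration>"""

# Constructed sample: the default allow-all rule is still present.
ALLOW_ALL_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Allow" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>"""

AUTHZ_PATH = "system.webServer/security/authorization"


def audit_authorization(web_config_xml):
    """Return (compliant, findings) for a web.config document as a string.

    Findings: an explicit Allow rule for all users ('*'), or a section that
    neither <clear/>s nor <remove>s the inherited 'Allow *' rule, in which
    case that parent rule still grants access to everyone.
    """
    root = ET.fromstring(web_config_xml)
    findings = []
    section = root.find(AUTHZ_PATH)
    if section is None:
        return False, ["no authorization section; inherited rules apply unchanged"]
    overrides_inherited = False
    for rule in section:
        users = rule.get("users", "")
        if rule.tag == "clear" or (rule.tag == "remove" and users == "*"):
            overrides_inherited = True
        elif rule.tag == "add" and users == "*" and rule.get("accessType", "Allow") == "Allow":
            findings.append("explicit Allow rule for all users (*)")  # assumption: missing accessType means Allow
    if not overrides_inherited:
        findings.append("inherited 'Allow *' rule is not removed or cleared")
    return not findings, findings
```

Run it against each site or application's web.config, not only the server-level file, since a child configuration can re-add the allow-all rule.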