
Disable IIS admin service unless IIS admin service use is absolutely necessary.


CONTROL ID: 01817
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Disable all unnecessary services unless otherwise noted in a policy exception. (CC ID: 00880)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The IIS Admin Service manages all of the other IIS programs. If this service is disabled, then all of the services under the IIS will not function. This service should be Disabled. The permissions on this service should also be Administrator: Full Control; System: Read, Start, Stop, and Pause. (§ 4.1.6, The Center for Internet Security Windows 2000 Professional Benchmark, 2.2.1)
  • IIS Admin Service manages all of the other IIS services. If it is not running, then none of the IIS services will be functioning. Disable this service. (§ 4.1.6, The Center for Internet Security Windows 2000 Server Benchmark, 2.2.1)
  • The organization must only enable IIS Admin Service if absolutely necessary. If this service is not running, the other services that are part of the IIS suite will not function either. Disable this service. If possible, this should be removed from workstations. (§ 4.1.8, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • Table F-1: For Windows 2000 Server, the organization must configure the permissions for IIS Admin Service to Administrators: Full Control; System: Read; and System: Start, Stop, and Pause. Table F-2: For Windows 2003 Server, the organization must configure the permissions for IIS Admin Service (IISA… (Table F-1, Table F-2, Table F-3, Table F-4, CMS Business Partners Systems Security Manual, Rev. 10)
  • The IIS Admin Service should be disabled. The service should be documented if enabling it is required. (§ 5.2.2.1, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The IIS Admin Service should be Disabled, unless absolutely necessary. If it is Enabled, there should be a documented and justified reason. (§ 5.2.2.1, § 5.10.2.2, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • For all Windows XP environments, this service should be Disabled. (§ 6.5, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • This service controls the administration of IIS components. IIS components include FTP, Web sites, and Applications Pools. If this service is Disabled, users will not be able to run Web sites or FTP sites from their computers. The IIS Admin service should be Disabled. (Pg 68, NSA Guide to Security Microsoft Windows XP)