| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-218802 | CAT I | MONT-MB-002 | Microsoft IIS 10.0 Server Security Techn... | IIS 10.0 Web server accounts accessing the directo... | - | |||
Check TextObtain a list of the user accounts with access to the system, including all local and domain accounts. Review the privileges to the web server for each account. Verify with the system administrator or the ISSO that all privileged accounts are mission essential and documented. Verify with the system administrator or the ISSO that all non-administrator access to shell scripts and operating system functions are mission essential and documented. If undocumented privileged accounts are found, this is a finding. If undocumented non-administrator access to shell scripts and operating system functions are found, this is a finding. If this IIS 10 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable. Fix TextEnsure non-administrators are not allowed access to the directory tree, the shell, or other operating system functions and utilities. All non-administrator access to shell scripts and operating system functions must be mission essential and documented. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 624D7AD7D647B59D79BA27D736EAFE3764D6EA5B ~~~~~ Below is a list of local groups and their members (if any): Group: Access Control Assistance Operators Group: Administrators SHB_Admin DOD_Admin Domain Admins Organization Management Exchange Trusted Subsystem Group: Backup Operators Group: Certificate Service DCOM Access Group: Cryptographic Operators Group: Distributed COM Users Group: Event Log Readers Group: Guests SHB_Visitor Group: Hyper-V Administrators Group: IIS_IUSRS Group: Network Configuration Operators Group: Performance Log Users Group: Performance Monitor Users Group: Power Users Group: Print Operators Group: RDS Endpoint Servers Group: RDS Management Servers Group: RDS Remote Access Servers Group: Remote Desktop Users Group: Remote Management Users Group: Replicator Group: Storage Replica Administrators Group: System Managed Accounts Group DefaultAccount Group: Users INTERACTIVE Authenticated Users Domain Users
Source: _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_IIS10Server_V3R4_20251023-152431.ckl
Scan Date: 2026-01-14T12:57:32.874734
Technology Area: Web Review
|
||||||||
| V-218802 | CAT I | MONT-DP-001 | Microsoft IIS 10.0 Server Security Techn... | IIS 10.0 Web server accounts accessing the directo... | - | |||
Check TextObtain a list of the user accounts with access to the system, including all local and domain accounts. Review the privileges to the web server for each account. Verify with the system administrator or the ISSO that all privileged accounts are mission essential and documented. Verify with the system administrator or the ISSO that all non-administrator access to shell scripts and operating system functions are mission essential and documented. If undocumented privileged accounts are found, this is a finding. If undocumented non-administrator access to shell scripts and operating system functions are found, this is a finding. If this IIS 10 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable. Fix TextEnsure non-administrators are not allowed access to the directory tree, the shell, or other operating system functions and utilities. All non-administrator access to shell scripts and operating system functions must be mission essential and documented. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: D895FC94452D188206C29C53687CC2115A1A7E8B ~~~~~ Below is a list of local groups and their members (if any): Group: Access Control Assistance Operators Group: Administrators X_Admin DOD_Admin Server Administrator Group Group: Backup Operators Group: Certificate Service DCOM Access Group: Cryptographic Operators Group: Distributed COM Users Group: Event Log Readers Group: Guests Visitor Group: Hyper-V Administrators Group: IIS_IUSRS Group: Network Configuration Operators Group: Performance Log Users Group: Performance Monitor Users Group: Power Users Group: Print Operators Group: RDS Endpoint Servers Group: RDS Management Servers Group: RDS Remote Access Servers Group: Remote Desktop Users Group: Remote Management Users Group: Replicator Group: Storage Replica Administrators Group: System Managed Accounts Group DefaultAccount Group: Users INTERACTIVE Authenticated Users Domain Users Group: ConfigMgr Remote Control Users Commentsdocumentation
Source: _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_IIS10Server_V3R4_20251023-143809.ckl
Scan Date: 2026-01-14T12:57:35.201603
Technology Area: Web Review
|
||||||||