Symantec Enterprise Security Manager - How to check if "Anonymous Authentication" is disabled on IIS 7 sites.
Article: HOWTO83371 | Created: 2013-01-17 | Updated: 2013-01-22 | Article URL: http://www.symantec.com/docs/HOWTO83371
This article explains how to check if "Anonymous Authentication" is disabled on IIS 7 sites.
It shows how to create an ESM template to check the changes in the applicationHost.config file that occur when enabling or disabling the Authentication settings in the IIS configuration. It also provides an ESM policy and corresponding template to download and import if you like (for Windows 2008 type targets). Please be aware that this was tested and documented with an ESM agent on SU42 (2011.09.01) and is known not to work as outlined below with SU39 (2010.03.01).
This is the setting we want ESM to report on. When "Anonymous Authentication" is enabled and "Windows Authentication" is disabled, we want it to flag a red message in ESM. This example only looks at these two settings; it does not report on, for instance, "Basic Authentication".
What changes on the IIS server when changing these settings?
IIS 7 keeps most of its settings in the applicationHost.config file. By default this file is located at C:\Windows\System32\inetsrv\config\applicationHost.config on a Windows 2008, IIS 7 based server.
This is the entry in applicationHost.config for the changes from the default, in this case for the web site "SomeSite" (where anonymous access is disabled and Windows Authentication is enabled).
Fig 3: applicationHost.config entries
Creating an ESM template to check these settings.
Within the ESM console there is a "branch" for templates. Edit an existing "IIS 7.0 Settings - all" template or add a new one. Once in the template editor, add the following row:
IIS Object Name: *
IIS Object Type: IIsWebServer
Comment: Authentication Settings.
Data Existence 1:
Attribute Name: anonymousAuthentication::enabled
Attribute Value: False
Comment: Anonymous Authentication must be set to False.
Data Existence 2:
Attribute Name: windowsAuthentication::enabled
Attribute Value: True
Comment: Windows Authentication must be set to True.
Fig 4: IIS7 template
If Anonymous Authentication is enabled and Windows Authentication is not enabled on any site (since we used *), ESM will show the following message within the ESM policy run results.
Fig 5: The ESM message within the ESM console, shown because Anonymous Authentication is enabled for the "Default Web Site" but not for the "SomeSite" website.
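As an added illustration (not part of the original article and not ESM code), the Python sketch below applies the same two template rules to a copy of applicationHost.config, resolving each site's effective value from the server-wide section and its location override. The sample XML is constructed, the function names are hypothetical, and the fallback values used when no enabled attribute is present are assumed to be the IIS schema defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this check reads.
SAMPLE = """<configuration>
  <system.applicationHost><sites>
    <site name="Default Web Site" id="1" />
    <site name="SomeSite" id="2" />
  </sites></system.applicationHost>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="SomeSite">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

# Values required by the two Data Existence rows of the template.
EXPECTED = {"anonymousAuthentication": False, "windowsAuthentication": True}
AUTH = "system.webServer/security/authentication/"

def _overlay(node, current):
    """Return current with any enabled= values found under node applied."""
    merged = dict(current)
    for name in EXPECTED:
        elem = None if node is None else node.find(AUTH + name)
        if elem is not None and elem.get("enabled") is not None:
            merged[name] = elem.get("enabled").lower() == "true"
    return merged

def audit(config_xml):
    """Return {site name: [attributes whose effective value fails EXPECTED]}."""
    root = ET.fromstring(config_xml)
    # Assumed schema defaults first, then the server-wide section on top.
    base = _overlay(root, {"anonymousAuthentication": True, "windowsAuthentication": False})
    overrides = {loc.get("path", "").lower(): loc for loc in root.findall("location")}
    report = {}
    for site in root.findall("system.applicationHost/sites/site"):
        name = site.get("name")
        effective = _overlay(overrides.get(name.lower()), base)
        report[name] = [k for k, want in EXPECTED.items() if effective[k] != want]
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A site with no location override inherits the server-wide values, which is why "Default Web Site" fails both rules in the sample while "SomeSite" passes.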
Download Sample policy.
Here is a link to download a sample ESM policy for the check shown in this article. The check in this policy is enabled for the WIN2008 platform.
If you're reading this article, you might be interested in the following article: How to check if "Enable Anonymous Access" is set on IIS 6 sites.