AUDIT_IIS_APPCMD

This check runs appcmd.exe on a server running IIS with the arguments specified in appcmd_args, and determines compliance by comparing the output with value_data. In some cases (e.g., listing configuration) you may only want to report the command output. Use only_show_cmd_output for such cases.

This check is only applicable for Internet Information Services (IIS) version 7 and greater on Windows.

Usage

<custom_item>

type: AUDIT_IIS_APPCMD

description: "Test appcmd output"

value_type: [value_type]

value_data: [value]

appcmd_args: ["arguments for appcmd.exe"]

(optional) only_show_cmd_output: YES or NO

(optional) check_type: [CHECK_TYPE]

(optional) severity: ["HIGH" or "MEDIUM" or "LOW"]

(optional) appcmd_list: ["arguments for appcmd.exe to list multiple objects"]

(optional) appcmd_filter: ["arguments for appcmd.exe to filter"]

(optional) appcmd_filter_value: ["filter value"]

</custom_item>

This item uses the appcmd_args field to specify the arguments supplied to appcmd.exe. Currently only “list” commands can be specified, for example:

  • list sites
  • list AppPools /processModel.identityType:ApplicationPoolIdentity
  • list config
  • list config -section:system.web/authentication
  • list app

Set the optional field only_show_cmd_output if the entire command output needs to be reported.

Additional optional fields are available to help check configurations on multiple objects in the web server configuration. Each one is a separate execution of appcmd.exe.

The appcmd_list field is an appcmd.exe execution that generates the list of objects that appcmd_args will act upon. If appcmd_list is used, put a {} placeholder in appcmd_args where the object instance name will be inserted.

For example, to check the sslFlags for each site in the web server:

appcmd_list: "list sites"

appcmd_args: "list config {} /section:access /text:sslFlags"

Other optional fields with appcmd_list are appcmd_filter and appcmd_filter_value, which can be used to filter the list of objects to specific instances.

An example of how the filter fields relate would be to check sslFlags only on web sites with https bindings:

appcmd_filter: 'list sites {} /text:bindings'

appcmd_filter_value: 'https'

appcmd_list: 'list sites'

appcmd_args: 'list config {} /section:access /text:sslFlags'

Examples

This check compares the result of appcmd.exe list AppPools /processModel.identityType:ApplicationPoolIdentity with value_data, and passes only if the output contains APPPOOL "DefaultAppPool".

<custom_item>

type: AUDIT_IIS_APPCMD

description: "Set Default Application Pool Identity to Least Privilege Principal"

value_type: POLICY_TEXT

value_data: 'APPPOOL "DefaultAppPool"'

appcmd_args: "list AppPools /processModel.identityType:ApplicationPoolIdentity"

check_type: CHECK_REGEX

</custom_item>

This example checks all application pools to verify that the pool identity is set to ApplicationPoolIdentity.

<custom_item>

type: AUDIT_IIS_APPCMD

description: "All application pools have identity type of ApplicationPoolIdentity"

value_type: POLICY_TEXT

value_data: '^ApplicationPoolIdentity$'

appcmd_list: 'list AppPools'

appcmd_args: 'list AppPools {} /text:processModel.identityType'

check_type: CHECK_REGEX

</custom_item>

This example checks the sslFlags of all sites with https bindings to verify that SSL is required.

<custom_item>

type: AUDIT_IIS_APPCMD

description: "Ssl Flags that start with 'Ssl,'"

value_type: POLICY_TEXT

value_data: "^Ssl(,|$)"

appcmd_filter: "list sites {} /text:bindings"

appcmd_filter_value: "https"

appcmd_list: "list sites"

appcmd_args: "list config {} /section:access /text:sslFlags"

check_type: CHECK_REGEX

</custom_item>