5.2 Ensure Advanced IIS logging is enabled

Information

IIS Advanced Logging is a module which provides flexibility in logging requests and client data. It provides controls that allow businesses to specify what fields are important, easily add additional fields, and provide policies pertaining to log file rollover and Request Filtering. HTTP request/response headers, server variables, and client-side fields can be easily logged with minor configuration in the IIS management console. It is recommended that Advanced Logging be enabled, and the fields which could be of value to the type of business or application in the event of a security incident, be identified and logged.

Many of the fields available in Advanced Logging many can provide extensive, real-time data and details not otherwise obtainable. Developers and security professionals can use this information to identify and remediate application vulnerabilities/attack patterns.

Solution

IIS Advanced Logging can be configured for servers, Web sites, and directories in IIS Manager. To enable Advanced Logging using the UI:
1. Open Internet Information Services (IIS) Manager
2. Click the server in the Connections pane
3. Double-click the Advanced Logging icon on the Home page
4. Click Enable Advanced Logging in the Actions pane
The fields that will be logged need to be configured using the Edit Logging Fields action. As with IIS's standard log files, their location should be changed.

Note: There may be performance considerations depending on the extent of the configuration. Advanced logging requires installation using Web Platform Installer or manually form the download link in the References section.

See Also

https://workbench.cisecurity.org/files/166

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Windows

Control ID: fcc1207bb29a3e63c855579301c7c9e356a789cb7b7291c230b47990132e03bb