There is a rule 2.1 (L1) Ensure 'global authorization rule' is set to restrict access in the CIS Microsoft IIS 10 Benchmark.
Can I set the allowed users to an AD group to restrict access to only this AD group?
But after I configure it, the site cannot be accessed. Can I know how to configure it to match this item, or is this item not applicable to SharePoint?
The steps mentioned in CIS are as follows:
To configure URL Authorization at the server level using IIS Manager:
1. Connect to Internet Information Services (IIS Manager)
2. Select the server
3. Select Authorization Rules
4. Remove the "Allow All Users" rule
5. Click Add Allow Rule...
6. Allow access to the user(s), user groups, or roles that are authorized across all of the web sites and applications (e.g. the Administrators group)
CIS 2.1 rule:
2.1 (L1) Ensure 'global authorization rule' is set to restrict access (Not Scored)
Profile Applicability:
Level1-IIS10
Description:
IIS introduced URL Authorization, which allows the addition of Authorization rules to the actual URL, instead of the underlying file system resource, as a way to protect it. Authorization rules can be configured at the server, web site, folder (including Virtual Directories), or file level. The native URL Authorization module applies to all requests, whether they are .NET managed or other types of files (e.g. static files or ASP files). It is recommended that URL Authorization be configured to only grant access to the necessary security principals.
Rationale:
Configuring a global Authorization rule that restricts access will ensure inheritance of the settings down through the hierarchy of web directories; if that content is copied elsewhere, the authorization rules flow with it. This will ensure access to current and future content is only granted to the appropriate principals, mitigating risk of accidental or unauthorized access.
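
The server-level steps quoted above, written as PowerShell with the WebAdministration module. This is an added example, not part of the original post or of the CIS text. The group name `CONTOSO\WebUsers` is a placeholder and `Get-AuthorizationRule` is a hypothetical helper defined here.

```powershell
# Added example. Run elevated on the IIS server.
Import-Module WebAdministration

$psPath = 'MACHINE/WEBROOT/APPHOST'                 # server level
$filter = 'system.webServer/security/authorization'
$group  = 'CONTOSO\WebUsers'                        # placeholder AD group (assumption)

# Hypothetical helper: effective rules at a config path, inherited ones included.
function Get-AuthorizationRule {
    param([string]$Path = $psPath)
    Get-WebConfiguration -PSPath $Path -Filter "$filter/add" |
        Select-Object accessType, users, roles, verbs
}

# Audit: list the server-level rules and look for the default "Allow All Users".
$serverRules = @(Get-AuthorizationRule)
$serverRules | Format-Table -AutoSize
$allowAll = $serverRules | Where-Object { "$($_.accessType)" -eq 'Allow' -and $_.users -eq '*' }

if ($allowAll) {
    # Restorable copy of the server configuration before changing it.
    Backup-WebConfiguration -Name ('pre-cis-2-1-' + (Get-Date -Format 'yyyyMMddHHmmss')) | Out-Null

    # Steps 4-6: remove "Allow All Users", then allow only the chosen group.
    Remove-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -AtElement @{ users = '*'; roles = ''; verbs = '' }
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{ accessType = 'Allow'; roles = $group }
}

# Verify per site: the rules each site ends up with, and whether it only
# authenticates anonymously. A roles-based Allow rule matches an authenticated
# group member, so an anonymous request no longer matches any Allow rule.
foreach ($site in Get-Website) {
    $sitePath = "IIS:\Sites\$($site.Name)"
    $anon = (Get-WebConfigurationProperty -PSPath $sitePath `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name enabled).Value
    "--- $($site.Name) (anonymous authentication enabled: $anon)"
    Get-AuthorizationRule -Path $sitePath | Format-Table -AutoSize
}
```

`Restore-WebConfiguration -Name <backup name>` returns the server to the saved configuration if the new rule locks out a site.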