IIS6 Server



Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-13698 High The IISADMPWD directory must be removed from the Web server.
V-13621 High All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.
V-13701 High The command shell options must be disabled.
V-6537 High Anonymous access accounts must be restricted.
V-2247 High Non-administrators must not be allowed access to the directory tree, the shell, or other operating system functions and utilities.
V-2246 High The web server must use a vendor-supported version of the web server software.
V-13591 High Classified web servers must be afforded physical security commensurate with the classification of its content.
V-6754 Medium The IIS Internet Printing Protocol must be disabled.
V-2234 Medium Public web server resources must not be shared with private assets.
V-2235 Medium The service account ID used to run the web service must have its password changed at least annually.
V-2236 Medium A compiler must not be installed on a production web server.
V-2232 Medium The web server service password(s) must be entrusted to the SA or Web Manager.
V-13700 Medium The File System Object component, if not required, must be disabled.
V-2259 Medium Web server system files must conform to minimum file permission requirements.
V-6577 Medium A web server must not be co-hosted with other services.
V-13722 Medium The UrlSegmentMaxCount registry entry must be set properly.
V-13721 Medium The UriMaxUriBytes registry entry must be set properly.
V-13720 Medium The PercentUAllowed registry entry must be set properly.
V-2271 Medium Monitoring software must include CGI type files or equivalent programs.
V-2264 Medium Wscript.exe and Cscript.exe must not be accessible by users other than the SA and Web Manager.
V-2261 Medium A public web server must limit e-mail to outbound only.
V-2248 Medium Access to web administration tools must be restricted to the Web Manager and the Web Manager’s designees.
V-13716 Medium The FavorUTF8 registry key must be set properly.
V-13717 Medium The MaxFieldLength registry entry must be set properly.
V-13714 Medium The AllowRestrictedChars registry key must be disabled.
V-13715 Medium The EnableNonUTF8 registry key must be disabled.
V-13718 Medium The MaxRequestBytes registry entry must be set properly.
V-13719 Medium The UrlSegmentMaxLength registry entry must be set properly.
V-13613 Medium The site software used with the web server must have all applicable security patches applied and documented.
V-2243 Medium A private web server must be located on a separate controlled access subnet.
V-2242 Medium A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
V-6485 Low Web server content and configuration files must be part of a routine backup program.
V-2257 Low Administrative users and groups with access privilege to the web server must be documented.
V-2251 Low Programs and features not necessary for operations must be removed.
V-6724 Low Web server and/or operating system information must be protected.