IIS6 Site

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-13699 High The IIS web site permissions "Write" or "Script Source" must not be selected.
V-13713 High A unique non-privileged account must be used to run Worker Process Identities.
V-13686 High Web Administrators must secure encrypted connections for Document Root directory uploads.
V-2258 High The web client account access to the content and scripts directories must be limited to read and execute.
V-2267 High Unused and vulnerable script mappings in IIS 6 must be removed.
V-6755 Medium Directory browsing must be disabled.
V-2268 Medium The IUSR_machinename account must not have read access to the .inc files or their equivalent.
V-13620 Medium A private web site must utilize certificates from a trusted DoD CA.
V-13705 Medium The maximum number of requests an application pool can process must be set.
V-13704 Medium The Recycle Worker processes in minutes monitor must be set properly.
V-13707 Medium The maximum used memory monitor must be enabled.
V-13706 Medium The maximum virtual memory monitor must be enabled.
V-13703 Medium The web site must have a unique application pool.
V-2270 Medium Anonymous FTP users must not have access to interactive scripts.
V-2272 Medium PERL scripts must use the TAINT option.
V-2252 Medium Users other than Auditors group must not have greater than read access to log files.
V-13708 Medium The Shutdown worker processes Idle Timeout monitor must be enabled.
V-2250 Medium Logs of web server access and errors must be established and maintained.
V-13723 Medium The MaxRequestEntityAllowed metabase value must be defined.
V-6531 Medium A private web site's authentication mechanism must use client certificates.
V-13688 Medium Log file data must contain required data elements.
V-13689 Medium Access to the web site log files must be restricted.
V-3333 Medium The web document (home) directory must be on a separate partition from the web server's system files.
V-2254 Medium Only fully reviewed and tested web sites must exist on a production web server.
V-2263 Medium A private web server must have a valid server certificate.
V-2262 Medium A private web server must utilize an approved TLS version.
V-2260 Medium A web site must not contain a robots.txt file.
V-13709 Medium The Limit the kernel request queue monitor must be enabled.
V-2226 Medium Web content directories must not be anonymously shared.
V-13672 Medium The private web server must use an approved DoD certificate validation process.
V-13712 Medium The Enable rapid-fail time period monitor must be enabled.
V-2229 Medium Interactive scripts must have proper access controls.
V-13710 Medium The Enable pinging monitor must be enabled.
V-13711 Medium The Enable rapid-fail protection monitor must be enabled.
V-2245 Medium Each readable web document directory must contain a default, home, index or equivalent file.
V-2240 Medium Web sites must limit the number of simultaneous requests.
V-2230 Low Backup interactive scripts must be removed from the web site.
V-13702 Low The Content Location header must not contain proprietary IP addresses.
V-2265 Low Java software installed on the web server must be limited to class files and the JAVA virtual machine.
V-6373 Low The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
V-3963 Low Indexing Services must only index web content.