UCF STIG Viewer Logo

IIS 7.0 Server STIG


Date Finding Count (24)
2019-05-01 CAT I (High): 5 CAT II (Med): 14 CAT III (Low): 5
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-13621 High All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.
V-13591 High Classified web servers will be afforded physical security commensurate with the classification of its content.
V-6537 High Anonymous access accounts must be restricted.
V-2247 High Only administrators are allowed access to the directory tree, the shell, or other operating system functions and utilities.
V-2246 High The web server must use a vendor-supported version of the web server software.
V-6754 Medium The use of Internet Printing Protocol (IPP) must be disabled on the IIS web server.
V-2234 Medium Public web server resources must not be shared with private assets.
V-2235 Medium The service account ID used to run the website must have its password changed at least annually.
V-2236 Medium Installation of compilers on production web servers is prohibited.
V-13700 Medium The File System Object component must be disabled.
V-2259 Medium Web server system files must conform to minimum file permission requirements.
V-6577 Medium A web server must not be co-hosted with other services.
V-2271 Medium Monitoring software must include CGI type files or equivalent programs.
V-2261 Medium A web server must limit e-mail to outbound only.
V-13672 Medium The private web server must use an approved DoD certificate validation process.
V-25999 Medium Unspecified file extensions must not be allowed to execute on the production web server.
V-2248 Medium Access to web administration tools must be restricted to the web manager and the web managers designees.
V-2243 Medium A private web server must be located on a separate controlled access subnet.
V-2242 Medium A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
V-2257 Low Administrative users and groups with access privilege to the web server must be documented.
V-2251 Low Programs and features not necessary for operations must be removed.
V-2265 Low Java software installed on the production web server must be limited to .class files and the Java Virtual Machine.
V-26006 Low A global authorization rule to restrict access must exist on the web server.
V-25994 Low Directory Browsing must be disabled on the production web server.