IIS 7.0 Site STIG


Date: 2019-05-15
Finding Count (48): CAT I (High): 5, CAT II (Med): 34, CAT III (Low): 9
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-2267 High Unapproved script mappings in IIS 7 must be removed.
V-13686 High Remote authors or content providers will only use secure encrypted logons and connections to upload files to the Document Root directory.
V-2258 High Access to the web content and script directories must be restricted.
V-13713 High The application pool identity must be defined for each web-site.
V-2249 High Web server/site administration must be performed over a secure path.
V-13694 Medium Public web servers must use TLS if authentication is required.
V-6755 Medium Directory Browsing must be disabled.
V-13620 Medium A private web-site must utilize certificates from a trusted DoD CA.
V-13710 Medium An application pool’s pinging monitor must be enabled.
V-13705 Medium The maximum number of requests an application pool can process must be set.
V-13704 Medium The application pool must have a recycle time set.
V-13707 Medium The amount of private memory an application pool uses must be set.
V-13706 Medium The amount of virtual memory an application pool uses must be set.
V-13703 Medium The website must have a unique application pool.
V-2254 Medium Only web sites that have been fully reviewed and tested will exist on a production web server.
V-13709 Medium The maximum queue length for HTTP.sys must be managed.
V-13708 Medium The Idle Timeout monitor must be enabled.
V-2250 Medium Web-site logging must be enabled.
V-26034 Medium The production web-site must configure the Global .NET Trust Level.
V-6531 Medium A private web-site's authentication mechanism must use client certificates.
V-13688 Medium Log files must consist of the required data fields.
V-3333 Medium The web document (home) directory must be in a separate partition from the web server’s system files.
V-13689 Medium Access to the web-site log files must be restricted.
V-2228 Medium All interactive programs must be placed in unique designated folders.
V-2263 Medium A private web server must have a valid server certificate.
V-26042 Medium The production web-site must limit the MaxURL.
V-26043 Medium The production web-site must configure the Maximum Query String limit.
V-2229 Medium All interactive programs must have restrictive access controls.
V-26041 Medium The web-site must limit the number of bytes accepted in a request.
V-26046 Medium The production web-site must filter unlisted file extensions in URL requests.
V-2262 Medium A private web server must utilize an approved TLS version.
V-26044 Medium The web-site must not allow non-ASCII characters in URLs.
V-2260 Medium A web site must not contain a robots.txt file.
V-26045 Medium The web-site must not allow double encoded URL requests.
V-2226 Medium Web content directories must not be anonymously shared.
V-13712 Medium An application pool’s rapid fail protection settings must be managed.
V-26026 Medium The production website must utilize SHA1 encryption for Machine Key.
V-13711 Medium An application pool’s rapid fail protection must be enabled.
V-2240 Medium Web sites must limit the number of simultaneous requests.
V-15334 Low Web sites must utilize ports, protocols, and services according to PPSM guidelines.
V-26011 Low Debug must be turned off on a production website.
V-26031 Low The production web-site must be configured to prevent detailed HTTP error pages from being sent to remote clients.
V-2230 Low Backup interactive scripts must be removed from the web site.
V-13702 Low The Content Location header must not contain proprietary IP addresses.
V-3963 Low Indexing Services must only index web content.
V-6724 Low All web-sites must be assigned a default Host header.
V-6373 Low The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
V-2245 Low Each readable web document directory must contain a default, home, index, or equivalent document.