UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

IIS 7.0 WEB SERVER STIG



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-13621 High All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.
V-13591 High Classified web servers will be afforded physical security commensurate with the classification of its content.
V-6537 High Anonymous access accounts must be restricted.
V-2247 High Only administrators are allowed access to the directory tree, the shell, or other operating system functions and utilities.
V-2246 High The web server must use a vendor-supported version of the web server software.
V-6754 Medium The use of Internet Printing Protocol (IPP) must be disabled on the IIS web server.
V-2234 Medium Public web server resources must not be shared with private assets.
V-2235 Medium The service account ID used to run the web site must have its password changed at least annually.
V-2236 Medium Installation of compilers on production web servers is prohibited.
V-13700 Medium The File System Object component must be disabled.
V-2259 Medium Web server system files must conform to minimum file permission requirements.
V-6577 Medium A web server must not be co-hosted with other services.
V-2271 Medium Monitoring software must include CGI type files or equivalent programs.
V-2261 Medium A web server must limit e-mail to outbound only.
V-13672 Medium The private web server must use an approved DoD certificate validation process.
V-25999 Medium Unspecified file extensions must not be allowed to execute on the production web server.
V-2248 Medium Access to web administration tools must be restricted to the web manager and the web managers designees.
V-2243 Medium A private web server must be located on a separate controlled access subnet.
V-2242 Medium A public web server must be physically isolated in the enclave.
V-2257 Low Administrative users and groups with access privilege to the web server must be documented.
V-2251 Low Programs and features not necessary for operations must be removed.
V-2265 Low Java software installed on the production web server must be limited to .class files and the Java Virtual Machine.
V-26006 Low A global authorization rule to restrict access must exist on the web server.
V-25994 Low Directory Browsing must be disabled on the production web server.