A web server must not be co-hosted with other services.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6577	WG204 IIS7	SV-32643r2_rule	DCPA-1	Medium

Description
A detailed web server installation and configuration plan should be followed to provide standardization during the installation process. The installation and configuration plan should not support the co-hosting of multiple services, such as, Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server that is providing the web publishing service. Disallowed or restricted services in the context of this vulnerability applies to services that are not directly associated with the delivery of web content. An operating system supporting a web server will not provide other services (e.g., domain controller, email server, database server, etc.). Only those services necessary to support the web server and its hosted sites are specifically allowed and may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements. Any unnecessary services or protocols should be removed.

Description

A detailed web server installation and configuration plan should be followed to provide standardization during the installation process. The installation and configuration plan should not support the co-hosting of multiple services, such as, Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server that is providing the web publishing service. Disallowed or restricted services in the context of this vulnerability applies to services that are not directly associated with the delivery of web content. An operating system supporting a web server will not provide other services (e.g., domain controller, email server, database server, etc.). Only those services necessary to support the web server and its hosted sites are specifically allowed and may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements. Any unnecessary services or protocols should be removed.

STIG	Date
IIS 7.0 WEB SERVER STIG	2016-02-11

Details

Check Text ( C-29993r1_chk )
Request a copy of and review the web server’s installation and configuration plan. Ensure the server is in compliance with this plan. If the server is not in compliance with the plan, this is a finding.

Fix Text (F-26852r1_fix)
Remove any services or applications that are not required.