
IIS 7.0 WEB SERVER STIG


Overview

Date: 2017-12-21
Finding Count (24): CAT I (High): 5, CAT II (Med): 14, CAT III (Low): 5
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-13621 High All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.
V-13591 High Classified web servers will be afforded physical security commensurate with the classification of its content.
V-6537 High Anonymous access accounts must be restricted.
V-2247 High Only administrators are allowed access to the directory tree, the shell, or other operating system functions and utilities.
V-2246 High The web server must use a vendor-supported version of the web server software.
V-6754 Medium The use of Internet Printing Protocol (IPP) must be disabled on the IIS web server.
V-2234 Medium Public web server resources must not be shared with private assets.
V-2235 Medium The service account ID used to run the website must have its password changed at least annually.
V-2236 Medium Installation of compilers on production web servers is prohibited.
V-13700 Medium The File System Object component must be disabled.
V-2259 Medium Web server system files must conform to minimum file permission requirements.
V-6577 Medium A web server must not be co-hosted with other services.
V-2271 Medium Monitoring software must include CGI type files or equivalent programs.
V-2261 Medium A web server must limit e-mail to outbound only.
V-13672 Medium The private web server must use an approved DoD certificate validation process.
V-25999 Medium Unspecified file extensions must not be allowed to execute on the production web server.
V-2248 Medium Access to web administration tools must be restricted to the web manager and the web manager's designees.
V-2243 Medium A private web server must be located on a separate controlled access subnet.
V-2242 Medium A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
V-2257 Low Administrative users and groups with access privilege to the web server must be documented.
V-2251 Low Programs and features not necessary for operations must be removed.
V-2265 Low Java software installed on the production web server must be limited to .class files and the Java Virtual Machine.
V-26006 Low A global authorization rule to restrict access must exist on the web server.
V-25994 Low Directory Browsing must be disabled on the production web server.