IIS 7.0 WEB SITE STIG



Findings (MAC I - Mission Critical Classified)

Finding ID   Severity   Title
V-2267       High       Unapproved script mappings in IIS 7 must be removed.
V-2258       High       Access to the web content and script directories must be restricted.
V-13713      High       The application pool identity must be defined for each web-site.
V-2249       High       Web server/site administration must be performed over a secure path.
V-13694      Medium     Public web servers must use TLS if authentication is required.
V-6755       Medium     Directory Browsing must be disabled.
V-13620      Medium     A private web-site must utilize certificates from a trusted DoD CA.
V-13710      Medium     An application pool’s pinging monitor must be enabled.
V-13705      Medium     The maximum number of requests an application pool can process must be set.
V-13704      Medium     The application pool must have a recycle time set.
V-13707      Medium     The amount of private memory an application pool uses must be set.
V-26034      Medium     The production web-site must configure the Global .NET Trust Level.
V-13703      Medium     The website must have a unique application pool.
V-13706      Medium     The amount of virtual memory an application pool uses must be set.
V-2252       Medium     Only auditors, SAs or web administrators may access web server log files.
V-13708      Medium     The Idle Timeout monitor must be enabled.
V-2250       Medium     Web-site logging must be enabled.
V-13709      Medium     The maximum queue length for HTTP.sys must be managed.
V-6531       Medium     A private web-site’s authentication mechanism must use client certificates.
V-13688      Medium     Log files must consist of the required data fields.
V-3333       Medium     The web document (home) directory must be in a separate partition from the web server’s system files.
V-13689      Medium     Access to the web-site log files must be restricted.
V-2228       Medium     All interactive programs must be placed in unique designated folders.
V-2263       Medium     A private web server must have a valid server certificate.
V-26042      Medium     The production web-site must limit the MaxURL.
V-26043      Medium     The production web-site must configure the Maximum Query String limit.
V-2229       Medium     All interactive programs must have restrictive access controls.
V-26041      Medium     The web-site must limit the number of bytes accepted in a request.
V-26046      Medium     The production web-site must filter unlisted file extensions in URL requests.
V-2262       Medium     A private web server must utilize TLS v 1.0 or greater.
V-26044      Medium     The web-site must not allow non-ASCII characters in URLs.
V-26045      Medium     The web-site must not allow double encoded URL requests.
V-2226       Medium     Web content directories must not be anonymously shared.
V-13712      Medium     An application pool’s rapid fail protection settings must be managed.
V-26026      Medium     The production web-site must utilize SHA1 encryption for Machine Key.
V-13711      Medium     An application pool’s rapid fail protection must be enabled.
V-2240       Medium     Web sites must limit the number of simultaneous requests.
V-15334      Low        Web sites must utilize ports, protocols, and services according to PPSM guidelines.
V-26011      Low        Debug must be turned off on a production website.
V-26031      Low        The production web-site must be configured to prevent detailed HTTP error pages from being sent to remote clients.
V-2230       Low        Backup interactive scripts must be removed from the web site.
V-13702      Low        The Content Location header must not contain proprietary IP addresses.
V-3963       Low        Indexing Services must only index web content.
V-6724       Low        All web-sites must be assigned a default Host header.
V-2260       Low        A private web-site must not respond to requests from public search engines.
V-6373       Low        The required DoD banner page must be displayed to authenticated users accessing a DoD private web-site.
V-2245       Low        Each readable web document directory must contain a default, home, index, or equivalent document.
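Most of the findings above that concern request filtering, site behaviour and application pool settings can be read straight out of the IIS configuration with the WebAdministration module. The script below is an added example, not part of the STIG viewer page or of the STIG itself: it audits one web-site and its application pool and marks a finding Pass or Fail only where the finding title fixes the required state (double escaping and high-bit characters disallowed, unlisted extensions filtered, directory browsing off, debug off, detailed errors not sent remotely, logging on, pinging and rapid fail protection on, host header present, unique pool). The numeric thresholds the STIG check text specifies for maxUrl, maxQueryString, maxAllowedContentLength, recycle intervals, memory limits, idle timeout and queue length are not on this page, so those settings are reported as Review for the assessor to compare. The site name is hypothetical, and the script assumes an elevated PowerShell session on the IIS 7 host itself.

```powershell
# Added example (not from the STIG viewer page or the STIG): audit one IIS 7 web-site and its
# application pool against the configurable findings listed above.
# Assumptions: elevated PowerShell on the IIS host; 'Default Web Site' is a hypothetical site name.
Import-Module WebAdministration

$SiteName = 'Default Web Site'          # hypothetical; replace with the site under review
$SitePath = "IIS:\Sites\$SiteName"
$Site     = Get-Item $SitePath
$PoolName = $Site.applicationPool
$Pool     = Get-Item "IIS:\AppPools\$PoolName"

# Read a configuration section as it applies to this site (site web.config or inherited).
function Get-SiteSection([string]$Filter) {
    Get-WebConfiguration -Filter $Filter -PSPath $SitePath
}

# One result row per finding. Status is Pass/Fail where the title fixes the required
# state, and Review where the STIG threshold is not on the page and must be compared by hand.
function New-Row([string]$Id, [string]$Check, $Value, $Status) {
    [pscustomobject]@{ Finding = $Id; Status = $Status; Value = $Value; Check = $Check }
}
function Judge([bool]$Pass) { if ($Pass) { 'Pass' } else { 'Fail' } }

$rf      = Get-SiteSection 'system.webServer/security/requestFiltering'
$limits  = Get-SiteSection 'system.webServer/security/requestFiltering/requestLimits'
$exts    = Get-SiteSection 'system.webServer/security/requestFiltering/fileExtensions'
$dir     = Get-SiteSection 'system.webServer/directoryBrowse'
$httpErr = Get-SiteSection 'system.webServer/httpErrors'
$comp    = Get-SiteSection 'system.web/compilation'
$mkey    = Get-SiteSection 'system.web/machineKey'

# bindingInformation is "ip:port:hostheader"; an empty third field means no host header (V-6724).
$bindings      = @($Site.bindings.Collection | ForEach-Object { $_.bindingInformation })
$noHostHeader  = @($bindings | Where-Object { ($_ -split ':')[2] -eq '' })
# A pool shared by more than one site violates V-13703.
$sitesOnPool   = @(Get-ChildItem IIS:\Sites | Where-Object { $_.applicationPool -eq $PoolName })

$rows = @(
    # Request filtering (V-26041 .. V-26046)
    New-Row 'V-26041' 'requestLimits.maxAllowedContentLength' $limits.maxAllowedContentLength 'Review'
    New-Row 'V-26042' 'requestLimits.maxUrl'                  $limits.maxUrl                  'Review'
    New-Row 'V-26043' 'requestLimits.maxQueryString'          $limits.maxQueryString          'Review'
    New-Row 'V-26044' 'allowHighBitCharacters = false' $rf.allowHighBitCharacters (Judge (-not $rf.allowHighBitCharacters))
    New-Row 'V-26045' 'allowDoubleEscaping = false'    $rf.allowDoubleEscaping    (Judge (-not $rf.allowDoubleEscaping))
    New-Row 'V-26046' 'fileExtensions.allowUnlisted = false' $exts.allowUnlisted  (Judge (-not $exts.allowUnlisted))
    # Site behaviour
    New-Row 'V-6755'  'directoryBrowse.enabled = false'  $dir.enabled       (Judge (-not $dir.enabled))
    New-Row 'V-26031' 'httpErrors.errorMode <> Detailed' $httpErr.errorMode (Judge ($httpErr.errorMode -ne 'Detailed'))
    New-Row 'V-26011' 'compilation.debug = false'        $comp.debug        (Judge (-not $comp.debug))
    New-Row 'V-26026' 'machineKey.validation = SHA1'     $mkey.validation   (Judge ($mkey.validation -eq 'SHA1'))
    New-Row 'V-2250'  'logFile.enabled = true'           $Site.logFile.enabled (Judge ([bool]$Site.logFile.enabled))
    New-Row 'V-13688' 'logFile.logExtFileFlags'          $Site.logFile.logExtFileFlags 'Review'
    New-Row 'V-6724'  'every binding has a host header'  ($bindings -join ';') (Judge ($noHostHeader.Count -eq 0))
    # Application pool (V-137xx)
    New-Row 'V-13703' 'pool used by exactly one site'    $PoolName (Judge ($sitesOnPool.Count -eq 1))
    New-Row 'V-13704' 'recycling.periodicRestart.time'     $Pool.recycling.periodicRestart.time     'Review'
    New-Row 'V-13705' 'recycling.periodicRestart.requests' $Pool.recycling.periodicRestart.requests 'Review'
    New-Row 'V-13706' 'periodicRestart.memory (virtual, KB)'  $Pool.recycling.periodicRestart.memory        'Review'
    New-Row 'V-13707' 'periodicRestart.privateMemory (KB)'    $Pool.recycling.periodicRestart.privateMemory 'Review'
    New-Row 'V-13708' 'processModel.idleTimeout'         $Pool.processModel.idleTimeout 'Review'
    New-Row 'V-13709' 'queueLength'                      $Pool.queueLength              'Review'
    New-Row 'V-13710' 'processModel.pingingEnabled = true' $Pool.processModel.pingingEnabled (Judge ([bool]$Pool.processModel.pingingEnabled))
    New-Row 'V-13711' 'failure.rapidFailProtection = true' $Pool.failure.rapidFailProtection (Judge ([bool]$Pool.failure.rapidFailProtection))
    New-Row 'V-13712' 'rapidFailProtection interval / maxCrashes' "$($Pool.failure.rapidFailProtectionInterval) / $($Pool.failure.rapidFailProtectionMaxCrashes)" 'Review'
    New-Row 'V-13713' 'processModel.identityType'        $Pool.processModel.identityType 'Review'
)

$rows | Format-Table -AutoSize
```

Run it once per site; findings marked Review still need the STIG check text for the expected value, and the remaining findings in the list (certificates, TLS, log file ACLs, partition layout, banner page, PPSM ports) are verified outside the IIS configuration store.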