UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

IIS 7.0 WEB SITE STIG


Overview

Date Finding Count (49)
2017-06-28 CAT I (High): 5 CAT II (Med): 35 CAT III (Low): 9
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-2267 High Unapproved script mappings in IIS 7 must be removed.
V-13686 High Remote authors or content providers will only use secure encrypted logons and connections to upload files to the Document Root directory.
V-2258 High Access to the web content and script directories must be restricted.
V-13713 High The application pool identity must be defined for each web-site.
V-2249 High Web server/site administration must be performed over a secure path.
V-13694 Medium Public web servers must use TLS if authentication is required.
V-6755 Medium Directory Browsing must be disabled.
V-13620 Medium A private web-site must utilize certificates from a trusted DoD CA.
V-13710 Medium An application pool’s pinging monitor must be enabled.
V-13705 Medium The maximum number of requests an application pool can process must be set.
V-13704 Medium The application pool must have a recycle time set.
V-13707 Medium The amount of private memory an application pool uses must be set.
V-13706 Medium The amount of virtual memory an application pool uses must be set.
V-13703 Medium The website must have a unique application pool.
V-2254 Medium Only web sites that have been fully reviewed and tested will exist on a production web server.
V-2252 Medium Only auditors, SAs or web administrators may access web server log files.
V-13708 Medium The Idle Timeout monitor must be enabled.
V-2250 Medium Web-site logging must be enabled.
V-13709 Medium The maximum queue length for HTTP.sys must be managed.
V-26034 Medium The production web-site must configure the Global .NET Trust Level.
V-6531 Medium A private web-sites authentication mechanism must use client certificates.
V-13688 Medium Log files must consist of the required data fields.
V-3333 Medium The web document (home) directory must be in a separate partition from the web server’s system files.
V-13689 Medium Access to the web-site log files must be restricted.
V-2228 Medium All interactive programs must be placed in unique designated folders.
V-2263 Medium A private web server must have a valid server certificate.
V-26042 Medium The production web-site must limit the MaxURL.
V-26043 Medium The production web-site must configure the Maximum Query String limit.
V-2229 Medium All interactive programs must have restrictive access controls.
V-26041 Medium The web-site must limit the number of bytes accepted in a request.
V-26046 Medium The production web-site must filter unlisted file extensions in URL requests.
V-2262 Medium A private web server must utilize an approved TLS version.
V-26044 Medium The web-site must not allow non-ASCII characters in URLs.
V-2260 Medium A web site must not contain a robots.txt file.
V-26045 Medium The web-site must not allow double encoded URL requests.
V-2226 Medium Web content directories must not be anonymously shared.
V-13712 Medium An application pool’s rapid fail protection settings must be managed.
V-26026 Medium The production web-site must utilize SHA2 encryption for Machine Key.
V-13711 Medium An application pool’s rapid fail protection must be enabled.
V-2240 Medium Web sites must limit the number of simultaneous requests.
V-15334 Low Web sites must utilize ports, protocols, and services according to PPSM guidelines.
V-26011 Low Debug must be turned off on a production website.
V-26031 Low The production web-site must be configured to prevent detailed HTTP error pages from being sent to remote clients.
V-2230 Low Backup interactive scripts must be removed from the web site.
V-13702 Low The Content Location header must not contain proprietary IP addresses.
V-3963 Low Indexing Services must only index web content.
V-6724 Low All web-sites must be assigned a default Host header.
V-6373 Low The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
V-2245 Low Each readable web document directory must contain a default, home, index, or equivalent document.