Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-76859 | IISW-SI-000246 | SV-91555r1_rule | Medium |
Description |
---|
A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e. HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie. Satisfies: SRG-APP-000439-WSR-000154, SRG-APP-000439-SSR-000155 |
STIG | Date |
---|---|
IIS 8.5 Site Security Technical Implementation Guide | 2018-01-03 |
Check Text ( C-76515r1_chk ) |
---|
Follow the procedures below for each site hosted on the IIS 8.5 web server: Access the IIS 8.5 Manager. Under "Management" section, double-click the "Configuration Editor" icon. From the "Section:" drop-down list, select "system.web/httpCookies". Verify the "require SSL" is set to "True". From the "Section:" drop-down list, select "system.web/sessionState". Verify the "compressionEnabled" is set to "False". If both the "system.web/httpCookies:require SSL" is set to "True" and the "system.web/sessionState:compressionEnabled" is set to "False", this is not a finding. |
Fix Text (F-83555r1_fix) |
---|
Follow the procedures below for each site hosted on the IIS 8.5 web server: Access the IIS 8.5 Manager. Under "Management" section, double-click the "Configuration Editor" icon. From the "Section:" drop-down list, select "system.web/httpCookies". Set the "require SSL" to "True". From the "Section:" drop-down list, select "system.web/sessionState". Set the "compressionEnabled" to "False". Select "Apply" from the "Actions" pane. |