Cookies exchanged between the IIS 8.5 website and the client must have cookie properties set to prohibit client-side scripts from reading the cookie data.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-76859	IISW-SI-000246	SV-91555r1_rule		Medium

Description
A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e. HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie. Satisfies: SRG-APP-000439-WSR-000154, SRG-APP-000439-SSR-000155

Description

A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e. HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie. Satisfies: SRG-APP-000439-WSR-000154, SRG-APP-000439-SSR-000155

STIG	Date
IIS 8.5 Site Security Technical Implementation Guide	2018-01-03

Details

Check Text ( C-76515r1_chk )
Follow the procedures below for each site hosted on the IIS 8.5 web server: Access the IIS 8.5 Manager. Under "Management" section, double-click the "Configuration Editor" icon. From the "Section:" drop-down list, select "system.web/httpCookies". Verify the "require SSL" is set to "True". From the "Section:" drop-down list, select "system.web/sessionState". Verify the "compressionEnabled" is set to "False". If both the "system.web/httpCookies:require SSL" is set to "True" and the "system.web/sessionState:compressionEnabled" is set to "False", this is not a finding.

Check Text ( C-76515r1_chk )

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Access the IIS 8.5 Manager.

Under "Management" section, double-click the "Configuration Editor" icon.

From the "Section:" drop-down list, select "system.web/httpCookies".

Verify the "require SSL" is set to "True".

From the "Section:" drop-down list, select "system.web/sessionState".

Verify the "compressionEnabled" is set to "False".

If both the "system.web/httpCookies:require SSL" is set to "True" and the "system.web/sessionState:compressionEnabled" is set to "False", this is not a finding.

Fix Text (F-83555r1_fix)
Follow the procedures below for each site hosted on the IIS 8.5 web server: Access the IIS 8.5 Manager. Under "Management" section, double-click the "Configuration Editor" icon. From the "Section:" drop-down list, select "system.web/httpCookies". Set the "require SSL" to "True". From the "Section:" drop-down list, select "system.web/sessionState". Set the "compressionEnabled" to "False". Select "Apply" from the "Actions" pane.

Fix Text (F-83555r1_fix)

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Access the IIS 8.5 Manager.

Under "Management" section, double-click the "Configuration Editor" icon.

From the "Section:" drop-down list, select "system.web/httpCookies".

Set the "require SSL" to "True".

From the "Section:" drop-down list, select "system.web/sessionState".

Set the "compressionEnabled" to "False".

Select "Apply" from the "Actions" pane.