
IIS 8.5 Site Security Technical Implementation Guide


Overview

Date        Finding Count (56)
2018-04-06  CAT I (High): 1   CAT II (Med): 55   CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-76811 High Anonymous IIS 8.5 website access accounts must be restricted.
V-76873 Medium The application pool for each IIS 8.5 website must have a recycle time explicitly set.
V-76871 Medium The amount of private memory an application pool uses for each IIS 8.5 website must be explicitly set.
V-76877 Medium The application pool's pinging monitor for each IIS 8.5 website must be enabled.
V-76875 Medium The maximum queue length for HTTP.sys for each IIS 8.5 website must be explicitly configured.
V-76801 Medium The IIS 8.5 website must have resource mappings set to disable the serving of certain file types.
V-76839 Medium The Idle Time-out monitor for each IIS 8.5 website must be enabled.
V-76891 Medium The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
V-76815 Medium The IIS 8.5 website document directory must be in a separate partition from the IIS 8.5 website's system files.
V-76817 Medium The IIS 8.5 website must be configured to limit the maxURL.
V-76813 Medium The IIS 8.5 website must generate unique session identifiers that cannot be reliably reproduced.
V-76837 Medium Debugging and trace information used to diagnose the IIS 8.5 website must be disabled.
V-76835 Medium Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 8.5 website, patches, loaded modules, and directory paths.
V-76855 Medium IIS 8.5 website session IDs must be sent to the client using TLS.
V-76831 Medium The IIS 8.5 website must prevent a web content directory from being displayed.
V-76819 Medium The IIS 8.5 website must be configured to limit the size of web requests.
V-76789 Medium The IIS 8.5 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 8.5 website events.
V-76823 Medium Non-ASCII characters in URLs must be prohibited by any IIS 8.5 website.
V-76809 Medium A private website's authentication mechanism must use client certificates to transmit the session identifier to assure integrity.
V-76781 Medium A public IIS 8.5 website must only accept Secure Socket Layer connections when authentication is required.
V-76783 Medium The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session.
V-76851 Medium The IIS 8.5 website must employ cryptographic mechanisms (TLS) preventing the unauthorized disclosure of information, user identities and passwords during transmission and at rest.
V-76785 Medium Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled.
V-76787 Medium An IIS 8.5 website behind a load balancer or proxy server must produce log records containing the source client IP and destination information.
V-76865 Medium The IIS 8.5 website must have a unique application pool.
V-76867 Medium The maximum number of requests an application pool can process for each IIS 8.5 website must be explicitly set.
V-76879 Medium The application pool's rapid fail protection for each IIS 8.5 website must be enabled.
V-76861 Medium The IIS 8.5 website must maintain the confidentiality and integrity of information during preparation for transmission and during reception.
V-76889 Medium Backup interactive scripts on the IIS 8.5 server must be removed.
V-76887 Medium Interactive scripts on the IIS 8.5 web server must have restrictive access controls.
V-76869 Medium The amount of virtual memory an application pool uses for each IIS 8.5 website must be explicitly set.
V-76885 Medium Interactive scripts on the IIS 8.5 web server must be located in unique and designated folders.
V-76883 Medium The Content Location header on the IIS 8.5 website must not contain proprietary IP addresses.
V-76881 Medium The application pool's rapid fail protection settings for each IIS 8.5 website must be managed.
V-76807 Medium Each IIS 8.5 website must be assigned a default host header.
V-76849 Medium The IIS 8.5 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-76803 Medium The IIS 8.5 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.
V-76827 Medium Unlisted file extensions in URL requests must be filtered by any IIS 8.5 website.
V-76843 Medium The IIS 8.5 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.
V-76841 Medium The IIS 8.5 website's connectionTimeout setting must be explicitly configured to disconnect an idle session.
V-76847 Medium The IIS 8.5 websites must utilize ports, protocols, and services according to PPSM guidelines.
V-76845 Medium The IIS 8.5 website must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 8.5 website.
V-76779 Medium A private IIS 8.5 website must only accept Secure Socket Layer connections.
V-76821 Medium The IIS 8.5 website's Maximum Query String limit must be configured.
V-76859 Medium Cookies exchanged between the IIS 8.5 website and the client must use SSL/TLS, have cookie properties set to prohibit client-side scripts from reading the cookie data and must not be compressed.
V-76829 Medium Directory Browsing on the IIS 8.5 website must be disabled.
V-76773 Medium The IIS 8.5 website's MaxConnections setting must be configured to limit the number of allowed simultaneous session requests.
V-76775 Medium The IIS 8.5 website session state must be enabled.
V-76805 Medium The production website must configure the Global .NET Trust Level.
V-76777 Medium The IIS 8.5 website session state cookie settings must be configured to Use Cookies mode.
V-76799 Medium Mappings to unused and vulnerable scripts on the IIS 8.5 website must be removed.
V-76793 Medium The log information from the IIS 8.5 website must be protected from unauthorized modification.
V-76825 Medium Double encoded URL requests must be prohibited by any IIS 8.5 website.
V-76791 Medium The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-76797 Medium The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-76795 Medium The log information from the IIS 8.5 website must be protected from unauthorized deletion.
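Many of the findings above map to a single attribute in the site's effective configuration or in its application pool, so a first-pass audit can be scripted. The following PowerShell script is an added example, not DISA's check procedure and not part of the STIG: it reads the request-filtering limits, directory browsing, session and cookie settings, error/debug settings, site limits and application-pool recycling/health settings for one site and prints PASS/FAIL per finding. The site name `Default Web Site`, the numeric thresholds (4096 for maxUrl, 2048 for maxQueryString, 30000000 for maxAllowedContentLength) and the expected states are assumptions taken from the finding titles and common STIG guidance; confirm each against the full check text before recording a result. Findings that require judgement (log content, certificate CAs, banner page, PPSM ports, script folders) are deliberately not covered.

```powershell
# Added example (not DISA's check procedure): read-only audit of one IIS 8.5
# site against a subset of the findings listed above. Expected values below are
# assumptions taken from the finding titles and common STIG guidance; verify
# each against the full STIG check text before reporting.
# Needs the WebAdministration module (IIS 8.5 / Windows Server 2012 R2) in an
# elevated PowerShell session.
Import-Module WebAdministration

$SiteName = 'Default Web Site'                     # assumed; set to the audited site
$SitePath = "IIS:\Sites\$SiteName"
$Site     = Get-Item $SitePath
$Pool     = Get-Item "IIS:\AppPools\$($Site.applicationPool)"

# Read one effective configuration section for the site (web.config + inherited).
function Get-SiteSection([string]$Filter) {
    Get-WebConfiguration -Filter $Filter -PSPath $SitePath
}

$rl = Get-SiteSection 'system.webServer/security/requestFiltering/requestLimits'
$rf = Get-SiteSection 'system.webServer/security/requestFiltering'
$fx = Get-SiteSection 'system.webServer/security/requestFiltering/fileExtensions'
$db = Get-SiteSection 'system.webServer/directoryBrowse'
$he = Get-SiteSection 'system.webServer/httpErrors'
$sr = Get-SiteSection 'system.webServer/serverRuntime'
$ss = Get-SiteSection 'system.web/sessionState'
$hc = Get-SiteSection 'system.web/httpCookies'
$cp = Get-SiteSection 'system.web/compilation'
$tr = Get-SiteSection 'system.web/trace'

# WebDAV (V-76803): the finding is about the feature being present, not about a
# setting, so check the Windows feature rather than a configuration section.
$WebDavInstalled = $false
try { $WebDavInstalled = (Get-WindowsFeature -Name Web-DAV-Publishing).Installed } catch { }

function Check([string]$Id, [string]$What, $Got, [bool]$Pass) {
    [pscustomobject]@{ Finding = $Id; Check = $What; Observed = "$Got"
                       Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }) }
}

$Results = @(
  # Request filtering limits
  Check 'V-76817' 'requestLimits/maxUrl <= 4096'            $rl.maxUrl                  ($rl.maxUrl -le 4096)
  Check 'V-76821' 'requestLimits/maxQueryString <= 2048'    $rl.maxQueryString          ($rl.maxQueryString -le 2048)
  Check 'V-76819' 'maxAllowedContentLength <= 30000000'     $rl.maxAllowedContentLength ($rl.maxAllowedContentLength -le 30000000)
  Check 'V-76823' 'allowHighBitCharacters is false'         $rf.allowHighBitCharacters  (-not $rf.allowHighBitCharacters)
  Check 'V-76825' 'allowDoubleEscaping is false'            $rf.allowDoubleEscaping     (-not $rf.allowDoubleEscaping)
  Check 'V-76827' 'fileExtensions/allowUnlisted is false'   $fx.allowUnlisted           (-not $fx.allowUnlisted)
  # Content and information exposure
  Check 'V-76829' 'directoryBrowse/enabled is false'        $db.enabled                 (-not $db.enabled)
  Check 'V-76803' 'WebDAV Publishing not installed'         $WebDavInstalled            (-not $WebDavInstalled)
  Check 'V-76837' 'compilation/debug and trace/enabled off' "$($cp.debug)/$($tr.enabled)" (-not $cp.debug -and -not $tr.enabled)
  Check 'V-76835' 'httpErrors/errorMode not Detailed'       $he.errorMode               ($he.errorMode -ne 'Detailed')
  Check 'V-76883' 'serverRuntime/alternateHostName set'     $sr.alternateHostName       (-not [string]::IsNullOrEmpty($sr.alternateHostName))
  # Session and cookies
  Check 'V-76775' 'sessionState/mode not Off'               $ss.mode                    ($ss.mode -ne 'Off')
  Check 'V-76777' 'sessionState/cookieless is UseCookies'   $ss.cookieless              ($ss.cookieless -eq 'UseCookies')
  Check 'V-76859' 'httpCookies httpOnlyCookies+requireSSL'  "$($hc.httpOnlyCookies)/$($hc.requireSSL)" ($hc.httpOnlyCookies -and $hc.requireSSL)
  # Site limits (maxConnections of 4294967295 means unlimited)
  Check 'V-76841' 'limits/connectionTimeout > 0'            $Site.limits.connectionTimeout ($Site.limits.connectionTimeout -gt [TimeSpan]::Zero)
  Check 'V-76773' 'limits/maxConnections not unlimited'     $Site.limits.maxConnections    ($Site.limits.maxConnections -lt [uint32]::MaxValue)
  # Application pool. A value alone cannot prove a setting was *explicitly* set
  # (the STIG check compares against the GUI), so treat these as a first pass.
  Check 'V-76873' 'periodicRestart/time > 0'                $Pool.recycling.periodicRestart.time          ($Pool.recycling.periodicRestart.time -gt [TimeSpan]::Zero)
  Check 'V-76871' 'periodicRestart/privateMemory > 0 (KB)'  $Pool.recycling.periodicRestart.privateMemory ($Pool.recycling.periodicRestart.privateMemory -gt 0)
  Check 'V-76869' 'periodicRestart/memory (virtual) > 0'    $Pool.recycling.periodicRestart.memory        ($Pool.recycling.periodicRestart.memory -gt 0)
  Check 'V-76867' 'periodicRestart/requests > 0'            $Pool.recycling.periodicRestart.requests      ($Pool.recycling.periodicRestart.requests -gt 0)
  Check 'V-76875' 'queueLength > 0'                         $Pool.queueLength                             ($Pool.queueLength -gt 0)
  Check 'V-76877' 'processModel/pingingEnabled is true'     $Pool.processModel.pingingEnabled             ([bool]$Pool.processModel.pingingEnabled)
  Check 'V-76839' 'processModel/idleTimeout > 0'            $Pool.processModel.idleTimeout                ($Pool.processModel.idleTimeout -gt [TimeSpan]::Zero)
  Check 'V-76879' 'failure/rapidFailProtection is true'     $Pool.failure.rapidFailProtection             ([bool]$Pool.failure.rapidFailProtection)
)

$Results | Format-Table -AutoSize
$Failed = @($Results | Where-Object Result -eq 'FAIL').Count
Write-Host "$SiteName : $Failed of $($Results.Count) checks failed"
exit $(if ($Failed -gt 0) { 1 } else { 0 })
```

Run it as `.\Audit-IisSite.ps1` from an elevated prompt on the web server; the non-zero exit code lets it gate a deployment pipeline. Because `Get-WebConfiguration` returns the effective configuration for the site, a value that passes here may still be inherited from applicationHost.config rather than set on the site, which is why the application-pool and request-limit results are only a starting point for the manual check the STIG describes.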