IIS 8.5 Site Security Technical Implementation Guide


Overview

Date: 2018-04-06
Finding Count: 56 (CAT I (High): 1, CAT II (Med): 55, CAT III (Low): 0)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-76811 High Anonymous IIS 8.5 website access accounts must be restricted.
V-76873 Medium The application pool for each IIS 8.5 website must have a recycle time explicitly set.
V-76871 Medium The amount of private memory an application pool uses for each IIS 8.5 website must be explicitly set.
V-76877 Medium The application pool's pinging monitor for each IIS 8.5 website must be enabled.
V-76875 Medium The maximum queue length for HTTP.sys for each IIS 8.5 website must be explicitly configured.
V-76801 Medium The IIS 8.5 website must have resource mappings set to disable the serving of certain file types.
V-76839 Medium The Idle Time-out monitor for each IIS 8.5 website must be enabled.
V-76891 Medium The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
V-76815 Medium The IIS 8.5 website document directory must be in a separate partition from the IIS 8.5 website's system files.
V-76817 Medium The IIS 8.5 website must be configured to limit the maxURL.
V-76813 Medium The IIS 8.5 website must generate unique session identifiers that cannot be reliably reproduced.
V-76837 Medium Debugging and trace information used to diagnose the IIS 8.5 website must be disabled.
V-76835 Medium Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 8.5 website, patches, loaded modules, and directory paths.
V-76855 Medium IIS 8.5 website session IDs must be sent to the client using TLS.
V-76831 Medium The IIS 8.5 website must prevent a web content directory from being displayed.
V-76819 Medium The IIS 8.5 website must be configured to limit the size of web requests.
V-76789 Medium The IIS 8.5 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 8.5 website events.
V-76823 Medium Non-ASCII characters in URLs must be prohibited by any IIS 8.5 website.
V-76809 Medium A private website's authentication mechanism must use client certificates to transmit the session identifier to assure integrity.
V-76781 Medium A public IIS 8.5 website must only accept Secure Socket Layer connections when authentication is required.
V-76783 Medium The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session.
V-76851 Medium The IIS 8.5 website must employ cryptographic mechanisms (TLS) preventing the unauthorized disclosure of information, user identities and passwords during transmission and at rest.
V-76785 Medium Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled.
V-76787 Medium An IIS 8.5 website behind a load balancer or proxy server must produce log records containing the source client IP and destination information.
V-76865 Medium The IIS 8.5 website must have a unique application pool.
V-76867 Medium The maximum number of requests an application pool can process for each IIS 8.5 website must be explicitly set.
V-76879 Medium The application pool's rapid fail protection for each IIS 8.5 website must be enabled.
V-76861 Medium The IIS 8.5 website must maintain the confidentiality and integrity of information during preparation for transmission and during reception.
V-76889 Medium Backup interactive scripts on the IIS 8.5 server must be removed.
V-76887 Medium Interactive scripts on the IIS 8.5 web server must have restrictive access controls.
V-76869 Medium The amount of virtual memory an application pool uses for each IIS 8.5 website must be explicitly set.
V-76885 Medium Interactive scripts on the IIS 8.5 web server must be located in unique and designated folders.
V-76883 Medium The Content Location header on the IIS 8.5 website must not contain proprietary IP addresses.
V-76881 Medium The application pool's rapid fail protection settings for each IIS 8.5 website must be managed.
V-76807 Medium Each IIS 8.5 website must be assigned a default host header.
V-76849 Medium The IIS 8.5 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-76803 Medium The IIS 8.5 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.
V-76827 Medium Unlisted file extensions in URL requests must be filtered by any IIS 8.5 website.
V-76843 Medium The IIS 8.5 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.
V-76841 Medium The IIS 8.5 website's connectionTimeout setting must be explicitly configured to disconnect an idle session.
V-76847 Medium The IIS 8.5 websites must utilize ports, protocols, and services according to PPSM guidelines.
V-76845 Medium The IIS 8.5 website must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 8.5 website.
V-76779 Medium A private IIS 8.5 website must only accept Secure Socket Layer connections.
V-76821 Medium The IIS 8.5 website's Maximum Query String limit must be configured.
V-76859 Medium Cookies exchanged between the IIS 8.5 website and the client must use SSL/TLS, have cookie properties set to prohibit client-side scripts from reading the cookie data and must not be compressed.
V-76829 Medium Directory Browsing on the IIS 8.5 website must be disabled.
V-76773 Medium The IIS 8.5 website's MaxConnections setting must be configured to limit the number of allowed simultaneous session requests.
V-76775 Medium The IIS 8.5 website session state must be enabled.
V-76805 Medium The production website must configure the Global .NET Trust Level.
V-76777 Medium The IIS 8.5 website session state cookie settings must be configured to Use Cookies mode.
V-76799 Medium Mappings to unused and vulnerable scripts on the IIS 8.5 website must be removed.
V-76793 Medium The log information from the IIS 8.5 website must be protected from unauthorized modification.
V-76825 Medium Double encoded URL requests must be prohibited by any IIS 8.5 website.
V-76791 Medium The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-76797 Medium The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-76795 Medium The log information from the IIS 8.5 website must be protected from unauthorized deletion.
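Several of the findings above map directly to per-site IIS configuration elements (Request Filtering limits for V-76817, V-76819, V-76821, V-76823, V-76825 and V-76827; directory browsing for V-76829; the site limits element for V-76773 and V-76841; the WebDAV feature for V-76803). The script below is an added example for pulling those effective values out of a site for review; it is not part of the DISA STIG or the STIG Viewer, and the site name, the use of the WebAdministration module (Windows Server 2012 R2 / IIS 8.5) and the ServerManager module for the WebDAV feature check are assumptions. It flags only the boolean settings whose required state follows from the finding titles; the numeric limits are reported for review because the required thresholds are not stated on this page.

```powershell
# Added example (not STIG-provided code): report the site-level settings behind
# a subset of the IIS 8.5 Site STIG findings. Assumes the WebAdministration module
# and an existing site name passed by the caller.
Import-Module WebAdministration -ErrorAction Stop

function Get-IisSiteStigReport {
    param([Parameter(Mandatory)][string]$SiteName)

    $psPath   = "IIS:\Sites\$SiteName"
    $sitePath = "system.applicationHost/sites/site[@name='$SiteName']"

    # -PSPath returns the effective (inherited) value for the site, so a setting
    # left at the applicationHost.config default is still reported correctly.
    $rf  = Get-WebConfiguration -Filter "system.webServer/security/requestFiltering" -PSPath $psPath
    $rl  = Get-WebConfiguration -Filter "system.webServer/security/requestFiltering/requestLimits" -PSPath $psPath
    $fx  = Get-WebConfiguration -Filter "system.webServer/security/requestFiltering/fileExtensions" -PSPath $psPath
    $db  = Get-WebConfiguration -Filter "system.webServer/directoryBrowse" -PSPath $psPath
    $lim = Get-WebConfiguration -Filter "$sitePath/limits"

    $rows = @()
    $add = { param($Finding, $Setting, $Value, $Status)
        $rows += [pscustomobject]@{ Finding = $Finding; Setting = $Setting; Value = $Value; Status = $Status } }

    # Boolean settings: the finding title fixes the required state, so these can be judged.
    & $add 'V-76829' 'directoryBrowse/@enabled'            $db.enabled                $(if ($db.enabled) { 'Fail' } else { 'Pass' })
    & $add 'V-76825' 'requestFiltering/@allowDoubleEscaping' $rf.allowDoubleEscaping   $(if ($rf.allowDoubleEscaping) { 'Fail' } else { 'Pass' })
    & $add 'V-76823' 'requestFiltering/@allowHighBitCharacters' $rf.allowHighBitCharacters $(if ($rf.allowHighBitCharacters) { 'Fail' } else { 'Pass' })
    & $add 'V-76827' 'fileExtensions/@allowUnlisted'       $fx.allowUnlisted          $(if ($fx.allowUnlisted) { 'Fail' } else { 'Pass' })

    # Numeric limits: the findings require them to be explicitly configured, but this
    # page does not state the thresholds, so they are surfaced for the reviewer.
    & $add 'V-76817' 'requestLimits/@maxUrl'                  $rl.maxUrl                  'Review'
    & $add 'V-76821' 'requestLimits/@maxQueryString'          $rl.maxQueryString          'Review'
    & $add 'V-76819' 'requestLimits/@maxAllowedContentLength' $rl.maxAllowedContentLength 'Review'
    & $add 'V-76841' 'limits/@connectionTimeout'              $lim.connectionTimeout      'Review'
    # IIS treats 4294967295 (UInt32 max) as "unlimited" for maxConnections.
    $maxConnStatus = if ([uint32]$lim.maxConnections -eq [uint32]::MaxValue) { 'Review (unlimited)' } else { 'Review' }
    & $add 'V-76773' 'limits/@maxConnections'                 $lim.maxConnections         $maxConnStatus

    # V-76803: WebDAV must be disabled. The practical server-side check is whether the
    # Web-DAV-Publishing role service is installed (ServerManager module assumed).
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $dav = (Get-WindowsFeature Web-DAV-Publishing).Installed
        & $add 'V-76803' 'Web-DAV-Publishing feature' $dav $(if ($dav) { 'Fail' } else { 'Pass' })
    } else {
        & $add 'V-76803' 'Web-DAV-Publishing feature' 'unknown' 'Review (ServerManager module not available)'
    }

    return $rows
}

# Run against every site on the host; "Default Web Site" is only the usual name.
foreach ($site in (Get-Website)) {
    Write-Host "== $($site.Name) =="
    Get-IisSiteStigReport -SiteName $site.Name | Format-Table -AutoSize
}
```

Run from an elevated PowerShell session on the IIS host. A 'Pass' here means the effective site value matches what the finding title requires; it does not replace the full STIG check, which also covers settings this script does not read (application pool, logging and TLS findings).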