Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-100189 | IIST-SV-000205 | SV-109293r1_rule | Low |
Description |
---|
HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public "Whitelist". If the browser does not support HSTS, it will be ignored. |
STIG | Date |
---|---|
Microsoft IIS 10.0 Server Security Technical Implementation Guide | 2020-06-08 |
Check Text ( C-99043r1_chk ) |
---|
Access the IIS 10.0 Web Server. Open IIS Manager. In the "Connections" pane, select the server name. In the "Features View" pane, open "HTTP Response Headers". Verify an entry exists named "Strict-Transport-Security". Open "Strict-Transport-Security" and verify the value box contains a value greater than 0. Click "OK". If HSTS has not been enabled, this is a finding. The recommended max age is 8 minutes (480 seconds) or greater. Any value greater than 0 is not a finding. If the version of Windows Server does not natively support HSTS, this is not a finding. |
Fix Text (F-105875r1_fix) |
---|
Access the IIS 10.0 Web Server. Access an administrative command prompt and type the following commands, substituting proper domain name: %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.enabled:True" /commit:apphost %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.max-age:480" /commit:apphost %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.includeSubDomains:True" /commit:apphost %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.redirectHttpToHttps:True" /commit:apphost |