The Internet Printing Protocol (IPP) must be disabled on the IIS 10.0 web server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-218818	IIST-SV-000149	SV-218818r561041_rule		Medium

Description
The use of IPP on an IIS web server allows client access to shared printers. This privileged access could allow remote code execution by increasing the web servers attack surface. Additionally, since IPP does not support SSL, it is considered a risk and will not be deployed.

STIG	Date
Microsoft IIS 10.0 Server Security Technical Implementation Guide	2020-09-25

Details

Check Text ( C-20290r310929_chk )
If the Print Services role and the Internet Printing role are not installed, this check is Not Applicable. Navigate to the following directory: %windir%\web\printers If this folder exists, this is a finding. Determine whether Internet Printing is enabled: Click “Start”, click “Administrative Tools”, and then click “Server Manager”. Expand the roles node, right-click “Print Services”, and then select “Remove Roles Services”. If the Internet Printing option is enabled, this is a finding.

Check Text ( C-20290r310929_chk )

If the Print Services role and the Internet Printing role are not installed, this check is Not Applicable.

Navigate to the following directory:

%windir%\web\printers

If this folder exists, this is a finding.

Determine whether Internet Printing is enabled:

Click “Start”, click “Administrative Tools”, and then click “Server Manager”.

Expand the roles node, right-click “Print Services”, and then select “Remove Roles Services”.

If the Internet Printing option is enabled, this is a finding.

Fix Text (F-20288r310930_fix)
Click “Start”, click “Administrative Tools”, and then click “Server Manager”. Expand the roles node, right-click “Print Services”, and then select “Remove Roles Services”. If the Internet Printing option is checked, clear the check box, click “Next”, and then click “Remove” to complete the wizard.