UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).


Overview

Finding ID Version Rule ID IA Controls Severity
V-218827 IIST-SV-000205 SV-218827r561041_rule Low
Description
HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public "Whitelist". If the browser does not support HSTS, it will be ignored.
STIG Date
Microsoft IIS 10.0 Server Security Technical Implementation Guide 2020-09-25

Details

Check Text ( C-20299r505285_chk )
Access the IIS 10.0 Web Server.

Open IIS Manager.

In the "Connections" pane, select the server name.

In the "Features View" pane, open "HTTP Response Headers".

Verify an entry exists named "Strict-Transport-Security".

Open "Strict-Transport-Security" and verify the value box contains a value greater than 0.

Click "OK".

If HSTS has not been enabled, this is a finding.
The recommended max age is 8 minutes (480 seconds) or greater. Any value greater than 0 is not a finding.
If the version of Windows Server does not natively support HSTS, this is not a finding.
Fix Text (F-20297r505286_fix)
Access the IIS 10.0 Web Server.

Access an administrative command prompt and type the following commands, substituting proper domain name:

%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.enabled:True" /commit:apphost
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.max-age:480" /commit:apphost
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.includeSubDomains:True" /commit:apphost
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.redirectHttpToHttps:True" /commit:apphost