The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-218827	IIST-SV-000205	SV-218827r561041_rule		Low

Description
HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public "Whitelist". If the browser does not support HSTS, it will be ignored.

STIG	Date
Microsoft IIS 10.0 Server Security Technical Implementation Guide	2020-09-25

Details

Check Text ( C-20299r505285_chk )
Access the IIS 10.0 Web Server. Open IIS Manager. In the "Connections" pane, select the server name. In the "Features View" pane, open "HTTP Response Headers". Verify an entry exists named "Strict-Transport-Security". Open "Strict-Transport-Security" and verify the value box contains a value greater than 0. Click "OK". If HSTS has not been enabled, this is a finding. The recommended max age is 8 minutes (480 seconds) or greater. Any value greater than 0 is not a finding. If the version of Windows Server does not natively support HSTS, this is not a finding.

Check Text ( C-20299r505285_chk )

Access the IIS 10.0 Web Server.

Open IIS Manager.

In the "Connections" pane, select the server name.

In the "Features View" pane, open "HTTP Response Headers".

Verify an entry exists named "Strict-Transport-Security".

Open "Strict-Transport-Security" and verify the value box contains a value greater than 0.

Click "OK".

If HSTS has not been enabled, this is a finding.
The recommended max age is 8 minutes (480 seconds) or greater. Any value greater than 0 is not a finding.
If the version of Windows Server does not natively support HSTS, this is not a finding.

Fix Text (F-20297r505286_fix)
Access the IIS 10.0 Web Server. Access an administrative command prompt and type the following commands, substituting proper domain name: %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.enabled:True" /commit:apphost %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.max-age:480" /commit:apphost %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.includeSubDomains:True" /commit:apphost %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.redirectHttpToHttps:True" /commit:apphost

Fix Text (F-20297r505286_fix)

Access the IIS 10.0 Web Server.

Access an administrative command prompt and type the following commands, substituting proper domain name:

%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.enabled:True" /commit:apphost
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.max-age:480" /commit:apphost
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.includeSubDomains:True" /commit:apphost
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.redirectHttpToHttps:True" /commit:apphost