The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-218827	IIST-SV-000205	SV-218827r695271_rule		Low

Description
HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public "Allowlist". If the browser does not support HSTS, it will be ignored.

STIG	Date
Microsoft IIS 10.0 Server Security Technical Implementation Guide	2021-06-23

Details

Check Text ( C-20299r695269_chk )
Access the IIS 10.0 Web Server. Open IIS Manager. Click the IIS 10.0 web server name. Click on HSTS. Verify “Enable” is checked, and Max-Age is set to something other than “0”. Verify “IncludeSubDomains” and “Redirect HTTP to HTTPS” are checked. Click "OK". If HSTS has not been enabled, this is a finding. If the website is behind a load balancer or proxy server, and HSTS enablement is handled there, this is Not Applicable. The recommended max age is 8 minutes (480 seconds) or greater. Any value greater than 0 is not a finding. If the version of Windows Server does not natively support HSTS, this is not a finding.

Check Text ( C-20299r695269_chk )

Access the IIS 10.0 Web Server.

Open IIS Manager.

Click the IIS 10.0 web server name.

Click on HSTS.

Verify “Enable” is checked, and Max-Age is set to something other than “0”.

Verify “IncludeSubDomains” and “Redirect HTTP to HTTPS” are checked.

Click "OK".

If HSTS has not been enabled, this is a finding.

If the website is behind a load balancer or proxy server, and HSTS enablement is handled there, this is Not Applicable.

The recommended max age is 8 minutes (480 seconds) or greater. Any value greater than 0 is not a finding.

If the version of Windows Server does not natively support HSTS, this is not a finding.

Fix Text (F-20297r695270_fix)
Enable HSTS via IIS Manager or Powershell.