Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-218827 | IIST-SV-000205 | SV-218827r810855_rule | | Low |
Description |
---|
HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, the web server, and a public "Allowlist" (the browser preload list). If the browser does not support HSTS, the header is ignored. |
STIG | Date |
---|---|
Microsoft IIS 10.0 Server Security Technical Implementation Guide | 2021-12-10 |
Check Text ( C-20299r810854_chk ) |
---|
Access the IIS 10.0 Web Server. Open IIS Manager. Click the IIS 10.0 web server name. Open Configuration Editor under Management. For the Section, navigate to system.applicationHost/sites. Expand siteDefaults, then hsts. If enabled is not set to True, this is a finding. If includeSubDomains is not set to True, this is a finding. If max-age is not set to a value greater than 0, this is a finding. If redirectHttpToHttps is not set to True, this is a finding. If the website is behind a load balancer or proxy server and HSTS enablement is handled there, this is Not Applicable. If the version of Windows Server does not natively support HSTS, this is not a finding. |
Fix Text (F-20297r802885_fix) |
---|
Using the Configuration Editor in IIS Manager or PowerShell: Enable HSTS. Set includeSubDomains to True. Set max-age to a value greater than 0. Set redirectHttpToHttps to True. |
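The check and fix above can be scripted so the same four attributes are audited and, where needed, remediated from PowerShell. The script below is an added example and is not part of the STIG or of any Microsoft tooling. It assumes the WebAdministration module is available and that the IIS 10.0 build exposes the native hsts element under siteDefaults (the same path the check text names); the `Test-HstsFinding` and `Set-HstsCompliant` function names and the 31536000-second max-age are constructed for this example, and any value greater than 0 satisfies the rule.

```powershell
# Added example (not from the STIG): audit and remediate the siteDefaults HSTS
# element that the check text inspects. Assumes IIS 10.0 with native HSTS support
# (the hsts element under siteDefaults) and the WebAdministration module.
Import-Module WebAdministration

$AppHost    = 'MACHINE/WEBROOT/APPHOST'
$HstsFilter = 'system.applicationHost/sites/siteDefaults/hsts'

function Test-HstsFinding {
    # Returns the list of failed conditions; an empty list means the check passes.
    $hsts = Get-WebConfiguration -PSPath $AppHost -Filter $HstsFilter -ErrorAction SilentlyContinue
    if ($null -eq $hsts) {
        # Element absent: this build has no native HSTS, which the STIG treats as not a finding.
        Write-Warning 'siteDefaults/hsts element not present; native HSTS is unsupported on this build.'
        return @()
    }
    $findings = @()
    if (-not $hsts.enabled)             { $findings += 'enabled is not True' }
    if (-not $hsts.includeSubDomains)   { $findings += 'includeSubDomains is not True' }
    if ($hsts.'max-age' -le 0)          { $findings += 'max-age is not greater than 0' }
    if (-not $hsts.redirectHttpToHttps) { $findings += 'redirectHttpToHttps is not True' }
    return $findings
}

function Set-HstsCompliant {
    param(
        # One year in seconds (constructed value); the rule only requires a value > 0.
        [int]$MaxAgeSeconds = 31536000
    )
    $props = @{
        'enabled'             = $true
        'includeSubDomains'   = $true
        'max-age'             = $MaxAgeSeconds
        'redirectHttpToHttps' = $true
    }
    foreach ($name in $props.Keys) {
        Set-WebConfigurationProperty -PSPath $AppHost -Filter $HstsFilter -Name $name -Value $props[$name]
    }
}

$before = Test-HstsFinding
if ($before.Count -gt 0) {
    'Finding: ' + ($before -join '; ')
    Set-HstsCompliant
    $after = Test-HstsFinding
    if ($after.Count -eq 0) { 'Remediated: siteDefaults HSTS now satisfies IIST-SV-000205.' }
} else {
    'Not a finding: siteDefaults HSTS is already compliant.'
}
```

Two points to keep in mind when running it. First, siteDefaults only supplies defaults: a site that carries its own hsts element (filter `system.applicationHost/sites/site[@name='<site>']/hsts`) overrides these values, so a per-site audit is needed before concluding the server is compliant. Second, `includeSubDomains` commits every subdomain of the host to TLS for the full `max-age`, so confirm all subdomains are reachable over HTTPS before enabling it, otherwise browsers that have cached the policy will refuse to load any subdomain still served over plain HTTP.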