UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).


Overview

Finding ID Version Rule ID IA Controls Severity
V-218827 IIST-SV-000205 SV-218827r810855_rule Low
Description
HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public "Allowlist". If the browser does not support HSTS, it will be ignored.
STIG Date
Microsoft IIS 10.0 Server Security Technical Implementation Guide 2021-12-10

Details

Check Text ( C-20299r810854_chk )
Access the IIS 10.0 Web Server.
Open IIS Manager.
Click the IIS 10.0 web server name.
Open on Configuration Editor under Management.
For the Section, navigate to system.applicationHost/sites.
Expand siteDefaults and HSTS.
If enabled is not set to True, this is a finding.
If includeSubDomains is not set to True, this is a finding.
If max-age is not set to a value greater than 0, this is a finding.
If redirectHttpToHttps is not True, this is a finding.

If the website is behind a load balancer or proxy server, and HSTS enablement is handled there, this is Not Applicable.

If the version of Windows Server does not natively support HSTS, this is not a finding.
Fix Text (F-20297r802885_fix)
Using the Configuration Editor in the IIS Manager or Powershell:
Enable HSTS.
Set includeSubDomains to True.
Set max-age to a value greater than 0.
Set redirectHttpToHttps to True.