The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-218827 | IIST-SV-000205 | SV-218827r810855_rule | Low |
| Description |
|---|
| HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public "Allowlist". If the browser does not support HSTS, it will be ignored. |
| STIG | Date |
|---|---|
| Microsoft IIS 10.0 Server Security Technical Implementation Guide | 2022-09-21 |
Details
| Check Text ( C-20299r810854_chk ) |
|---|
| Access the IIS 10.0 Web Server. Open IIS Manager. Click the IIS 10.0 web server name. Open on Configuration Editor under Management. For the Section, navigate to system.applicationHost/sites. Expand siteDefaults and HSTS. If enabled is not set to True, this is a finding. If includeSubDomains is not set to True, this is a finding. If max-age is not set to a value greater than 0, this is a finding. If redirectHttpToHttps is not True, this is a finding. If the website is behind a load balancer or proxy server, and HSTS enablement is handled there, this is Not Applicable. If the version of Windows Server does not natively support HSTS, this is not a finding. |
| Fix Text (F-20297r802885_fix) |
|---|
| Using the Configuration Editor in the IIS Manager or Powershell: Enable HSTS. Set includeSubDomains to True. Set max-age to a value greater than 0. Set redirectHttpToHttps to True. |