Each IIS 10.0 website must be assigned a default host header.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-100217	IIST-SI-000219	SV-109321r1_rule		Medium

Description
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to use, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.

Description

The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to use, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.

STIG	Date
Microsoft IIS 10.0 Site Security Technical Implementation Guide	2020-06-08

Details

Check Text ( C-99071r1_chk )
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Right-click on the site name under review. Select "Edit Bindings". Verify there are hostname entries and unique IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used. If both hostname entries and unique IP addresses are not configured to port 80 for HTTP and port 443 for HTTPS (or other approved and documented port), this is a finding. Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding. Note: If HTTP/Port 80 is not being used, and is not configured as above, this is not a finding. Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable.

Check Text ( C-99071r1_chk )

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.
Right-click on the site name under review.
Select "Edit Bindings".

Verify there are hostname entries and unique IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used.

If both hostname entries and unique IP addresses are not configured to port 80 for HTTP and port 443 for HTTPS (or other approved and documented port), this is a finding.

Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding.

Note: If HTTP/Port 80 is not being used, and is not configured as above, this is not a finding.

Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable.

Fix Text (F-105903r1_fix)
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Right-click on the site name under review. Select "Edit Bindings". Assign hostname entries and unique IP addresses to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used. Click "OK". Select "Apply" from the "Actions" pane.