
Microsoft IIS 10.0 Site Security Technical Implementation Guide


Overview

Date: 2022-06-23
Finding count: 45 (CAT I (High): 1, CAT II (Med): 44, CAT III (Low): 0)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-218750 High Anonymous IIS 10.0 website access accounts must be restricted.
V-218757 Medium Double encoded URL requests must be prohibited by any IIS 10.0 website.
V-218782 Medium The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
V-218781 Medium Backup interactive scripts on the IIS 10.0 server must be removed.
V-218780 Medium Interactive scripts on the IIS 10.0 web server must have restrictive access controls.
V-218742 Medium The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-218743 Medium The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-218772 Medium The maximum number of requests an application pool can process for each IIS 10.0 website must be explicitly set.
V-218770 Medium Cookies exchanged between the IIS 10.0 website and the client must have cookie properties set to prohibit client-side scripts from reading the cookie data.
V-218771 Medium The IIS 10.0 website must have a unique application pool.
V-218776 Medium The application pools pinging monitor for each IIS 10.0 website must be enabled.
V-218759 Medium Directory Browsing on the IIS 10.0 website must be disabled.
V-218775 Medium The application pool for each IIS 10.0 website must have a recycle time explicitly set.
V-218754 Medium The IIS 10.0 website must be configured to limit the size of web requests.
V-218755 Medium The IIS 10.0 websites Maximum Query String limit must be configured.
V-218756 Medium Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website.
V-218779 Medium Interactive scripts on the IIS 10.0 web server must be located in unique and designated folders.
V-218751 Medium The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced.
V-218752 Medium The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files.
V-218753 Medium The IIS 10.0 website must be configured to limit the maxURL.
V-218736 Medium The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode.
V-218737 Medium A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections.
V-218735 Medium The IIS 10.0 website session state must be enabled.
V-218749 Medium A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.
V-218738 Medium A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required.
V-218739 Medium Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.
V-218758 Medium Unlisted file extensions in URL requests must be filtered by any IIS 10.0 website.
V-218777 Medium The application pools rapid fail protection for each IIS 10.0 website must be enabled.
V-218765 Medium The IIS 10.0 website must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 website.
V-218764 Medium The IIS 10.0 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.
V-218767 Medium The IIS 10.0 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-218766 Medium The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines.
V-218761 Medium Debugging and trace information used to diagnose the IIS 10.0 website must be disabled.
V-218760 Medium Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 website, patches, loaded modules, and directory paths.
V-218763 Medium The IIS 10.0 websites connectionTimeout setting must be explicitly configured to disconnect an idle session.
V-218748 Medium Each IIS 10.0 website must be assigned a default host header.
V-218746 Medium The IIS 10.0 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.
V-218745 Medium The IIS 10.0 website must have resource mappings set to disable the serving of certain file types.
V-218744 Medium Mappings to unused and vulnerable scripts on the IIS 10.0 website must be removed.
V-218769 Medium IIS 10.0 website session IDs must be sent to the client using TLS.
V-218768 Medium The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates.
V-218741 Medium The IIS 10.0 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 10.0 website events.
V-218740 Medium An IIS 10.0 website behind a load balancer or proxy server must produce log records containing the source client IP, and destination information.
V-218762 Medium The Idle Time-out monitor for each IIS 10.0 website must be enabled.
V-218778 Medium The application pools rapid fail protection settings for each IIS 10.0 website must be managed.
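Many of the findings above map to a single IIS configuration attribute, so the check can be scripted. The PowerShell below is an added example, not part of the STIG, the STIG check text, or the STIG Viewer page: it reads the request-filtering, directory-browsing, session/cookie, SSL and application-pool settings for one site and reports PASS/FAIL per finding ID. It assumes the WebAdministration module is available (run elevated on the IIS host), that the site under review is "Default Web Site", and that the numeric ceilings (maxUrl 4096, maxQueryString 2048, maxAllowedContentLength 30000000, which are the IIS defaults) are the values your STIG check text requires; adjust those parameters to match.

```powershell
# Added example (not the STIG's own check procedure). Reports one row per finding.
# Assumptions: WebAdministration module present; site name and ceilings are placeholders.
Import-Module WebAdministration

function Get-SiteStigReport {
    param(
        [string]$SiteName         = 'Default Web Site',  # assumption: site under review
        [uint32]$MaxUrl           = 4096,                # assumed ceilings (IIS defaults);
        [uint32]$MaxQueryString   = 2048,                # set to what the STIG check text requires
        [uint32]$MaxContentLength = 30000000
    )
    $sitePath = "IIS:\Sites\$SiteName"
    $results  = New-Object System.Collections.Generic.List[object]

    # One row per finding, keeping the observed value so a FAIL can be verified by hand.
    function Add-Result([string]$Id, [string]$Check, [bool]$Pass, $Actual) {
        $results.Add([pscustomobject]@{
            FindingID = $Id
            Status    = if ($Pass) { 'PASS' } else { 'FAIL' }
            Actual    = "$Actual"
            Check     = $Check
        })
    }

    # Request filtering: V-218753 (maxUrl), V-218754 (content length), V-218755 (query string),
    # V-218756 (non-ASCII), V-218757 (double encoding), V-218758 (unlisted extensions)
    $limits = Get-WebConfiguration -Filter 'system.webServer/security/requestFiltering/requestLimits' -PSPath $sitePath
    Add-Result 'V-218753' "maxUrl <= $MaxUrl" ($limits.maxUrl -le $MaxUrl) $limits.maxUrl
    Add-Result 'V-218754' "maxAllowedContentLength <= $MaxContentLength" ($limits.maxAllowedContentLength -le $MaxContentLength) $limits.maxAllowedContentLength
    Add-Result 'V-218755' "maxQueryString <= $MaxQueryString" ($limits.maxQueryString -le $MaxQueryString) $limits.maxQueryString
    $rf = Get-WebConfiguration -Filter 'system.webServer/security/requestFiltering' -PSPath $sitePath
    Add-Result 'V-218756' 'allowHighBitCharacters is false' (-not $rf.allowHighBitCharacters) $rf.allowHighBitCharacters
    Add-Result 'V-218757' 'allowDoubleEscaping is false' (-not $rf.allowDoubleEscaping) $rf.allowDoubleEscaping
    $ext = Get-WebConfiguration -Filter 'system.webServer/security/requestFiltering/fileExtensions' -PSPath $sitePath
    Add-Result 'V-218758' 'fileExtensions allowUnlisted is false' (-not $ext.allowUnlisted) $ext.allowUnlisted

    # Directory browsing: V-218759
    $db = Get-WebConfiguration -Filter 'system.webServer/directoryBrowse' -PSPath $sitePath
    Add-Result 'V-218759' 'directoryBrowse enabled is false' (-not $db.enabled) $db.enabled

    # ASP.NET session and cookie settings: V-218735, V-218736, V-218769, V-218770
    $ss = Get-WebConfiguration -Filter 'system.web/sessionState' -PSPath $sitePath
    Add-Result 'V-218735' 'sessionState mode is not Off' ($ss.mode -ne 'Off') $ss.mode
    Add-Result 'V-218736' 'sessionState cookieless is UseCookies' ($ss.cookieless -eq 'UseCookies') $ss.cookieless
    $hc = Get-WebConfiguration -Filter 'system.web/httpCookies' -PSPath $sitePath
    Add-Result 'V-218769' 'httpCookies requireSSL is true' ([bool]$hc.requireSSL) $hc.requireSSL
    Add-Result 'V-218770' 'httpCookies httpOnlyCookies is true' ([bool]$hc.httpOnlyCookies) $hc.httpOnlyCookies

    # SSL required for the site: V-218737 (sslFlags must include "Ssl", not only SslNegotiateCert)
    $access = Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $sitePath
    Add-Result 'V-218737' 'access sslFlags includes Ssl' ("$($access.sslFlags)" -match '\bSsl\b') $access.sslFlags

    # Application pool: V-218762, V-218771, V-218772, V-218775, V-218776, V-218777
    $poolName = (Get-Website -Name $SiteName).applicationPool
    $pool     = Get-Item "IIS:\AppPools\$poolName"
    $sharedBy = @(Get-Website | Where-Object { $_.applicationPool -eq $poolName }).Count
    Add-Result 'V-218771' 'application pool used by exactly one site' ($sharedBy -eq 1) "$poolName used by $sharedBy site(s)"
    Add-Result 'V-218772' 'periodicRestart requests set (non-zero)' ($pool.recycling.periodicRestart.requests -gt 0) $pool.recycling.periodicRestart.requests
    Add-Result 'V-218775' 'periodicRestart time set (non-zero)' ($pool.recycling.periodicRestart.time -gt [TimeSpan]::Zero) $pool.recycling.periodicRestart.time
    Add-Result 'V-218776' 'processModel pingingEnabled is true' ([bool]$pool.processModel.pingingEnabled) $pool.processModel.pingingEnabled
    Add-Result 'V-218777' 'failure rapidFailProtection is true' ([bool]$pool.failure.rapidFailProtection) $pool.failure.rapidFailProtection
    Add-Result 'V-218762' 'processModel idleTimeout set (non-zero)' ($pool.processModel.idleTimeout -gt [TimeSpan]::Zero) $pool.processModel.idleTimeout

    return $results
}

# Usage: one table per site under review; every FAIL is a candidate finding to confirm by hand.
Get-SiteStigReport -SiteName 'Default Web Site' | Format-Table -AutoSize
```

Two caveats when reading the output. The system.web sections (session state, httpCookies) only govern ASP.NET applications, so for a site hosting non-ASP.NET content those rows describe settings that are not in effect and the finding must be evaluated against the application's own session handling. A PASS here also does not close findings whose check is procedural rather than a single attribute (the DoD banner, PPSM ports, DoD PKI client certificates, log content and storage); those still need the STIG's manual check.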