| Note: If the server being reviewed is a public IIS 10.0 web server, this is Not Applicable. |
Note: If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 10.0 server, and the IIS 10.0 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server.
Follow the procedures below for each site hosted on the IIS 10.0 web server:
Access the IIS 10.0 Manager.
Under the "Management" section, double-click the "Configuration Editor" icon.
From the "Section:" drop-down list, select "system.web/httpCookies".
Verify the "require SSL" is set to "True".
From the "Section:" drop-down list, select "system.web/sessionState".
Verify the "compressionEnabled" is set to "False".
If both the "system.web/httpCookies:require SSL" is set to "True" and the "system.web/sessionState:compressionEnabled" is set to "False", this is not a finding.