
Microsoft IIS 8.5 Site Security Technical Implementation Guide


Overview

Date: 2020-09-25
Finding Count (50): CAT I (High): 1 | CAT II (Med): 49 | CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-214461 High Anonymous IIS 8.5 website access accounts must be restricted.
V-214446 Medium A private IIS 8.5 website must only accept Secure Socket Layer connections.
V-214447 Medium A public IIS 8.5 website must only accept Secure Socket Layer connections when authentication is required.
V-214466 Medium The IIS 8.5 website's Maximum Query String limit must be configured.
V-214467 Medium Non-ASCII characters in URLs must be prohibited by any IIS 8.5 website.
V-214464 Medium The IIS 8.5 website must be configured to limit the maxURL.
V-214465 Medium The IIS 8.5 website must be configured to limit the size of web requests.
V-214462 Medium The IIS 8.5 website must generate unique session identifiers that cannot be reliably reproduced.
V-214463 Medium The IIS 8.5 website document directory must be in a separate partition from the IIS 8.5 website's system files.
V-214460 Medium A private website's authentication mechanism must use client certificates to transmit the session identifier to assure integrity.
V-214448 Medium The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session.
V-214449 Medium Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled.
V-214468 Medium Double encoded URL requests must be prohibited by any IIS 8.5 website.
V-214469 Medium Unlisted file extensions in URL requests must be filtered by any IIS 8.5 website.
V-214484 Medium The IIS 8.5 website must have a unique application pool.
V-214485 Medium The maximum number of requests an application pool can process for each IIS 8.5 website must be explicitly set.
V-214486 Medium The amount of virtual memory an application pool uses for each IIS 8.5 website must be explicitly set.
V-214487 Medium The amount of private memory an application pool uses for each IIS 8.5 website must be explicitly set.
V-214480 Medium The IIS 8.5 private website must employ cryptographic mechanisms (TLS) and require client certificates.
V-214481 Medium IIS 8.5 website session IDs must be sent to the client using TLS.
V-214482 Medium Cookies exchanged between the IIS 8.5 website and the client must use SSL/TLS, have cookie properties set to prohibit client-side scripts from reading the cookie data and must not be compressed.
V-214483 Medium The IIS 8.5 website must maintain the confidentiality and integrity of information during preparation for transmission and during reception.
V-214488 Medium The application pool for each IIS 8.5 website must have a recycle time explicitly set.
V-214489 Medium The maximum queue length for HTTP.sys for each IIS 8.5 website must be explicitly configured.
V-214479 Medium The IIS 8.5 private website must have a server certificate issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-214478 Medium The IIS 8.5 websites must utilize ports, protocols, and services according to PPSM guidelines.
V-214470 Medium Directory Browsing on the IIS 8.5 website must be disabled.
V-214473 Medium Debugging and trace information used to diagnose the IIS 8.5 website must be disabled.
V-214472 Medium Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 8.5 website, patches, loaded modules, and directory paths.
V-214475 Medium The IIS 8.5 website's connectionTimeout setting must be explicitly configured to disconnect an idle session.
V-214474 Medium The Idle Time-out monitor for each IIS 8.5 website must be enabled.
V-214477 Medium The IIS 8.5 website must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 8.5 website.
V-214476 Medium The IIS 8.5 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.
V-214452 Medium The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-214451 Medium The IIS 8.5 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 8.5 website events.
V-214450 Medium An IIS 8.5 website behind a load balancer or proxy server must produce log records containing the source client IP and destination information.
V-214457 Medium The IIS 8.5 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.
V-214456 Medium The IIS 8.5 website must have resource mappings set to disable the serving of certain file types.
V-214455 Medium Mappings to unused and vulnerable scripts on the IIS 8.5 website must be removed.
V-214454 Medium The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-214459 Medium Each IIS 8.5 website must be assigned a default host header.
V-214496 Medium The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
V-214495 Medium Backup interactive scripts on the IIS 8.5 server must be removed.
V-214494 Medium Interactive scripts on the IIS 8.5 web server must have restrictive access controls.
V-214493 Medium Interactive scripts on the IIS 8.5 web server must be located in unique and designated folders.
V-214492 Medium The application pool's rapid fail protection settings for each IIS 8.5 website must be managed.
V-214491 Medium The application pool's rapid fail protection for each IIS 8.5 website must be enabled.
V-214490 Medium The application pool's pinging monitor for each IIS 8.5 website must be enabled.
V-214444 Medium The IIS 8.5 website session state must be enabled.
V-214445 Medium The IIS 8.5 website session state cookie settings must be configured to Use Cookies mode.