Microsoft IIS 8.5 Site Security Technical Implementation Guide


Overview

Date Finding Count (50)
2021-03-24 CAT I (High): 1 CAT II (Med): 49 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-214461 High Anonymous IIS 8.5 website access accounts must be restricted.
V-214446 Medium A private IIS 8.5 website must only accept Secure Socket Layer connections.
V-214447 Medium A public IIS 8.5 website must only accept Secure Socket Layer connections when authentication is required.
V-214466 Medium The IIS 8.5 websites Maximum Query String limit must be configured.
V-214467 Medium Non-ASCII characters in URLs must be prohibited by any IIS 8.5 website.
V-214464 Medium The IIS 8.5 website must be configured to limit the maxURL.
V-214465 Medium The IIS 8.5 website must be configured to limit the size of web requests.
V-214462 Medium The IIS 8.5 website must generate unique session identifiers that cannot be reliably reproduced.
V-214463 Medium The IIS 8.5 website document directory must be in a separate partition from the IIS 8.5 websites system files.
V-214460 Medium A private websites authentication mechanism must use client certificates to transmit session identifier to assure integrity.
V-214448 Medium The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session.
V-214449 Medium Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled.
V-214468 Medium Double encoded URL requests must be prohibited by any IIS 8.5 website.
V-214469 Medium Unlisted file extensions in URL requests must be filtered by any IIS 8.5 website.
V-214484 Medium The IIS 8.5 website must have a unique application pool.
V-214485 Medium The maximum number of requests an application pool can process for each IIS 8.5 website must be explicitly set.
V-214486 Medium The amount of virtual memory an application pool uses for each IIS 8.5 website must be explicitly set.
V-214487 Medium The amount of private memory an application pool uses for each IIS 8.5 website must be explicitly set.
V-214480 Medium The IIS 8.5 private website must employ cryptographic mechanisms (TLS) and require client certificates.
V-214481 Medium IIS 8.5 website session IDs must be sent to the client using TLS.
V-214482 Medium Cookies exchanged between the IIS 8.5 website and the client must use SSL/TLS, have cookie properties set to prohibit client-side scripts from reading the cookie data and must not be compressed.
V-214483 Medium The IIS 8.5 website must maintain the confidentiality and integrity of information during preparation for transmission and during reception.
V-214488 Medium The application pool for each IIS 8.5 website must have a recycle time explicitly set.
V-214489 Medium The maximum queue length for HTTP.sys for each IIS 8.5 website must be explicitly configured.
V-214479 Medium The IIS 8.5 private website have a server certificate issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-214478 Medium The IIS 8.5 websites must utilize ports, protocols, and services according to PPSM guidelines.
V-214470 Medium Directory Browsing on the IIS 8.5 website must be disabled.
V-214473 Medium Debugging and trace information used to diagnose the IIS 8.5 website must be disabled.
V-214472 Medium Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 8.5 website, patches, loaded modules, and directory paths.
V-214475 Medium The IIS 8.5 websites connectionTimeout setting must be explicitly configured to disconnect an idle session.
V-214474 Medium The Idle Time-out monitor for each IIS 8.5 website must be enabled.
V-214477 Medium The IIS 8.5 website must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 8.5 website.
V-214476 Medium The IIS 8.5 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.
V-214452 Medium The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-214451 Medium The IIS 8.5 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 8.5 website events.
V-214450 Medium An IIS 8.5 website behind a load balancer or proxy server, must produce log records containing the source client IP and destination information.
V-214457 Medium The IIS 8.5 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.
V-214456 Medium The IIS 8.5 website must have resource mappings set to disable the serving of certain file types.
V-214455 Medium Mappings to unused and vulnerable scripts on the IIS 8.5 website must be removed.
V-214454 Medium The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-214459 Medium Each IIS 8.5 website must be assigned a default host header.
V-214496 Medium The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
V-214495 Medium Backup interactive scripts on the IIS 8.5 server must be removed.
V-214494 Medium Interactive scripts on the IIS 8.5 web server must have restrictive access controls.
V-214493 Medium Interactive scripts on the IIS 8.5 web server must be located in unique and designated folders.
V-214492 Medium The application pools rapid fail protection settings for each IIS 8.5 website must be managed.
V-214491 Medium The application pools rapid fail protection for each IIS 8.5 website must be enabled.
V-214490 Medium The application pools pinging monitor for each IIS 8.5 website must be enabled.
V-214444 Medium The IIS 8.5 website session state must be enabled.
V-214445 Medium The IIS 8.5 website session state cookie settings must be configured to Use Cookies mode.