UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft IIS 10.0 Site Security Technical Implementation Guide


Overview

Date Finding Count (47)
2020-06-08 CAT I (High): 1 CAT II (Med): 46 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-100221 High Anonymous IIS 10.0 website access accounts must be restricted.
V-100249 Medium The IIS 10.0 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.
V-100283 Medium Backup interactive scripts on the IIS 10.0 server must be removed.
V-100281 Medium Interactive scripts on the IIS 10.0 web server must have restrictive access controls.
V-100243 Medium Debugging and trace information used to diagnose the IIS 10.0 website must be disabled.
V-100241 Medium Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 website, patches, loaded modules, and directory paths.
V-100269 Medium The amount of private memory an application pool uses for each IIS 10.0 website must be explicitly set.
V-100247 Medium The IIS 10.0 websites connectionTimeout setting must be explicitly configured to disconnect an idle session.
V-100245 Medium The Idle Time-out monitor for each IIS 10.0 website must be enabled.
V-100229 Medium The IIS 10.0 website must be configured to limit the size of web requests.
V-100199 Medium Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.
V-100261 Medium Cookies exchanged between the IIS 10.0 website and the client must have cookie properties set to prohibit client-side scripts from reading the cookie data.
V-100209 Medium Mappings to unused and vulnerable scripts on the IIS 10.0 website must be removed.
V-100193 Medium The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode.
V-100223 Medium The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced.
V-100197 Medium A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required.
V-100203 Medium The IIS 10.0 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 10.0 website events.
V-100227 Medium The IIS 10.0 website must be configured to limit the maxURL.
V-100205 Medium The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-100217 Medium Each IIS 10.0 website must be assigned a default host header.
V-100225 Medium The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files.
V-100235 Medium Double encoded URL requests must be prohibited by any IIS 10.0 website.
V-100239 Medium Directory Browsing on the IIS 10.0 website must be disabled.
V-100201 Medium An IIS 10.0 website behind a load balancer or proxy server must produce log records containing the source client IP, and destination information.
V-100233 Medium Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website.
V-100259 Medium IIS 10.0 website session IDs must be sent to the client using TLS.
V-100255 Medium The IIS 10.0 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-100251 Medium The IIS 10.0 website must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 website.
V-100257 Medium The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates.
V-100253 Medium The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines.
V-100211 Medium The IIS 10.0 website must have resource mappings set to disable the serving of certain file types.
V-100275 Medium The application pools rapid fail protection for each IIS 10.0 website must be enabled.
V-100273 Medium The application pools pinging monitor for each IIS 10.0 website must be enabled.
V-100271 Medium The application pool for each IIS 10.0 website must have a recycle time explicitly set.
V-100195 Medium A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections.
V-100263 Medium The IIS 10.0 website must have a unique application pool.
V-100237 Medium Unlisted file extensions in URL requests must be filtered by any IIS 10.0 website.
V-100279 Medium Interactive scripts on the IIS 10.0 web server must be located in unique and designated folders.
V-100191 Medium The IIS 10.0 website session state must be enabled.
V-100277 Medium The application pools rapid fail protection settings for each IIS 10.0 website must be managed.
V-100219 Medium A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.
V-100265 Medium The maximum number of requests an application pool can process for each IIS 10.0 website must be explicitly set.
V-100285 Medium The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
V-100213 Medium The IIS 10.0 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.
V-100207 Medium The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-100267 Medium The amount of virtual memory an application pool uses for each IIS 10.0 website must be explicitly set.
V-100231 Medium The IIS 10.0 websites Maximum Query String limit must be configured.