
Microsoft IIS 10.0 Site Security Technical Implementation Guide


Overview

Date: 2023-03-08
Finding Count (44): CAT I (High): 1, CAT II (Med): 43, CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-218750 High Anonymous IIS 10.0 website access accounts must be restricted.
V-218757 Medium Double encoded URL requests must be prohibited by any IIS 10.0 website.
V-218782 Medium The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
V-218781 Medium Backup interactive scripts on the IIS 10.0 server must be removed.
V-218780 Medium Interactive scripts on the IIS 10.0 web server must have restrictive access controls.
V-218742 Medium The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-218743 Medium The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-218772 Medium The maximum number of requests an application pool can process for each IIS 10.0 website must be explicitly set.
V-218770 Medium Cookies exchanged between the IIS 10.0 website and the client must have cookie properties set to prohibit client-side scripts from reading the cookie data.
V-218771 Medium The IIS 10.0 website must have a unique application pool.
V-218758 Medium Unlisted file extensions in URL requests must be filtered by any IIS 10.0 website.
V-218759 Medium Directory Browsing on the IIS 10.0 website must be disabled.
V-218775 Medium The application pool for each IIS 10.0 website must have a recycle time explicitly set.
V-218754 Medium The IIS 10.0 website must be configured to limit the size of web requests.
V-218755 Medium The IIS 10.0 websites Maximum Query String limit must be configured.
V-218756 Medium Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website.
V-218779 Medium Interactive scripts on the IIS 10.0 web server must be located in unique and designated folders.
V-218751 Medium The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced.
V-218752 Medium The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files.
V-218753 Medium The IIS 10.0 website must be configured to limit the maxURL.
V-218736 Medium The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode.
V-218737 Medium A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections.
V-218735 Medium The IIS 10.0 website session state must be enabled.
V-218749 Medium A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.
V-218738 Medium A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required.
V-218739 Medium Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.
V-218777 Medium The application pools rapid fail protection for each IIS 10.0 website must be enabled.
V-218765 Medium The IIS 10.0 website must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 website.
V-218764 Medium The IIS 10.0 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.
V-218767 Medium The IIS 10.0 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-218766 Medium The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines.
V-218761 Medium Debugging and trace information used to diagnose the IIS 10.0 website must be disabled.
V-218760 Medium Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 website, patches, loaded modules, and directory paths.
V-218763 Medium The IIS 10.0 websites connectionTimeout setting must be explicitly configured to disconnect an idle session.
V-218748 Medium Each IIS 10.0 website must be assigned a default host header.
V-218746 Medium The IIS 10.0 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.
V-218745 Medium The IIS 10.0 website must have resource mappings set to disable the serving of certain file types.
V-218744 Medium Mappings to unused and vulnerable scripts on the IIS 10.0 website must be removed.
V-218769 Medium IIS 10.0 website session IDs must be sent to the client using TLS.
V-218768 Medium The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates.
V-218741 Medium The IIS 10.0 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 10.0 website events.
V-218740 Medium An IIS 10.0 website behind a load balancer or proxy server must produce log records containing the source client IP, and destination information.
V-218762 Medium The Idle Time-out monitor for each IIS 10.0 website must be enabled.
V-218778 Medium The application pools rapid fail protection settings for each IIS 10.0 website must be managed.