| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-218735 | | The IIS 10.0 website session state must be enabled. | When the session information is stored on the client, the session ID, along with the user authorization and identity information, is sent along with e... |
| V-218736 | | The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode. | When the session information is stored on the client, the session ID, along with the user authorization and identity information, is sent along with e... |
| V-218737 | | A private IIS 10.0 website must only accept Secure Sockets Layer (SSL) connections. | Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to e... |
| V-218738 | | A public IIS 10.0 website must only accept Secure Sockets Layer (SSL) connections when authentication is required. | Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to e... |
| V-218739 | | Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled. | Internet Information Services (IIS) 10.0 on Windows Server 2016 and later provides basic logging capabilities. However, because IIS takes some time to flush logs to ... |
| V-218740 | | An IIS 10.0 website behind a load balancer or proxy server must produce log records containing the source client IP, and destination information. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events ... |
| V-218741 | | The IIS 10.0 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 10.0 website events. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events ... |
| V-218742 | | The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events ... |
| V-218743 | | The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled. | Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more function... |
| V-218744 | | Mappings to unused and vulnerable scripts on the IIS 10.0 website must be removed. | IIS 10.0 will either allow or deny script execution based on file extension. The ability to control script execution is controlled through two feature... |
| V-218745 | | The IIS 10.0 website must have resource mappings set to disable the serving of certain file types. | IIS 10.0 will either allow or deny script execution based on file extension. The ability to control script execution is controlled through two feature... |
| V-218748 | | Each IIS 10.0 website must be assigned a default host header. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to use, t... |
| V-218749 | | A private IIS 10.0 website authentication mechanism must use client certificates to transmit the session identifier to assure integrity. | A DoD private website must use PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorizati... |
| V-218751 | | The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced. | Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. To maintain a connection or sessi... |
| V-218752 | | The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 website's system files. | The content database is accessed by multiple anonymous users when the web server is in production. By locating the content database on the same partit... |
| V-218753 | | The IIS 10.0 website must be configured to limit the maxURL. | Request filtering replaces URLScan in IIS, enabling administrators to create a more granular rule set with which to allow or reject inbound web conten... |
| V-218754 | | The IIS 10.0 website must be configured to limit the size of web requests. | Setting limits on web requests ensures availability of web services and mitigates the risk of buffer overflow type attacks. The maxAllowedConte... |
| V-218755 | | The IIS 10.0 website's Maximum Query String limit must be configured. | Setting limits on web requests helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The M... |
| V-218756 | | Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website. | Setting limits on web requests ensures availability of web services and mitigates the risk of buffer overflow type attacks. The allow high-bit charact... |
| V-218757 | | Double encoded URL requests must be prohibited by any IIS 10.0 website. | Request filtering enables administrators to create a more granular rule set with which to allow or reject inbound web content. Setting limits on web r... |
| V-218758 | | Unlisted file extensions in URL requests must be filtered by any IIS 10.0 website. | Request filtering enables administrators to create a more granular rule set to allow or reject inbound web content. Setting limits on web requests hel... |
| V-218759 | | Directory Browsing on the IIS 10.0 website must be disabled. | Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory... |
| V-218760 | | Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 website, patches, loaded modules, and directory paths. | HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP err... |
| V-218761 | | Debugging and trace information used to diagnose the IIS 10.0 website must be disabled. | Setting compilation debug to false ensures detailed error information does not inadvertently display during live application usage, mitigating the ris... |
| V-218762 | | The Idle Time-out monitor for each IIS 10.0 website must be enabled. | The idle time-out attribute controls the amount of time a worker process will remain idle before it shuts down. A worker process is idle if it is not ... |
| V-218763 | | The IIS 10.0 website's connectionTimeout setting must be explicitly configured to disconnect an idle session. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-218764 | | The IIS 10.0 website must provide the capability to immediately disconnect or disable remote access to the hosted applications. | During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to st... |
| V-218765 | | The IIS 10.0 website must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 website. | To make certain the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism must be... |
| V-218766 | | The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines. | Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed unnecessary or too ... |
| V-218767 | | The IIS 10.0 website must only accept client certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs). | The use of a DOD PKI certificate assures clients that the private website they are connecting to is legitimate, and is an essential part of the DOD defense... |
| V-218769 | | IIS 10.0 website session IDs must be sent to the client using TLS. | The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data used to iden... |
| V-218770 | | Cookies exchanged between the IIS 10.0 website and the client must have cookie properties set to prohibit client-side scripts from reading the cookie data. | A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side script... |
| V-218771 | | The IIS 10.0 website must have a unique application pool. | Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped acco... |
| V-218772 | | The maximum number of requests an application pool can process for each IIS 10.0 website must be explicitly set. | IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By defaul... |
| V-218775 | | The application pool for each IIS 10.0 website must have a recycle time explicitly set. | Application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks.... |
| V-218777 | | The application pool's rapid fail protection for each IIS 10.0 website must be enabled. | Rapid fail protection is a feature that interrogates the health of worker processes associated with websites and web applications. It can be configure... |
| V-218778 | | The application pool's rapid fail protection settings for each IIS 10.0 website must be managed. | Windows Process Activation Service (WAS) manages application pool configuration and may flag a worker process as unhealthy and shut it down. The rapid... |
| V-218779 | | Interactive scripts on the IIS 10.0 web server must be located in unique and designated folders. | CGI and ASP scripts represent one of the most common and exploitable means of compromising a web server. All CGI and ASP program files must be segrega... |
| V-218780 | | Interactive scripts on the IIS 10.0 web server must have restrictive access controls. | CGI is a programming standard for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upp... |
| V-218781 | | Backup interactive scripts on the IIS 10.0 server must be removed. | Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup co... |
| V-218782 | | The required DoD banner page must be displayed to authenticated users accessing a DoD private website. | A consent banner will be in place to inform prospective entrants the website they are about to enter is a DoD website and their activity is subject to... |
| V-218750 | | Anonymous IIS 10.0 website access accounts must be restricted. | Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, bu... |
| V-218768 | | The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates. | TLS encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentialit... |
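Most of the site-level rows above (V-218735, V-218736, V-218737, V-218753 through V-218761 and V-218770) map to a single attribute in the site's configuration, so they can be audited and corrected from one table of expected values. The script below is an added example written for this page; it is not code from DISA or Microsoft. It uses the WebAdministration module on the IIS 10.0 server itself (run elevated). The numeric request-filtering limits and the values written by `-Remediate` are this script's assumptions (the IIS defaults), not values quoted on this page; compare them with the STIG check text you are working from before relying on the result.

```powershell
<#
  Audit, and optionally remediate, the per-site settings behind the session,
  TLS, request-filtering, directory-browsing, error-page, debug and cookie rows.
  Added example, not DISA or Microsoft code. Thresholds below are assumptions.
#>
[CmdletBinding()]
param([switch]$Remediate)

Import-Module WebAdministration

# One entry per rule. Op: eq / ne / le / match. Fix: the value written with -Remediate.
$checks = @(
  @{Id='V-218735'; Filter='system.web/sessionState';                  Name='mode';       Op='ne'; Expect='Off';        Fix='InProc'}
  @{Id='V-218736'; Filter='system.web/sessionState';                  Name='cookieless'; Op='eq'; Expect='UseCookies'; Fix='UseCookies'}
  # V-218737 only needs TLS. V-218768 additionally wants SslRequireCert; add that only once
  # the DoD PKI chain is trusted on the server, otherwise every client is locked out.
  @{Id='V-218737'; Filter='system.webServer/security/access';         Name='sslFlags';   Op='match'; Expect='\bSsl\b'; Fix='Ssl'}
  # Assumed limits (IIS defaults): the STIG asks that they be explicitly set and not raised.
  @{Id='V-218753'; Filter='system.webServer/security/requestFiltering/requestLimits'; Name='maxUrl';                  Op='le'; Expect=4096;     Fix=4096}
  @{Id='V-218754'; Filter='system.webServer/security/requestFiltering/requestLimits'; Name='maxAllowedContentLength'; Op='le'; Expect=30000000; Fix=30000000}
  @{Id='V-218755'; Filter='system.webServer/security/requestFiltering/requestLimits'; Name='maxQueryString';          Op='le'; Expect=2048;     Fix=2048}
  @{Id='V-218756'; Filter='system.webServer/security/requestFiltering';                Name='allowHighBitCharacters';  Op='eq'; Expect=$false;   Fix=$false}
  @{Id='V-218757'; Filter='system.webServer/security/requestFiltering';                Name='allowDoubleEscaping';     Op='eq'; Expect=$false;   Fix=$false}
  @{Id='V-218758'; Filter='system.webServer/security/requestFiltering/fileExtensions'; Name='allowUnlisted';           Op='eq'; Expect=$false;   Fix=$false}
  @{Id='V-218759'; Filter='system.webServer/directoryBrowse';         Name='enabled';         Op='eq'; Expect=$false;      Fix=$false}
  @{Id='V-218760'; Filter='system.webServer/httpErrors';              Name='errorMode';       Op='ne'; Expect='Detailed';  Fix='DetailedLocalOnly'}
  @{Id='V-218761'; Filter='system.web/compilation';                   Name='debug';           Op='eq'; Expect=$false;      Fix=$false}
  @{Id='V-218770'; Filter='system.web/httpCookies';                   Name='httpOnlyCookies'; Op='eq'; Expect=$true;       Fix=$true}
)

function Get-SiteSetting([string]$PSPath, [string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name -ErrorAction Stop
    # Simple attributes come back wrapped in a ConfigurationAttribute; unwrap to the raw value.
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return $v.Value }
    return $v
}

function Test-Expected($Actual, [string]$Op, $Expect) {
    # Everything is compared as text except 'le', which needs a numeric comparison.
    switch ($Op) {
        'eq'    { "$Actual" -eq "$Expect" }
        'ne'    { "$Actual" -ne "$Expect" }
        'le'    { try { [int64]$Actual -le [int64]$Expect } catch { $false } }
        'match' { "$Actual" -match $Expect }
    }
}

$results = foreach ($site in Get-Website) {
    $path = "IIS:\Sites\$($site.Name)"
    foreach ($c in $checks) {
        try   { $actual = Get-SiteSetting $path $c.Filter $c.Name }
        catch { $actual = "<error: $($_.Exception.Message)>" }
        $ok = Test-Expected $actual $c.Op $c.Expect
        if (-not $ok -and $Remediate -and -not "$actual".StartsWith('<error')) {
            Set-WebConfigurationProperty -PSPath $path -Filter $c.Filter -Name $c.Name -Value $c.Fix
            $actual = Get-SiteSetting $path $c.Filter $c.Name   # re-read, do not assume the write took
            $ok = Test-Expected $actual $c.Op $c.Expect
        }
        [pscustomobject]@{ Site=$site.Name; Id=$c.Id; Setting="$($c.Filter)@$($c.Name)"
                           Actual=$actual; Expected="$($c.Op) $($c.Expect)"; Compliant=$ok }
    }
}

$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "$($_.Site): $($_.Id) $($_.Setting) = $($_.Actual)" }
```

Run it without `-Remediate` first and read the warnings; a public site (V-218738) that serves unauthenticated content may legitimately fail the sslFlags check, and raising `maxAllowedContentLength` for an upload endpoint is a documented deviation rather than a fix. Settings written at `IIS:\Sites\<name>` land in that site's web.config, so an application that ships its own web.config can still override them; re-run the audit after each deployment.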
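The four logging rows (V-218739 through V-218742) describe one W3C logging configuration: write to the log file and to ETW, include the fields that establish outcome and identity, and, behind a load balancer or proxy, capture the original client address as a custom field. The script below is an added example for this page, not DISA or Microsoft code. Its field list is this script's reading of what the outcome and identity rows need, and `X-Forwarded-For` is the header it assumes the proxy inserts; substitute the header your load balancer actually sets and check both choices against the STIG check text.

```powershell
<#
  Set W3C logging (file + ETW), the standard fields, and a custom client-address
  field on every site, then print what each site now logs.
  Added example, not DISA or Microsoft code. Header name and field list are assumptions.
#>
Import-Module WebAdministration

# Assumed proxy header; set to $null on servers that are not fronted by a proxy.
$ProxyClientHeader = 'X-Forwarded-For'

# Standard W3C fields, spelled as logFile.logExtFileFlags accepts them.
# Method/UriStem/HttpStatus/HttpSubStatus/Win32Status establish the outcome of a request;
# ClientIP/UserName/UserAgent/Referer/Host establish who or what made it.
$RequiredFields = 'Date,Time,ClientIP,UserName,ServerIP,Method,UriStem,UriQuery,' +
                  'HttpStatus,HttpSubStatus,Win32Status,TimeTaken,ServerPort,UserAgent,Referer,Host'

function Set-SiteLogging([string]$SiteName, [string]$ClientHeader) {
    $sitePath = "IIS:\Sites\$SiteName"

    # File for retention and forensics; ETW so events are visible before the file is flushed.
    Set-ItemProperty -Path $sitePath -Name logFile.logFormat       -Value 'W3C'
    Set-ItemProperty -Path $sitePath -Name logFile.logTargetW3C    -Value 'File,ETW'
    Set-ItemProperty -Path $sitePath -Name logFile.logExtFileFlags -Value $RequiredFields

    if ($ClientHeader) {
        # Custom fields live in applicationHost.config under the site's logFile element.
        $filter = "system.applicationHost/sites/site[@name='$SiteName']/logFile/customFields"
        $exists = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
                                       -Filter "$filter/add[@logFieldName='$ClientHeader']"
        if (-not $exists) {   # idempotent: adding the same field twice is a configuration error
            Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name '.' -Value @{
                logFieldName = $ClientHeader
                sourceName   = $ClientHeader
                sourceType   = 'RequestHeader'
            }
        }
    }
}

function Get-SiteLoggingReport {
    foreach ($site in Get-Website) {
        $lf = (Get-Item "IIS:\Sites\$($site.Name)").logFile
        $custom = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
                    -Filter "system.applicationHost/sites/site[@name='$($site.Name)']/logFile/customFields/add" |
                  ForEach-Object { $_.logFieldName }
        [pscustomobject]@{
            Site         = $site.Name
            Format       = $lf.logFormat
            Target       = $lf.logTargetW3C
            Fields       = $lf.logExtFileFlags
            CustomFields = ($custom -join ',')
        }
    }
}

foreach ($site in Get-Website) { Set-SiteLogging -SiteName $site.Name -ClientHeader $ProxyClientHeader }
Get-SiteLoggingReport | Format-Table -AutoSize
```

A proxy-supplied header is only trustworthy when the proxy overwrites it; if clients can reach the site directly, anyone can send their own `X-Forwarded-For`, so keep `ClientIP` in the log as well and treat the custom field as the client address only for requests that arrived from the load balancer's address.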
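The application pool rows (V-218762, V-218771, V-218772, V-218775, V-218777 and V-218778) are all attributes of the pool each site runs in, plus the requirement that no pool be shared. The script below is an added example for this page, not DISA or Microsoft code. It reads each site's pool through the `IIS:\AppPools` provider path; the remediation values it writes with `-Remediate` are this script's assumptions (the IIS defaults), and the STIG check text decides the values your environment must use.

```powershell
<#
  Audit every site's application pool for idle time-out, request limit, recycle time
  and rapid fail protection, optionally remediate, and flag pools shared by sites.
  Added example, not DISA or Microsoft code. Remediation values are assumptions.
#>
[CmdletBinding()]
param([switch]$Remediate)

Import-Module WebAdministration

# Assumed remediation values (IIS defaults), applied only with -Remediate.
$IdleTimeout   = [TimeSpan]::FromMinutes(20)
$RequestLimit  = 100000                      # any non-zero value makes the limit "explicitly set"
$RecycleTime   = [TimeSpan]::FromHours(29)   # 1.05:00:00 in IIS notation
$RfpInterval   = [TimeSpan]::FromMinutes(5)
$RfpMaxCrashes = 5

function Test-AppPool([string]$PoolName, [switch]$Fix) {
    $base = "IIS:\AppPools\$PoolName"
    $pool = Get-Item $base
    # Prop is the dotted name Set-ItemProperty accepts; Ok is evaluated against $pool.
    $rules = @(
        @{Id='V-218762'; Prop='processModel.idleTimeout';
          Ok={ $pool.processModel.idleTimeout -gt [TimeSpan]::Zero }; Fix=$IdleTimeout}
        @{Id='V-218772'; Prop='recycling.periodicRestart.requests';
          Ok={ $pool.recycling.periodicRestart.requests -gt 0 }; Fix=$RequestLimit}
        @{Id='V-218775'; Prop='recycling.periodicRestart.time';
          Ok={ $pool.recycling.periodicRestart.time -gt [TimeSpan]::Zero }; Fix=$RecycleTime}
        @{Id='V-218777'; Prop='failure.rapidFailProtection';
          Ok={ $pool.failure.rapidFailProtection -eq $true }; Fix=$true}
        # "Managed" is read here as: non-zero and no looser than the assumed defaults.
        @{Id='V-218778'; Prop='failure.rapidFailProtectionInterval';
          Ok={ $pool.failure.rapidFailProtectionInterval -gt [TimeSpan]::Zero -and
               $pool.failure.rapidFailProtectionInterval -le $RfpInterval }; Fix=$RfpInterval}
        @{Id='V-218778'; Prop='failure.rapidFailProtectionMaxCrashes';
          Ok={ $pool.failure.rapidFailProtectionMaxCrashes -gt 0 -and
               $pool.failure.rapidFailProtectionMaxCrashes -le $RfpMaxCrashes }; Fix=$RfpMaxCrashes}
    )
    foreach ($r in $rules) {
        $ok = & $r.Ok
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $base -Name $r.Prop -Value $r.Fix
            $pool = Get-Item $base        # re-read before re-evaluating the rule
            $ok = & $r.Ok
        }
        [pscustomobject]@{ Pool=$PoolName; Id=$r.Id; Setting=$r.Prop; Compliant=$ok }
    }
}

function Get-SharedAppPools {
    # A pool serving more than one site removes the isolation V-218771 is after.
    Get-Website | Group-Object applicationPool | Where-Object Count -gt 1 |
        ForEach-Object { [pscustomobject]@{ Pool=$_.Name; Sites=($_.Group.Name -join ', ') } }
}

$results = foreach ($site in Get-Website) { Test-AppPool -PoolName $site.applicationPool -Fix:$Remediate }
$results | Sort-Object Pool, Id -Unique | Format-Table -AutoSize

$shared = Get-SharedAppPools
if ($shared) {
    Write-Warning 'V-218771: the following application pools are shared by more than one site'
    $shared | Format-Table -AutoSize
}
```

A shared pool cannot be fixed by a property write: the second site needs its own pool (`New-WebAppPool`) and its `applicationPool` property pointed at it, which restarts that site's worker process, so do it in a maintenance window. The recycle settings also only protect availability if overlapping recycling is left on; turning it off to "fix" a memory leak trades the leak for dropped requests.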