STIGQter STIGQter: STIG Summary: Microsoft IIS 8.5 Site Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The IIS 8.5 website session state cookie settings must be configured to Use Cookies mode.

DISA Rule

SV-214445r508659_rule

Vulnerability Number

V-214445

Group Title

SRG-APP-000001-WSR-000002

Rule Version

IISW-SI-000202

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name.

Under the ASP.NET section, select "Session State".

Under "Cookie Settings", select the "Use Cookies" from the "Mode:" drop-down list.

Select "Apply" from the "Actions" pane.

Check Contents

Follow the procedures below for each site hosted on the IIS 8.5 web server:
Open the IIS 8.5 Manager.
Click the site name.
Under the "ASP.NET" section, select "Session State".
Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mode:" drop-down list.
If the "Use Cookies" mode is selected, this is not a finding.

Alternative method:
Click the site name.
Select "Configuration Editor" under the "Management" section.
From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".
Verify the "cookieless" is set to "UseCookies".
If the "cookieless" is not set to "UseCookies", this is a finding.
Note: If IIS 8.5 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable.

Vulnerability Number

V-214445

Documentable

False

Rule Version

IISW-SI-000202

Severity Override Guidance

Follow the procedures below for each site hosted on the IIS 8.5 web server:
Open the IIS 8.5 Manager.
Click the site name.
Under the "ASP.NET" section, select "Session State".
Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mode:" drop-down list.
If the "Use Cookies" mode is selected, this is not a finding.

Alternative method:
Click the site name.
Select "Configuration Editor" under the "Management" section.
From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".
Verify the "cookieless" is set to "UseCookies".
If the "cookieless" is not set to "UseCookies", this is a finding.
Note: If IIS 8.5 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable.

Check Content Reference

M

Target Key

4001

Comments