STIGQter: STIG Summary: Microsoft IIS 8.5 Site Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

Debugging and trace information used to diagnose the IIS 8.5 website must be disabled.

DISA Rule

SV-214473r508659_rule

Vulnerability Number

V-214473

Group Title

SRG-APP-000266-WSR-000160

Rule Version

IISW-SI-000234

Severity

CAT II

CCI(s)

• CCI-001312 - The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Weight

10

Fix Recommendation

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name under review.

Double-click ".NET Compilation".

Scroll down to the "Behavior" section and set the value for "Debug" to "False".

Check Contents

Note: If the ".NET feature" is not installed, this check is Not Applicable.

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name under review.

Double-click ".NET Compilation".

Scroll down to the "Behavior" section and verify the value for "Debug" is set to "False".

If the "Debug" value is not set to "False", this is a finding.

Vulnerability Number

V-214473

Documentable

False

Rule Version

IISW-SI-000234

Severity Override Guidance

Note: If the ".NET feature" is not installed, this check is Not Applicable.

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name under review.

Double-click ".NET Compilation".

Scroll down to the "Behavior" section and verify the value for "Debug" is set to "False".

If the "Debug" value is not set to "False", this is a finding.

Check Content Reference

M

Target Key

4001

Comments