STIGQter: STIG Summary: Microsoft IIS 10.0 Site Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

The IIS 10.0 websites connectionTimeout setting must be explicitly configured to disconnect an idle session.

DISA Rule

SV-218763r558649_rule

Vulnerability Number

V-218763

Group Title

SRG-APP-000295-WSR-000134

Rule Version

IIST-SI-000236

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name.

Select "Configuration Editor" under the "Management" section.

From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".

Set the "timeout" to "00:20:00 or less", using the lowest value possible depending upon the application.
Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.

In the "Actions" pane, click "Apply".

Check Contents

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name.

Select "Configuration Editor" under the "Management" section.

From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".

Verify the "timeout" is set to "00:20:00 or less", using the lowest value possible depending upon the application.
Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.

If "timeout" is not set to "00:20:00 or less", this is a finding.
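The fix and check procedures above both walk the IIS Manager GUI site by site. The script below is an added example (it is not part of the STIG, DISA's tooling, or STIGQter) that performs the same check from PowerShell using the WebAdministration module that ships with IIS, and applies the fix when run with -Fix. The per-site tier mapping in $Tier is an assumption used for illustration; sites not listed in it are held to the 20-minute ceiling. Run it from an elevated prompt on the web server.

```powershell
# Added example, not from the STIG or STIGQter: audit (and optionally remediate) the
# system.web/sessionState timeout for every IIS 10.0 site, per IIST-SI-000236.
# Requires the WebAdministration module (ships with IIS) and an elevated prompt.
# $Tier is a constructed sample mapping; replace it with your own application
# classification (high = 5 min, medium = 10 min, low = 20 min, per the STIG).
param(
    [switch]$Fix,                                            # apply the limit instead of only reporting
    [hashtable]$Tier = @{ 'Default Web Site' = 'medium' }    # constructed sample mapping (assumption)
)

Import-Module WebAdministration -ErrorAction Stop

# STIG ceiling for each application value tier, as a TimeSpan.
$limits = @{
    high   = [TimeSpan]'00:05:00'
    medium = [TimeSpan]'00:10:00'
    low    = [TimeSpan]'00:20:00'
}

foreach ($site in Get-Website) {
    $psPath = "IIS:\Sites\$($site.Name)"
    # Unlisted sites default to the STIG's general "00:20:00 or less" ceiling.
    $tier  = if ($Tier.ContainsKey($site.Name)) { $Tier[$site.Name] } else { 'low' }
    $limit = $limits[$tier]

    # Read the effective timeout for this site (its web.config, or inherited from the root).
    $raw = Get-WebConfigurationProperty -PSPath $psPath -Filter 'system.web/sessionState' -Name 'timeout'
    if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { $raw = $raw.Value }
    $current = [TimeSpan]$raw

    if ($current -le $limit) {
        Write-Output ("{0}: timeout {1} is within the {2} limit ({3}) - compliant" -f $site.Name, $current, $tier, $limit)
        continue
    }

    # Above the tier limit: this is the finding the check content describes.
    Write-Warning ("{0}: timeout {1} exceeds the {2} limit ({3}) - FINDING" -f $site.Name, $current, $tier, $limit)

    if ($Fix) {
        # Same change the Configuration Editor step makes, written to the site's configuration.
        Set-WebConfigurationProperty -PSPath $psPath -Filter 'system.web/sessionState' -Name 'timeout' -Value $limit.ToString()
        Write-Output ("{0}: timeout set to {1}" -f $site.Name, $limit)
    }
}
```

Run without -Fix first to get a report that matches what the check content asks for; a site reported as a FINDING is one whose effective timeout exceeds the ceiling for its tier. Because the value is read through the site's PSPath, an inherited timeout from the server-level web.config or machine.config is evaluated the same way the Configuration Editor shows it.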

Vulnerability Number

V-218763

Documentable

False

Rule Version

IIST-SI-000236

Severity Override Guidance

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name.

Select "Configuration Editor" under the "Management" section.

From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".

Verify the "timeout" is set to "00:20:00 or less", using the lowest value possible depending upon the application.
Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.

If "timeout" is not set to "00:20:00 or less", this is a finding.

Check Content Reference

M

Target Key

4051

Comments