STIGQter STIGQter: STIG Summary: IIS 8.5 Site Security Technical Implementation Guide Version: 1 Release: 9 Benchmark Date: 25 Oct 2019: Cookies exchanged between the IIS 8.5 website and the client must use SSL/TLS, have cookie properties set to prohibit client-side scripts from reading the cookie data and must not be compressed.

DISA Rule

SV-91555r3_rule

Vulnerability Number

V-76859

Group Title

SRG-APP-000439-WSR-000154

Rule Version

IISW-SI-000246

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Access the IIS 8.5 Manager.
Under "Management" section, double-click the "Configuration Editor" icon.
From the "Section:" drop-down list, select "system.web/httpCookies".
Set the "require SSL" to "True".

From the "Section:" drop-down list, select "system.web/sessionState".
Set the "compressionEnabled" to "False".

Select "Apply" from the "Actions" pane.

Check Contents

Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Access the IIS 8.5 Manager.
Under "Management" section, double-click the "Configuration Editor" icon.
From the "Section:" drop-down list, select "system.web/httpCookies".
Verify the "require SSL" is set to "True".

From the "Section:" drop-down list, select "system.web/sessionState".
Verify the "compressionEnabled" is set to "False".

If both the "system.web/httpCookies:require SSL" is set to "True" and the "system.web/sessionState:compressionEnabled" is set to "False", this is not a finding.

Vulnerability Number

V-76859

Documentable

False

Rule Version

IISW-SI-000246

Severity Override Guidance

Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Access the IIS 8.5 Manager.
Under "Management" section, double-click the "Configuration Editor" icon.
From the "Section:" drop-down list, select "system.web/httpCookies".
Verify the "require SSL" is set to "True".

From the "Section:" drop-down list, select "system.web/sessionState".
Verify the "compressionEnabled" is set to "False".

If both the "system.web/httpCookies:require SSL" is set to "True" and the "system.web/sessionState:compressionEnabled" is set to "False", this is not a finding.

Check Content Reference

M

Target Key

2791

Comments