STIGQter STIGQter: STIG Summary: IIS 8.5 Site Security Technical Implementation Guide Version: 1 Release: 9 Benchmark Date: 25 Oct 2019: The amount of virtual memory an application pool uses for each IIS 8.5 website must be explicitly set.

DISA Rule

SV-91565r3_rule

Vulnerability Number

V-76869

Group Title

SRG-APP-000516-WSR-000174

Rule Version

IISW-SI-000253

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Open the IIS 8.5 Manager.

Click on “Application Pools”.

Perform for each Application Pool.

Highlight an Application Pool and click "Advanced Settings" in the “Action” Pane.

In the "Advanced Settings" dialog box scroll down to the "Recycling" section and set the value for "Virtual Memory Limit" to a value other than "0".

Click “OK”.

Check Contents

Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, mitigation steps can be set, to include setting the “Fixed number or requests”, “Specific time”, and “Private memory usage” in the recycling conditions lieu of the “Virtual memory” setting. If mitigation is used in lieu of this requirement, with supporting documentation from the ISSO, this check can be downgraded to a Cat III.

Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.

Open the IIS 8.5 Manager.

Perform for each Application Pool.

Click on “Application Pools”.

Highlight an Application Pool and click "Advanced Settings" in the Action Pane.

In the "Advanced Settings" dialog box scroll down to the "Recycling" section and verify the value for "Virtual Memory Limit" is not set to 0.

If the value for "Virtual Memory Limit" is set to 0, this is a finding.

Vulnerability Number

V-76869

Documentable

False

Rule Version

IISW-SI-000253

Severity Override Guidance

Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, mitigation steps can be set, to include setting the “Fixed number or requests”, “Specific time”, and “Private memory usage” in the recycling conditions lieu of the “Virtual memory” setting. If mitigation is used in lieu of this requirement, with supporting documentation from the ISSO, this check can be downgraded to a Cat III.

Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.

Open the IIS 8.5 Manager.

Perform for each Application Pool.

Click on “Application Pools”.

Highlight an Application Pool and click "Advanced Settings" in the Action Pane.

In the "Advanced Settings" dialog box scroll down to the "Recycling" section and verify the value for "Virtual Memory Limit" is not set to 0.

If the value for "Virtual Memory Limit" is set to 0, this is a finding.

Check Content Reference

M

Target Key

2791

Comments