STIGQter: STIG Summary

Microsoft IIS 10.0 Site Security Technical Implementation Guide

Version: 2, Release: 2
Benchmark Date: 23 Apr 2021

Name | Title
SV-218735r558649_rule | The IIS 10.0 website session state must be enabled.
SV-218736r558649_rule | The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode.
SV-218737r558649_rule | A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections.
SV-218738r558649_rule | A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required.
SV-218739r558649_rule | Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.
SV-218740r558649_rule | An IIS 10.0 website behind a load balancer or proxy server must produce log records containing the source client IP, and destination information.
SV-218741r558649_rule | The IIS 10.0 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 10.0 website events.
SV-218742r558649_rule | The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
SV-218743r558649_rule | The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
SV-218744r558649_rule | Mappings to unused and vulnerable scripts on the IIS 10.0 website must be removed.
SV-218745r558649_rule | The IIS 10.0 website must have resource mappings set to disable the serving of certain file types.
SV-218746r558649_rule | The IIS 10.0 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.
SV-218748r558649_rule | Each IIS 10.0 website must be assigned a default host header.
SV-218749r558649_rule | A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.
SV-218750r558649_rule | Anonymous IIS 10.0 website access accounts must be restricted.
SV-218751r558649_rule | The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced.
SV-218752r558649_rule | The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files.
SV-218753r558649_rule | The IIS 10.0 website must be configured to limit the maxURL.
SV-218754r558649_rule | The IIS 10.0 website must be configured to limit the size of web requests.
SV-218755r558649_rule | The IIS 10.0 websites Maximum Query String limit must be configured.
SV-218756r558649_rule | Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website.
SV-218757r558649_rule | Double encoded URL requests must be prohibited by any IIS 10.0 website.
SV-218758r695276_rule | Unlisted file extensions in URL requests must be filtered by any IIS 10.0 website.
SV-218759r558649_rule | Directory Browsing on the IIS 10.0 website must be disabled.
SV-218760r558649_rule | Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 website, patches, loaded modules, and directory paths.
SV-218761r558649_rule | Debugging and trace information used to diagnose the IIS 10.0 website must be disabled.
SV-218762r558649_rule | The Idle Time-out monitor for each IIS 10.0 website must be enabled.
SV-218763r558649_rule | The IIS 10.0 websites connectionTimeout setting must be explicitly configured to disconnect an idle session.
SV-218764r558649_rule | The IIS 10.0 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.
SV-218765r558649_rule | The IIS 10.0 website must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 website.
SV-218766r558649_rule | The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines.
SV-218767r558649_rule | The IIS 10.0 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SV-218768r558649_rule | The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates.
SV-218769r558649_rule | IIS 10.0 website session IDs must be sent to the client using TLS.
SV-218770r558649_rule | Cookies exchanged between the IIS 10.0 website and the client must have cookie properties set to prohibit client-side scripts from reading the cookie data.
SV-218771r558649_rule | The IIS 10.0 website must have a unique application pool.
SV-218772r558649_rule | The maximum number of requests an application pool can process for each IIS 10.0 website must be explicitly set.
SV-218773r558649_rule | The amount of virtual memory an application pool uses for each IIS 10.0 website must be explicitly set.
SV-218774r558649_rule | The amount of private memory an application pool uses for each IIS 10.0 website must be explicitly set.
SV-218775r558649_rule | The application pool for each IIS 10.0 website must have a recycle time explicitly set.
SV-218776r558649_rule | The application pools pinging monitor for each IIS 10.0 website must be enabled.
SV-218777r558649_rule | The application pools rapid fail protection for each IIS 10.0 website must be enabled.
SV-218778r558649_rule | The application pools rapid fail protection settings for each IIS 10.0 website must be managed.
SV-218779r558649_rule | Interactive scripts on the IIS 10.0 web server must be located in unique and designated folders.
SV-218780r558649_rule | Interactive scripts on the IIS 10.0 web server must have restrictive access controls.
SV-218781r558649_rule | Backup interactive scripts on the IIS 10.0 server must be removed.
SV-218782r558649_rule | The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
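As an added audit example (this is not code from the STIGQter page or from DISA), the PowerShell below reads, for every site and application pool on the host, the IIS settings behind the request filtering, directory browsing, session state and cookie, logging target, connection time-out and application pool rules in the table above, and reports each deviation tagged with the rule ID it relates to. The numeric ceilings in $Limits and the two-minute connectionTimeout bound are assumptions chosen for illustration; the STIG check text remains authoritative for the values a site must use. It assumes the WebAdministration module and an elevated session on the IIS host.

```powershell
# Added audit example for the IIS 10.0 Site STIG rules listed above.
# Not part of the STIGQter page or the DISA STIG; thresholds are assumptions.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'
$Limits = @{                              # assumed ceilings, not STIG-mandated values
    MaxUrl                  = 4096        # SV-218753
    MaxAllowedContentLength = 30000000    # SV-218754 (bytes)
    MaxQueryString          = 2048        # SV-218755
}
$MaxConnectionTimeout = [TimeSpan]::FromMinutes(2)   # assumed bound for SV-218763

$Findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Rule, [string]$Scope, [string]$Setting, $Value, [string]$Expected) {
    # Record one deviation; the rule ID ties it back to the table above.
    $Findings.Add([pscustomobject]@{
        Rule = $Rule; Scope = $Scope; Setting = $Setting; Value = $Value; Expected = $Expected
    })
}

# Per-site checks. system.webServer settings are read from applicationHost.config at the
# site's location; system.web settings live in the site's web.config, so those go
# through the IIS: drive.
foreach ($site in Get-Website) {
    $name = $site.name
    $rf = Get-WebConfiguration -Filter 'system.webServer/security/requestFiltering' -PSPath $AppHost -Location $name
    $rl = Get-WebConfiguration -Filter 'system.webServer/security/requestFiltering/requestLimits' -PSPath $AppHost -Location $name
    $fe = Get-WebConfiguration -Filter 'system.webServer/security/requestFiltering/fileExtensions' -PSPath $AppHost -Location $name
    $db = Get-WebConfiguration -Filter 'system.webServer/directoryBrowse' -PSPath $AppHost -Location $name
    $ss = Get-WebConfiguration -Filter 'system.web/sessionState' -PSPath "IIS:\Sites\$name"
    $hc = Get-WebConfiguration -Filter 'system.web/httpCookies' -PSPath "IIS:\Sites\$name"

    # Request filtering: SV-218753 .. SV-218758
    if ($rl.maxUrl -gt $Limits.MaxUrl) {
        Add-Finding 'SV-218753' $name 'requestLimits.maxUrl' $rl.maxUrl "<= $($Limits.MaxUrl)" }
    if ($rl.maxAllowedContentLength -gt $Limits.MaxAllowedContentLength) {
        Add-Finding 'SV-218754' $name 'requestLimits.maxAllowedContentLength' $rl.maxAllowedContentLength "<= $($Limits.MaxAllowedContentLength)" }
    if ($rl.maxQueryString -gt $Limits.MaxQueryString) {
        Add-Finding 'SV-218755' $name 'requestLimits.maxQueryString' $rl.maxQueryString "<= $($Limits.MaxQueryString)" }
    if ($rf.allowHighBitCharacters) { Add-Finding 'SV-218756' $name 'requestFiltering.allowHighBitCharacters' $true 'False' }
    if ($rf.allowDoubleEscaping)    { Add-Finding 'SV-218757' $name 'requestFiltering.allowDoubleEscaping' $true 'False' }
    if ($fe.allowUnlisted)          { Add-Finding 'SV-218758' $name 'fileExtensions.allowUnlisted' $true 'False' }

    # Directory browsing: SV-218759
    if ($db.enabled) { Add-Finding 'SV-218759' $name 'directoryBrowse.enabled' $true 'False' }

    # Session state and cookies: SV-218735, SV-218736, SV-218769, SV-218770
    if ($ss.mode -eq 'Off')              { Add-Finding 'SV-218735' $name 'sessionState.mode' $ss.mode 'not Off' }
    if ($ss.cookieless -ne 'UseCookies') { Add-Finding 'SV-218736' $name 'sessionState.cookieless' $ss.cookieless 'UseCookies' }
    if (-not $hc.requireSSL)             { Add-Finding 'SV-218769' $name 'httpCookies.requireSSL' $false 'True' }
    if (-not $hc.httpOnlyCookies)        { Add-Finding 'SV-218770' $name 'httpCookies.httpOnlyCookies' $false 'True' }

    # Logging target must include both the file and ETW: SV-218739
    if ($site.logFile.logTargetW3C -ne 'File,ETW') {
        Add-Finding 'SV-218739' $name 'logFile.logTargetW3C' $site.logFile.logTargetW3C 'File,ETW' }

    # Idle connection disconnect: SV-218763 (bound is an assumption)
    if ($site.limits.connectionTimeout -gt $MaxConnectionTimeout) {
        Add-Finding 'SV-218763' $name 'limits.connectionTimeout' $site.limits.connectionTimeout "<= $MaxConnectionTimeout" }
}

# One application pool per site: SV-218771
Get-Website | Group-Object applicationPool | Where-Object Count -gt 1 | ForEach-Object {
    Add-Finding 'SV-218771' ($_.Group.name -join ', ') 'applicationPool' $_.Name 'one pool per site'
}

# Application pool recycling and health monitoring: SV-218772 .. SV-218777
foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
    $p  = $pool.name
    $pr = $pool.recycling.periodicRestart
    if ($pr.requests -eq 0)               { Add-Finding 'SV-218772' $p 'periodicRestart.requests' 0 '> 0' }
    if ($pr.memory -eq 0)                 { Add-Finding 'SV-218773' $p 'periodicRestart.memory' 0 '> 0 (KB)' }
    if ($pr.privateMemory -eq 0)          { Add-Finding 'SV-218774' $p 'periodicRestart.privateMemory' 0 '> 0 (KB)' }
    if ($pr.time -eq [TimeSpan]::Zero)    { Add-Finding 'SV-218775' $p 'periodicRestart.time' '00:00:00' 'non-zero interval' }
    if (-not $pool.processModel.pingingEnabled)    { Add-Finding 'SV-218776' $p 'processModel.pingingEnabled' $false 'True' }
    if (-not $pool.failure.rapidFailProtection)    { Add-Finding 'SV-218777' $p 'failure.rapidFailProtection' $false 'True' }
}

$Findings | Sort-Object Rule, Scope | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the web server; an empty table means none of the checked settings deviate from the assumed bounds. The script only reads configuration and never changes it, and it covers the rules whose check is a single configuration attribute; rules that depend on site classification (private versus public, SV-218737 and SV-218738), PKI policy, or reviewing MIME and handler mappings still need the manual check text.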