Checked | Name | Title |
---|---|---|
☐ | SV-214444r508659_rule | The IIS 8.5 website session state must be enabled. |
☐ | SV-214445r508659_rule | The IIS 8.5 website session state cookie settings must be configured to Use Cookies mode. |
☐ | SV-214446r539445_rule | A private IIS 8.5 website must only accept Secure Socket Layer connections. |
☐ | SV-214447r539448_rule | A public IIS 8.5 website must only accept Secure Socket Layer connections when authentication is required. |
☐ | SV-214448r508659_rule | The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session. |
☐ | SV-214449r508659_rule | Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled. |
☐ | SV-214450r508659_rule | An IIS 8.5 website behind a load balancer or proxy server, must produce log records containing the source client IP and destination information. |
☐ | SV-214451r508659_rule | The IIS 8.5 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 8.5 website events. |
☐ | SV-214452r508659_rule | The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. |
☐ | SV-214454r508659_rule | The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled. |
☐ | SV-214455r695296_rule | Mappings to unused and vulnerable scripts on the IIS 8.5 website must be removed. |
☐ | SV-214456r508659_rule | The IIS 8.5 website must have resource mappings set to disable the serving of certain file types. |
☐ | SV-214457r508659_rule | The IIS 8.5 website must have Web Distributed Authoring and Versioning (WebDAV) disabled. |
☐ | SV-214459r508659_rule | Each IIS 8.5 website must be assigned a default host header. |
☐ | SV-214460r508659_rule | A private websites authentication mechanism must use client certificates to transmit session identifier to assure integrity. |
☐ | SV-214461r508659_rule | Anonymous IIS 8.5 website access accounts must be restricted. |
☐ | SV-214462r508659_rule | The IIS 8.5 website must generate unique session identifiers that cannot be reliably reproduced. |
☐ | SV-214463r508659_rule | The IIS 8.5 website document directory must be in a separate partition from the IIS 8.5 websites system files. |
☐ | SV-214464r508659_rule | The IIS 8.5 website must be configured to limit the maxURL. |
☐ | SV-214465r508659_rule | The IIS 8.5 website must be configured to limit the size of web requests. |
☐ | SV-214466r508659_rule | The IIS 8.5 websites Maximum Query String limit must be configured. |
☐ | SV-214467r508659_rule | Non-ASCII characters in URLs must be prohibited by any IIS 8.5 website. |
☐ | SV-214468r508659_rule | Double encoded URL requests must be prohibited by any IIS 8.5 website. |
☐ | SV-214469r695293_rule | Unlisted file extensions in URL requests must be filtered by any IIS 8.5 website. |
☐ | SV-214470r508659_rule | Directory Browsing on the IIS 8.5 website must be disabled. |
☐ | SV-214472r508659_rule | Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 8.5 website, patches, loaded modules, and directory paths. |
☐ | SV-214473r508659_rule | Debugging and trace information used to diagnose the IIS 8.5 website must be disabled. |
☐ | SV-214474r508659_rule | The Idle Time-out monitor for each IIS 8.5 website must be enabled. |
☐ | SV-214475r508659_rule | The IIS 8.5 websites connectionTimeout setting must be explicitly configured to disconnect an idle session. |
☐ | SV-214476r508659_rule | The IIS 8.5 website must provide the capability to immediately disconnect or disable remote access to the hosted applications. |
☐ | SV-214477r508659_rule | The IIS 8.5 website must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 8.5 website. |
☐ | SV-214478r508659_rule | The IIS 8.5 websites must utilize ports, protocols, and services according to PPSM guidelines. |
☐ | SV-214479r508659_rule | The IIS 8.5 private website have a server certificate issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). |
☐ | SV-214480r508659_rule | The IIS 8.5 private website must employ cryptographic mechanisms (TLS) and require client certificates. |
☐ | SV-214481r508659_rule | IIS 8.5 website session IDs must be sent to the client using TLS. |
☐ | SV-214482r539442_rule | Cookies exchanged between the IIS 8.5 website and the client must use SSL/TLS, have cookie properties set to prohibit client-side scripts from reading the cookie data and must not be compressed. |
☐ | SV-214483r508659_rule | The IIS 8.5 website must maintain the confidentiality and integrity of information during preparation for transmission and during reception. |
☐ | SV-214484r508659_rule | The IIS 8.5 website must have a unique application pool. |
☐ | SV-214485r508659_rule | The maximum number of requests an application pool can process for each IIS 8.5 website must be explicitly set. |
☐ | SV-214486r508659_rule | The amount of virtual memory an application pool uses for each IIS 8.5 website must be explicitly set. |
☐ | SV-214487r508659_rule | The amount of private memory an application pool uses for each IIS 8.5 website must be explicitly set. |
☐ | SV-214488r508659_rule | The application pool for each IIS 8.5 website must have a recycle time explicitly set. |
☐ | SV-214489r508659_rule | The maximum queue length for HTTP.sys for each IIS 8.5 website must be explicitly configured. |
☐ | SV-214490r508659_rule | The application pools pinging monitor for each IIS 8.5 website must be enabled. |
☐ | SV-214491r508659_rule | The application pools rapid fail protection for each IIS 8.5 website must be enabled. |
☐ | SV-214492r508659_rule | The application pools rapid fail protection settings for each IIS 8.5 website must be managed. |
☐ | SV-214493r508659_rule | Interactive scripts on the IIS 8.5 web server must be located in unique and designated folders. |
☐ | SV-214494r508659_rule | Interactive scripts on the IIS 8.5 web server must have restrictive access controls. |
☐ | SV-214495r508659_rule | Backup interactive scripts on the IIS 8.5 server must be removed. |
☐ | SV-214496r508659_rule | The required DoD banner page must be displayed to authenticated users accessing a DoD private website. |