STIGQter: STIG Summary: IIS 8.5 Site Security Technical Implementation Guide

Version: 1

Release: 9

Benchmark Date: 25 Oct 2019

| Name | Title |
|---|---|
| SV-91471r1_rule | The IIS 8.5 website session state must be enabled. |
| SV-91473r3_rule | The IIS 8.5 website session state cookie settings must be configured to Use Cookies mode. |
| SV-91475r3_rule | A private IIS 8.5 website must only accept Secure Socket Layer connections. |
| SV-91477r1_rule | A public IIS 8.5 website must only accept Secure Socket Layer connections when authentication is required. |
| SV-91479r1_rule | The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session. |
| SV-91481r1_rule | Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled. |
| SV-91483r3_rule | An IIS 8.5 website behind a load balancer or proxy server must produce log records containing the source client IP and destination information. |
| SV-91485r2_rule | The IIS 8.5 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 8.5 website events. |
| SV-91487r3_rule | The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. |
| SV-91491r4_rule | The log information from the IIS 8.5 website must be protected from unauthorized modification or deletion. |
| SV-91493r1_rule | The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled. |
| SV-91495r2_rule | Mappings to unused and vulnerable scripts on the IIS 8.5 website must be removed. |
| SV-91497r1_rule | The IIS 8.5 website must have resource mappings set to disable the serving of certain file types. |
| SV-91499r1_rule | The IIS 8.5 website must have Web Distributed Authoring and Versioning (WebDAV) disabled. |
| SV-91501r2_rule | The production website must configure the Global .NET Trust Level. |
| SV-91503r3_rule | Each IIS 8.5 website must be assigned a default host header. |
| SV-91505r1_rule | A private website's authentication mechanism must use client certificates to transmit the session identifier to assure integrity. |
| SV-91507r2_rule | Anonymous IIS 8.5 website access accounts must be restricted. |
| SV-91509r1_rule | The IIS 8.5 website must generate unique session identifiers that cannot be reliably reproduced. |
| SV-91511r1_rule | The IIS 8.5 website document directory must be in a separate partition from the IIS 8.5 website's system files. |
| SV-91513r1_rule | The IIS 8.5 website must be configured to limit the maxURL. |
| SV-91515r2_rule | The IIS 8.5 website must be configured to limit the size of web requests. |
| SV-91517r1_rule | The IIS 8.5 website's Maximum Query String limit must be configured. |
| SV-91519r1_rule | Non-ASCII characters in URLs must be prohibited by any IIS 8.5 website. |
| SV-91521r1_rule | Double encoded URL requests must be prohibited by any IIS 8.5 website. |
| SV-91523r2_rule | Unlisted file extensions in URL requests must be filtered by any IIS 8.5 website. |
| SV-91525r1_rule | Directory Browsing on the IIS 8.5 website must be disabled. |
| SV-91527r1_rule | The IIS 8.5 website must prevent a web content directory from being displayed. |
| SV-91531r1_rule | Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 8.5 website, patches, loaded modules, and directory paths. |
| SV-91533r1_rule | Debugging and trace information used to diagnose the IIS 8.5 website must be disabled. |
| SV-91535r2_rule | The Idle Time-out monitor for each IIS 8.5 website must be enabled. |
| SV-91537r2_rule | The IIS 8.5 website's connectionTimeout setting must be explicitly configured to disconnect an idle session. |
| SV-91539r1_rule | The IIS 8.5 website must provide the capability to immediately disconnect or disable remote access to the hosted applications. |
| SV-91541r1_rule | The IIS 8.5 website must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 8.5 website. |
| SV-91543r1_rule | The IIS 8.5 websites must utilize ports, protocols, and services according to PPSM guidelines. |
| SV-91545r3_rule | The IIS 8.5 private website must have a server certificate issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). |
| SV-91547r5_rule | The IIS 8.5 private website must employ cryptographic mechanisms (TLS) and require client certificates. |
| SV-91551r1_rule | IIS 8.5 website session IDs must be sent to the client using TLS. |
| SV-91555r3_rule | Cookies exchanged between the IIS 8.5 website and the client must use SSL/TLS, have cookie properties set to prohibit client-side scripts from reading the cookie data, and must not be compressed. |
| SV-91557r5_rule | The IIS 8.5 website must maintain the confidentiality and integrity of information during preparation for transmission and during reception. |
| SV-91561r3_rule | The IIS 8.5 website must have a unique application pool. |
| SV-91563r3_rule | The maximum number of requests an application pool can process for each IIS 8.5 website must be explicitly set. |
| SV-91565r3_rule | The amount of virtual memory an application pool uses for each IIS 8.5 website must be explicitly set. |
| SV-91567r2_rule | The amount of private memory an application pool uses for each IIS 8.5 website must be explicitly set. |
| SV-91569r1_rule | The application pool for each IIS 8.5 website must have a recycle time explicitly set. |
| SV-91571r1_rule | The maximum queue length for HTTP.sys for each IIS 8.5 website must be explicitly configured. |
| SV-91573r1_rule | The application pool's pinging monitor for each IIS 8.5 website must be enabled. |
| SV-91575r1_rule | The application pool's rapid fail protection for each IIS 8.5 website must be enabled. |
| SV-91577r1_rule | The application pool's rapid fail protection settings for each IIS 8.5 website must be managed. |
| SV-91581r3_rule | Interactive scripts on the IIS 8.5 web server must be located in unique and designated folders. |
| SV-91583r1_rule | Interactive scripts on the IIS 8.5 web server must have restrictive access controls. |
| SV-91585r1_rule | Backup interactive scripts on the IIS 8.5 server must be removed. |
| SV-91587r1_rule | The required DoD banner page must be displayed to authenticated users accessing a DoD private website. |