CIS IIS 10 v1.2.1 Level 2

Audit Details

Name: CIS IIS 10 v1.2.1 Level 2

Updated: 1/6/2025

Authority: CIS

Plugin: Windows

Revision: 1.4

Estimated Item Count: 30

File Details

Filename: CIS_MS_IIS_10_v1.2.1_Level_2.audit

Size: 125 kB

MD5: 3bb27e698e09bbcddf079cd6954543ec
SHA256: b14dbc4553e375759971688e1214521f6b9fd2f4f8bcba647df039a112324dbe

Audit Items

Description / Categories
2.4 Ensure 'forms authentication' is set to use cookies - Application

SYSTEM AND SERVICES ACQUISITION

2.4 Ensure 'forms authentication' is set to use cookies - Default

SYSTEM AND SERVICES ACQUISITION

2.8 Ensure 'credentials' are not stored in configuration files - Applications

IDENTIFICATION AND AUTHENTICATION

2.8 Ensure 'credentials' are not stored in configuration files - Default

IDENTIFICATION AND AUTHENTICATION

3.2 Ensure 'debug' is turned off - Applications

SYSTEM AND SERVICES ACQUISITION

3.2 Ensure 'debug' is turned off - Default

SYSTEM AND SERVICES ACQUISITION

3.3 Ensure custom error messages are not off - Applications

SYSTEM AND SERVICES ACQUISITION

3.3 Ensure custom error messages are not off - Default

SYSTEM AND SERVICES ACQUISITION

3.5 Ensure ASP.NET stack tracing is not enabled - Applications

SYSTEM AND SERVICES ACQUISITION

3.5 Ensure ASP.NET stack tracing is not enabled - Default

SYSTEM AND SERVICES ACQUISITION

3.6 Ensure 'httpcookie' mode is configured for session state - Applications

SYSTEM AND SERVICES ACQUISITION

3.6 Ensure 'httpcookie' mode is configured for session state - Default

SYSTEM AND SERVICES ACQUISITION

3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured - Applications

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured - Default

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.11 Ensure X-Powered-By Header is removed - Applications

CONFIGURATION MANAGEMENT

3.11 Ensure X-Powered-By Header is removed - Default

CONFIGURATION MANAGEMENT

3.12 Ensure Server Header is removed - Applications

CONFIGURATION MANAGEMENT

3.12 Ensure Server Header is removed - Default

CONFIGURATION MANAGEMENT

4.1 Ensure 'maxAllowedContentLength' is configured - Applications

SYSTEM AND SERVICES ACQUISITION

4.1 Ensure 'maxAllowedContentLength' is configured - Default

SYSTEM AND SERVICES ACQUISITION

4.2 Ensure 'maxURL request filter' is configured - Applications

SYSTEM AND SERVICES ACQUISITION

4.2 Ensure 'maxURL request filter' is configured - Default

SYSTEM AND SERVICES ACQUISITION

4.3 Ensure 'MaxQueryString request filter' is configured - Applications

SYSTEM AND SERVICES ACQUISITION

4.3 Ensure 'MaxQueryString request filter' is configured - Default

SYSTEM AND SERVICES ACQUISITION

4.4 Ensure non-ASCII characters in URLs are not allowed - Applications

SYSTEM AND SERVICES ACQUISITION

4.4 Ensure non-ASCII characters in URLs are not allowed - Default

SYSTEM AND SERVICES ACQUISITION

7.1 Ensure HSTS Header is set - Server

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.1 Ensure HSTS Header is set - Sites

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.12 Ensure TLS Cipher Suite ordering is Configured

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

CIS_MS_IIS_10_v1.2.1_Level_2.audit from CIS Microsoft IIS 10 Benchmark v1.2.1