| 2.4 Ensure 'forms authentication' is set to use cookies - Application | SYSTEM AND SERVICES ACQUISITION |
| 2.4 Ensure 'forms authentication' is set to use cookies - Default | SYSTEM AND SERVICES ACQUISITION |
| 2.8 Ensure 'credentials' are not stored in configuration files - Applications | IDENTIFICATION AND AUTHENTICATION |
| 2.8 Ensure 'credentials' are not stored in configuration files - Default | IDENTIFICATION AND AUTHENTICATION |
| 3.2 Ensure 'debug' is turned off - Applications | SYSTEM AND SERVICES ACQUISITION |
| 3.2 Ensure 'debug' is turned off - Default | SYSTEM AND SERVICES ACQUISITION |
| 3.3 Ensure custom error messages are not off - Applications | SYSTEM AND SERVICES ACQUISITION |
| 3.3 Ensure custom error messages are not off - Default | SYSTEM AND SERVICES ACQUISITION |
| 3.5 Ensure ASP.NET stack tracing is not enabled - Applications | SYSTEM AND SERVICES ACQUISITION |
| 3.5 Ensure ASP.NET stack tracing is not enabled - Default | SYSTEM AND SERVICES ACQUISITION |
| 3.6 Ensure 'httpcookie' mode is configured for session state - Applications | SYSTEM AND SERVICES ACQUISITION |
| 3.6 Ensure 'httpcookie' mode is configured for session state - Default | SYSTEM AND SERVICES ACQUISITION |
| 3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured - Applications | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured - Default | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.11 Ensure X-Powered-By Header is removed - Applications | CONFIGURATION MANAGEMENT |
| 3.11 Ensure X-Powered-By Header is removed - Default | CONFIGURATION MANAGEMENT |
| 3.12 Ensure Server Header is removed - Applications | CONFIGURATION MANAGEMENT |
| 3.12 Ensure Server Header is removed - Default | CONFIGURATION MANAGEMENT |
| 4.1 Ensure 'maxAllowedContentLength' is configured - Applications | SYSTEM AND SERVICES ACQUISITION |
| 4.1 Ensure 'maxAllowedContentLength' is configured - Default | SYSTEM AND SERVICES ACQUISITION |
| 4.2 Ensure 'maxURL request filter' is configured - Applications | SYSTEM AND SERVICES ACQUISITION |
| 4.2 Ensure 'maxURL request filter' is configured - Default | SYSTEM AND SERVICES ACQUISITION |
| 4.3 Ensure 'MaxQueryString request filter' is configured - Applications | SYSTEM AND SERVICES ACQUISITION |
| 4.3 Ensure 'MaxQueryString request filter' is configured - Default | SYSTEM AND SERVICES ACQUISITION |
| 4.4 Ensure non-ASCII characters in URLs are not allowed - Applications | SYSTEM AND SERVICES ACQUISITION |
| 4.4 Ensure non-ASCII characters in URLs are not allowed - Default | SYSTEM AND SERVICES ACQUISITION |
| 7.1 Ensure HSTS Header is set - Server | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.1 Ensure HSTS Header is set - Sites | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.12 Ensure TLS Cipher Suite ordering is Configured | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| CIS_MS_IIS_10_v1.2.1_Level_2.audit from CIS Microsoft IIS 10 Benchmark v1.2.1 | |
