| 1.1 Ensure web content is on non-system partition | CONFIGURATION MANAGEMENT |
| 1.2 Ensure 'host headers' are on all sites | CONFIGURATION MANAGEMENT |
| 1.3 Ensure 'directory browsing' is set to disabled | CONFIGURATION MANAGEMENT |
| 1.4 Ensure 'application pool identity' is configured for all application pools | ACCESS CONTROL |
| 1.5 Ensure 'unique application pools' is set for sites | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.6 Ensure 'application pool identity' is configured for anonymous user identity | CONFIGURATION MANAGEMENT |
| 1.7 Ensure WebDav feature is disabled | CONFIGURATION MANAGEMENT |
| 2.1 Ensure 'global authorization rule' is set to restrict access | ACCESS CONTROL |
| 2.2 Ensure access to sensitive site features is restricted to authenticated principals only - Applications | ACCESS CONTROL |
| 2.2 Ensure access to sensitive site features is restricted to authenticated principals only - Default | |
| 2.3 Ensure 'forms authentication' require SSL - Applications | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3 Ensure 'forms authentication' require SSL - Default | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5 Ensure 'cookie protection mode' is configured for forms authentication - Applications | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5 Ensure 'cookie protection mode' is configured for forms authentication - Default | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Ensure transport layer security for 'basic authentication' is configured | IDENTIFICATION AND AUTHENTICATION |
| 2.7 Ensure 'passwordFormat' is not set to clear - Applications | IDENTIFICATION AND AUTHENTICATION |
| 2.7 Ensure 'passwordFormat' is not set to clear - Default | IDENTIFICATION AND AUTHENTICATION |
| 3.1 Ensure 'deployment method retail' is set | CONFIGURATION MANAGEMENT |
| 3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Applications | SYSTEM AND INFORMATION INTEGRITY |
| 3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Default | SYSTEM AND INFORMATION INTEGRITY |
| 3.7 Ensure 'cookies' are set with HttpOnly attribute - Applications | ACCESS CONTROL |
| 3.7 Ensure 'cookies' are set with HttpOnly attribute - Default | ACCESS CONTROL |
| 3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured - Applications | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured - Default | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.10 Ensure global .NET trust level is configured - Applications | ACCESS CONTROL |
| 3.10 Ensure global .NET trust level is configured - Default | ACCESS CONTROL |
| 4.5 Ensure Double-Encoded requests will be rejected - Applications | CONFIGURATION MANAGEMENT |
| 4.5 Ensure Double-Encoded requests will be rejected - Default | CONFIGURATION MANAGEMENT |
| 4.6 Ensure 'HTTP Trace Method' is disabled - Applications | CONFIGURATION MANAGEMENT |
| 4.6 Ensure 'HTTP Trace Method' is disabled - Default | CONFIGURATION MANAGEMENT |
| 4.7 Ensure Unlisted File Extensions are not allowed - Applications | CONFIGURATION MANAGEMENT |
| 4.7 Ensure Unlisted File Extensions are not allowed - Default | CONFIGURATION MANAGEMENT |
| 4.8 Ensure Handler is not granted Write and Script/Execute - Applications | ACCESS CONTROL |
| 4.8 Ensure Handler is not granted Write and Script/Execute - Default | ACCESS CONTROL |
| 4.9 Ensure 'notListedIsapisAllowed' is set to false | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.10 Ensure 'notListedCgisAllowed' is set to false | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Concurrent Requests | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - maxConcurrentRequests | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1 Ensure Default IIS web log location is moved | AUDIT AND ACCOUNTABILITY |
| 5.2 Ensure Advanced IIS logging is enabled | |
| 5.3 Ensure 'ETW Logging' is enabled - Sites logFormat W3C | AUDIT AND ACCOUNTABILITY |
| 5.3 Ensure 'ETW Logging' is enabled - Sites logFormat W3C with ETW target | AUDIT AND ACCOUNTABILITY |
| 5.3 Ensure 'ETW Logging' is enabled. | AUDIT AND ACCOUNTABILITY |
| 6.1 Ensure FTP requests are encrypted - Control Channel Default | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1 Ensure FTP requests are encrypted - Control Channel Sites | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1 Ensure FTP requests are encrypted - Data Channel Default | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1 Ensure FTP requests are encrypted - Data Channel Sites | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.2 Ensure FTP Logon attempt restrictions is enabled | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.2 Ensure SSLv2 is disabled | CONFIGURATION MANAGEMENT |
| 7.3 Ensure SSLv3 is disabled | CONFIGURATION MANAGEMENT |
