| 1.1.1 Ensure Web Content Is on Non-System Partition | CONFIGURATION MANAGEMENT |
| 1.1.2 Require Host Headers on all Sites | CONFIGURATION MANAGEMENT |
| 1.1.3 Disable Directory Browsing | CONFIGURATION MANAGEMENT |
| 1.1.4 Configure all Application Pools to use Application Pool Identity | CONFIGURATION MANAGEMENT |
| 1.1.5 Ensure Unique Application Pools for Sites | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.1.6 Configure Anonymous User Identity to Use Application Pool Identity | CONFIGURATION MANAGEMENT |
| 1.2.1 Configure Global Authorization Rule to Restrict Access | ACCESS CONTROL |
| 1.2.2 Ensure Access to Sensitive Site Features Is Restricted To Authenticated Principals Only - Applications | ACCESS CONTROL |
| 1.2.2 Ensure Access to Sensitive Site Features Is Restricted To Authenticated Principals Only - Default | |
| 1.2.3 Require SSL in Forms Authentication - Applications | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.3 Require SSL in Forms Authentication - Default | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.3 Require SSL in Forms Authentication - Not Enabled | |
| 1.2.5 Configure Cookie Protection Mode for Forms Authentication - Applications | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.5 Configure Cookie Protection Mode for Forms Authentication - Default | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.5 Configure Cookie Protection Mode for Forms Authentication - Not Enabled | |
| 1.2.7 Configure SSL for Basic Authentication | IDENTIFICATION AND AUTHENTICATION |
| 1.2.8 Ensure passwordFormat Credentials Element Not Set To Clear - Applications | IDENTIFICATION AND AUTHENTICATION |
| 1.2.8 Ensure passwordFormat Credentials Element Not Set To Clear - Default | IDENTIFICATION AND AUTHENTICATION |
| 1.3.1 Set Deployment Method to Retail | CONFIGURATION MANAGEMENT |
| 1.3.7 Configure MachineKey Validation Method - .Net 3.5 - Applications | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.3.7 Configure MachineKey Validation Method - .Net 3.5 - Default | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.3.8 Configure MachineKey Validation Method - .Net 4.5 | |
| 1.3.8 Configure MachineKey Validation Method - .Net 4.5 - Applications | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.3.8 Configure MachineKey Validation Method - .Net 4.5 - Default | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.3.9 Configure Global .NET Trust Level | |
| 1.3.9 Configure Global .NET Trust Level - Applications | ACCESS CONTROL |
| 1.3.9 Configure Global .NET Trust Level - Default | ACCESS CONTROL |
| 1.3.10 Hide IIS HTTP Detailed Errors from Displaying Remotely | |
| 1.3.10 Hide IIS HTTP Detailed Errors from Displaying Remotely - Applications | SYSTEM AND INFORMATION INTEGRITY |
| 1.3.10 Hide IIS HTTP Detailed Errors from Displaying Remotely - Default | SYSTEM AND INFORMATION INTEGRITY |
| 1.4.5 Ensure Double-Encoded Requests will be Rejected - Applications | CONFIGURATION MANAGEMENT |
| 1.4.5 Ensure Double-Encoded Requests will be Rejected - Default | CONFIGURATION MANAGEMENT |
| 1.4.6 Disallow Unlisted File Extensions - Applications | CONFIGURATION MANAGEMENT |
| 1.4.6 Disallow Unlisted File Extensions - Default | CONFIGURATION MANAGEMENT |
| 1.4.7 Ensure Handler is not granted Write and Script/Execute - Applications | ACCESS CONTROL |
| 1.4.7 Ensure Handler is not granted Write and Script/Execute - Default | ACCESS CONTROL |
| 1.4.8 Ensure Configuration Attribute notListedIsapisAllowed set to false | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.4.9 Ensure Configuration Attribute notListedCgisAllowed set to false | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.4.10 Disable HTTP Trace Method - Applications | CONFIGURATION MANAGEMENT |
| 1.4.10 Disable HTTP Trace Method - Default | CONFIGURATION MANAGEMENT |
| 1.4.11 Enable Dynamic IP Address Restrictions | |
| 1.4.11 Enable Dynamic IP Address Restrictions - Deny By Conccurent Requests | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.4.11 Enable Dynamic IP Address Restrictions - Deny By Request Rate | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.4.11 Enable Dynamic IP Address Restrictions - Not Logging Only Mode | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.5.1 Move Default IIS Web Log Location | AUDIT AND ACCOUNTABILITY |
| 1.5.2 Enable Advanced IIS Logging | AUDIT AND ACCOUNTABILITY |
| 1.5.3 ETW Logging | |
| 1.5.3 ETW Logging - Default ETW | AUDIT AND ACCOUNTABILITY |
| 1.5.3 ETW Logging - Default W3C | AUDIT AND ACCOUNTABILITY |
| 1.5.3 ETW Logging - Sites logFormat W3C | AUDIT AND ACCOUNTABILITY |
