CIS IIS 7.0 L1 v1.7.1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS IIS 7.0 L1 v1.7.1

Updated: 4/24/2017

Authority: CIS

Plugin: Windows

Revision: 1.9

Estimated Item Count: 51

File Details

Filename: CIS_v1.7.1_MS_IIS_7_Level_1.audit

Size: 72.9 kB

MD5: 9fe9ae6ae830b2474c9ee1b11992dc44
SHA256: de2876f6ad5babad2965a08524e27a86e7fd7e8b631ca1b695ec1a683563338f

Audit Items

Description

Categories

1.1.1 Ensure Web Content Is on Non-System Partition

CONFIGURATION MANAGEMENT

1.1.2 Require Host Headers on all Sites

CONFIGURATION MANAGEMENT

1.1.3 Disable Directory Browsing

ACCESS CONTROL

1.1.4 Configure Application Pools to Run As Application Pool Identity

CONFIGURATION MANAGEMENT

1.1.5 Ensure Unique Application Pools for Sites

SYSTEM AND COMMUNICATIONS PROTECTION

1.1.6 Configure Anonymous User Identity to Use Application Pool Identity

ACCESS CONTROL

1.1.7 Stop non-used Application Pools

CONFIGURATION MANAGEMENT

1.1.11 Enable Dynamic IP Address Restrictions
1.2.1 Configure Global Authorization Rule to Restrict Access - add roles='administrators'

ACCESS CONTROL

1.2.1 Configure Global Authorization Rule to Restrict Access - remove users='*'

ACCESS CONTROL

1.2.2 Ensure Access to Sensitive Site Features Is Restricted To Authenticated Principals Only

ACCESS CONTROL

1.2.3 Require SSL in Forms Authentication

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.5 Configure Cookie Protection Mode for Forms Authentication

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.7 Configure SSL for Basic Authentication
1.2.8 Ensure passwordFormat Credentials Element Not Set To Clear

IDENTIFICATION AND AUTHENTICATION

1.3.1 Set Deployment Method to Retail

CONFIGURATION MANAGEMENT

1.3.4 ASP.NET stack tracing is Not Enabled

SYSTEM AND INFORMATION INTEGRITY

1.3.7 Configure MachineKey Validation Method - .Net 3.5

SYSTEM AND COMMUNICATIONS PROTECTION

1.3.8 Configure MachineKey Validation Method - .Net 4.5

SYSTEM AND COMMUNICATIONS PROTECTION

1.3.9 Configure Global .NET Trust Level

ACCESS CONTROL

1.3.10 Hide IIS HTTP Detailed Errors from Displaying Remotely

SYSTEM AND INFORMATION INTEGRITY

1.4.5 Ensure Double-Encoded Requests will be Rejected

CONFIGURATION MANAGEMENT

1.4.6 Disallow Unlisted File Extensions

CONFIGURATION MANAGEMENT

1.4.7 Ensure Handler is not granted Write and Script/Execute

ACCESS CONTROL

1.4.8 Ensure Configuration Attribute notListedIsapisAllowed set to false

SYSTEM AND COMMUNICATIONS PROTECTION

1.4.9 Ensure Configuration Attribute notListedCgisAllowed set to false

SYSTEM AND COMMUNICATIONS PROTECTION

1.4.10 Disable HTTP Trace Method

CONFIGURATION MANAGEMENT

1.5.1 Move Default IIS Web Log Location

AUDIT AND ACCOUNTABILITY

1.5.2 Enable Advanced IIS Logging

AUDIT AND ACCOUNTABILITY

1.6.1 Encrypt FTP Requests
1.7.1 Disable PCT 1.0 - 'DisabledByDefault = 1'

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.1 Disable PCT 1.0 - 'Enabled = 0'

CONFIGURATION MANAGEMENT

1.7.2 Disable SSLv2 - 'DisabledByDefault = 1'

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.2 Disable SSLv2 - 'Enabled = 0'

CONFIGURATION MANAGEMENT

1.7.3 Disable SSLv3 - 'DisabledByDefault = 1'

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.3 Disable SSLv3 - 'Enabled = 0'

CONFIGURATION MANAGEMENT

1.7.4 Configure TLS 1.0 - 'DisabledByDefault = 0'

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.4 Configure TLS 1.0 - 'Enabled = 0xFFFFFFFF'

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.7 Disable NULL Cipher Suites

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.8 Disable DES Cipher Suites

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.9 Disable RC2 Cipher Suites - 'RC2 40/128'

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.9 Disable RC2 Cipher Suites - 'RC2 56/128'

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.10 Disable RC4 Cipher Suites - 'RC4 40/128'

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.10 Disable RC4 Cipher Suites - 'RC4 56/128'

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.10 Disable RC4 Cipher Suites - 'RC4 64/128'

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.10 Disable RC4 Cipher Suites - 'RC4 128/128'

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.11 Configure Triple DES Cipher Suites

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.12 Configure AES 128/128 Cipher Suite

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.13 Enable AES 256/256 Cipher Suite

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.14 TLS Cipher Suite Ordering for 2008