| 1.1 Ensure Web Content Is on Non-System Partition | CONFIGURATION MANAGEMENT | 
| 1.2 Ensure 'host headers' are on all sites | CONFIGURATION MANAGEMENT | 
| 1.3 Ensure 'directory browsing' is set to disabled | CONFIGURATION MANAGEMENT | 
| 1.4 Ensure 'application pool identity' is configured for all application pools | ACCESS CONTROL | 
| 1.5 Ensure 'unique application pools' is set for sites | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 1.6 Ensure 'application pool identity' is configured for anonymous user identity | CONFIGURATION MANAGEMENT | 
| 2.1 Ensure 'global authorization rule' is set to restrict access | ACCESS CONTROL | 
| 2.2 Ensure Access to Sensitive Site Features Is Restricted To Authenticated Principals Only - Applications | ACCESS CONTROL | 
| 2.2 Ensure Access to Sensitive Site Features Is Restricted To Authenticated Principals Only - Default |  | 
| 2.3 Ensure 'forms authentication' require SSL - Applications | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 2.3 Ensure 'forms authentication' require SSL - Default | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 2.3 Ensure 'forms authentication' require SSL - Not Enabled |  | 
| 2.5 Ensure 'cookie protection mode' is configured for forms authentication - Applications | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 2.5 Ensure 'cookie protection mode' is configured for forms authentication - Default | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 2.5 Ensure 'cookie protection mode' is configured for forms authentication - Not Enabled |  | 
| 2.6 Ensure transport layer security for 'basic authentication' is configured | IDENTIFICATION AND AUTHENTICATION | 
| 2.7 Ensure 'passwordFormat' is not set to clear |  | 
| 2.7 Ensure 'passwordFormat' is not set to clear - Applications | IDENTIFICATION AND AUTHENTICATION | 
| 2.7 Ensure 'passwordFormat' is not set to clear - Default | IDENTIFICATION AND AUTHENTICATION | 
| 3.1 Ensure 'deployment method retail' is set | CONFIGURATION MANAGEMENT | 
| 3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Applications | SYSTEM AND INFORMATION INTEGRITY | 
| 3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Default | SYSTEM AND INFORMATION INTEGRITY | 
| 3.8 Configure MachineKey Validation Method - .Net 3.5 - Applications | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 3.8 Configure MachineKey Validation Method - .Net 3.5 - Default | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured |  | 
| 3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured - Applications | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured - Default | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 3.10 Ensure global .NET trust level is configured |  | 
| 3.10 Ensure global .NET trust level is configured - Applications | ACCESS CONTROL | 
| 3.10 Ensure global .NET trust level is configured - Default | ACCESS CONTROL | 
| 4.5 Ensure Double-Encoded Requests will be Rejected - Applications | CONFIGURATION MANAGEMENT | 
| 4.5 Ensure Double-Encoded Requests will be Rejected - Default | CONFIGURATION MANAGEMENT | 
| 4.6 Ensure 'HTTP Trace Method' is disabled - Applications | CONFIGURATION MANAGEMENT | 
| 4.6 Ensure 'HTTP Trace Method' is disabled - Default | CONFIGURATION MANAGEMENT | 
| 4.7 Ensure Unlisted File Extensions are not allowed - Applications | CONFIGURATION MANAGEMENT | 
| 4.7 Ensure Unlisted File Extensions are not allowed - Default | CONFIGURATION MANAGEMENT | 
| 4.8 Ensure Handler is not granted Write and Script/Execute - Applications | ACCESS CONTROL | 
| 4.8 Ensure Handler is not granted Write and Script/Execute - Default | ACCESS CONTROL | 
| 4.9 Ensure 'notListedIsapisAllowed' is set to false | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 4.10 Ensure 'notListedCgisAllowed' is set to false | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 4.11 Ensure 'Dynamic IP Address Restrictions' is enabled |  | 
| 4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Concurrent Requests | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Request Rate | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Not Logging Only Mode | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 5.1 Ensure Default IIS web log location is moved | AUDIT AND ACCOUNTABILITY | 
| 5.2 Ensure Advanced IIS logging is enabled | AUDIT AND ACCOUNTABILITY | 
| 6.1 Ensure FTP requests are encrypted - Control Channel |  | 
| 6.1 Ensure FTP requests are encrypted - Control Channel Default | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 6.1 Ensure FTP requests are encrypted - Control Channel Sites | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 6.1 Ensure FTP requests are encrypted - Data Channel Default | SYSTEM AND COMMUNICATIONS PROTECTION |