DISA_IIS_10.0_Web_Server_v2r1.audit from DISA Microsoft IIS 10.0 Server v2r1 STIG

IIST-SV-000100 - The IIS 10.0 web server remote authors or content providers must only use secure encrypted logons and connections to upload web server content.

CAT|II

CCI|CCI-001453

Rule-ID|SV-218784r561041_rule

STIG-ID|IIST-SV-000100

STIG-Legacy|SV-109207

STIG-Legacy|V-100103

Vuln-ID|V-218784

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Date

800-53|AU-12

CCI|CCI-000130

CCI|CCI-000131

CCI|CCI-000132

CCI|CCI-000133

CCI|CCI-001462

CCI|CCI-001464

Rule-ID|SV-218785r561041_rule

STIG-ID|IIST-SV-000102

STIG-Legacy|SV-109209

STIG-Legacy|V-100105

Vuln-ID|V-218785

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field IP

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Method

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Query

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Referer

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Status

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Time

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field User

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Format W3C

800-53|AU-3

CSCv6|6.2

IIST-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled.

CCI|CCI-000139

CCI|CCI-001851

Rule-ID|SV-218786r561041_rule

STIG-ID|IIST-SV-000103

STIG-Legacy|SV-109211

STIG-Legacy|V-100107

Vuln-ID|V-218786

IIST-SV-000109 - An IIS 10.0 web server behind a load balancer or proxy server must produce log records containing the source client IP and destination information.

Rule-ID|SV-218787r561041_rule

STIG-ID|IIST-SV-000109

STIG-Legacy|SV-109213

STIG-Legacy|V-100109

Vuln-ID|V-218787

IIST-SV-000110 - The IIS 10.0 web server must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 10.0 web server events - Connection

CCI|CCI-000134

Rule-ID|SV-218788r561041_rule

STIG-ID|IIST-SV-000110

STIG-Legacy|SV-109215

STIG-Legacy|V-100111

Vuln-ID|V-218788

IIST-SV-000110 - The IIS 10.0 web server must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 10.0 web server events - Warning

IIST-SV-000111 - The IIS 10.0 web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Custom Authorization

CCI|CCI-001487

Rule-ID|SV-218789r561041_rule

STIG-ID|IIST-SV-000111

STIG-Legacy|SV-109217

STIG-Legacy|V-100113

Vuln-ID|V-218789

IIST-SV-000111 - The IIS 10.0 web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Custom Content-Type

IIST-SV-000111 - The IIS 10.0 web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Referer

IIST-SV-000111 - The IIS 10.0 web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - User Name

IIST-SV-000111 - The IIS 10.0 web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - UserAgent

IIST-SV-000115 - The log information from the IIS 10.0 web server must be protected from unauthorized modification or deletion.

CCI|CCI-000164

Rule-ID|SV-218790r561041_rule

STIG-ID|IIST-SV-000115

STIG-Legacy|SV-109219

STIG-Legacy|V-100115

Vuln-ID|V-218790

IIST-SV-000116 - The log data and records from the IIS 10.0 web server must be backed up onto a different system or media.

CCI|CCI-001348

Rule-ID|SV-218791r561041_rule

STIG-ID|IIST-SV-000116

STIG-Legacy|SV-109221

STIG-Legacy|V-100117

Vuln-ID|V-218791

IIST-SV-000117 - The IIS 10.0 web server must not perform user management for hosted applications.

CCI|CCI-000381

Rule-ID|SV-218792r561041_rule

STIG-ID|IIST-SV-000117

STIG-Legacy|SV-109223

STIG-Legacy|V-100119

Vuln-ID|V-218792

IIST-SV-000118 - The IIS 10.0 web server must only contain functions necessary for operation.

800-53|CM-7

CSCv6|9.1

Rule-ID|SV-218793r561041_rule

STIG-ID|IIST-SV-000118

STIG-Legacy|SV-109225

STIG-Legacy|V-100121

Vuln-ID|V-218793

IIST-SV-000119 - The IIS 10.0 web server must not be both a website server and a proxy server.

Rule-ID|SV-218794r561041_rule

STIG-ID|IIST-SV-000119

STIG-Legacy|SV-109227

STIG-Legacy|V-100123

Vuln-ID|V-218794

IIST-SV-000120 - All IIS 10.0 web server sample code, example applications, and tutorials must be removed from a production IIS 10.0 server.

CAT|I

Rule-ID|SV-218795r561041_rule

STIG-ID|IIST-SV-000120

STIG-Legacy|SV-109229

STIG-Legacy|V-100125

Vuln-ID|V-218795

IIST-SV-000121 - The accounts created by uninstalled features (i.e., tools, utilities, specific, etc.) must be deleted from the IIS 10.0 server.

800-53|IA-5

Rule-ID|SV-218796r561041_rule

STIG-ID|IIST-SV-000121

STIG-Legacy|SV-109231

STIG-Legacy|V-100127

Vuln-ID|V-218796

IIST-SV-000123 - The IIS 10.0 web server must be reviewed on a regular basis to remove any Operating System features, utility programs, plug-ins, and modules not necessary for operation.

Rule-ID|SV-218797r561041_rule

STIG-ID|IIST-SV-000123

STIG-Legacy|SV-109233

STIG-Legacy|V-100129

Vuln-ID|V-218797

IIST-SV-000124 - The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - bat

800-53|CM-7(4)

Rule-ID|SV-218798r561041_rule

STIG-ID|IIST-SV-000124

STIG-Legacy|SV-109235

STIG-Legacy|V-100131

Vuln-ID|V-218798

IIST-SV-000124 - The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - com

IIST-SV-000124 - The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - csh

IIST-SV-000124 - The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - dll

IIST-SV-000124 - The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - exe

IIST-SV-000125 - The IIS 10.0 web server must have Web Distributed Authoring and Versioning (WebDAV) disabled.

Rule-ID|SV-218799r561041_rule

STIG-ID|IIST-SV-000125

STIG-Legacy|SV-109237

STIG-Legacy|V-100133

Vuln-ID|V-218799

IIST-SV-000129 - The IIS 10.0 web server must perform RFC 5280-compliant certification path validation.

CCI|CCI-000185

Rule-ID|SV-218800r561041_rule

STIG-ID|IIST-SV-000129

STIG-Legacy|SV-109239

STIG-Legacy|V-100135

Vuln-ID|V-218800

IIST-SV-000130 - Java software installed on a production IIS 10.0 web server must be limited to .class files and the Java Virtual Machine.

CCI|CCI-001166

Rule-ID|SV-218801r561041_rule

STIG-ID|IIST-SV-000130

STIG-Legacy|SV-109241

STIG-Legacy|V-100137

Vuln-ID|V-218801

IIST-SV-000131 - IIS 10.0 Web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.

CCI|CCI-001082

Rule-ID|SV-218802r561041_rule

STIG-ID|IIST-SV-000131

STIG-Legacy|SV-109243

STIG-Legacy|V-100139

Vuln-ID|V-218802

IIST-SV-000132 - The IIS 10.0 web server must separate the hosted applications from hosted web server management functionality.

800-53|AC-6(4)

Rule-ID|SV-218803r561041_rule

STIG-ID|IIST-SV-000132

STIG-Legacy|SV-109245

STIG-Legacy|V-100141

Vuln-ID|V-218803

IIST-SV-000134 - The IIS 10.0 web server must use cookies to track session state.

800-53|CM-6

CCI|CCI-001664

CSCv6|3.1

Rule-ID|SV-218804r561041_rule

STIG-ID|IIST-SV-000134

STIG-Legacy|SV-109247

STIG-Legacy|V-100143

Vuln-ID|V-218804

IIST-SV-000135 - The IIS 10.0 web server must accept only system-generated session identifiers - sessionState

Rule-ID|SV-218805r561041_rule

STIG-ID|IIST-SV-000135

STIG-Legacy|SV-109249

STIG-Legacy|V-100145

Vuln-ID|V-218805

IIST-SV-000135 - The IIS 10.0 web server must accept only system-generated session identifiers - timeout

800-53|SC-23(3)

IIST-SV-000136 - The IIS 10.0 web server must augment re-creation to a stable and known baseline.

CCI|CCI-001190

Rule-ID|SV-218806r561041_rule

STIG-ID|IIST-SV-000136

STIG-Legacy|SV-109251

STIG-Legacy|V-100147

Vuln-ID|V-218806

IIST-SV-000137 - The production IIS 10.0 web server must utilize SHA2 encryption for the Machine Key - Encryption Method

800-53|SC-13

CCI|CCI-001199

Rule-ID|SV-218807r561041_rule

STIG-ID|IIST-SV-000137

STIG-Legacy|SV-109253

STIG-Legacy|V-100149

Vuln-ID|V-218807

IIST-SV-000137 - The production IIS 10.0 web server must utilize SHA2 encryption for the Machine Key - Validation Method

800-53|SC-8(1)

IIST-SV-000138 - Directory Browsing on the IIS 10.0 web server must be disabled.

Detections

Analytics

Revision 1.7

Dec 23, 2021

Functional Update