DISA IIS 10.0 Site v2r1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA IIS 10.0 Site v2r1

Updated: 5/17/2022

Authority: Operating Systems and Applications

Plugin: Windows

Revision: 1.8

Estimated Item Count: 58

Audit Items

Description	Categories
DISA_IIS_10.0_Web_Site_v2r1.audit from DISA Microsoft IIS 10.0 Site v2r1 STIG
IIST-SI-000201 - The IIS 10.0 website session state must be enabled.	SYSTEM AND COMMUNICATIONS PROTECTION
IIST-SI-000202 - The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode.	CONFIGURATION MANAGEMENT
IIST-SI-000203 - A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections.	SYSTEM AND COMMUNICATIONS PROTECTION
IIST-SI-000204 - A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required.	SYSTEM AND COMMUNICATIONS PROTECTION
IIST-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.	AUDIT AND ACCOUNTABILITY
IIST-SI-000208 - An IIS 10.0 website behind a load balancer or proxy server must produce log records containing the source client IP, and destination information.
IIST-SI-000209 - The IIS 10.0 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 10.0 website events - Connection	AUDIT AND ACCOUNTABILITY
IIST-SI-000209 - The IIS 10.0 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 10.0 website events - Warning	AUDIT AND ACCOUNTABILITY
IIST-SI-000210 - The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Custom Authorization	AUDIT AND ACCOUNTABILITY
IIST-SI-000210 - The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Custom Content-Type	AUDIT AND ACCOUNTABILITY
IIST-SI-000210 - The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Referer	AUDIT AND ACCOUNTABILITY
IIST-SI-000210 - The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - User Agent	AUDIT AND ACCOUNTABILITY
IIST-SI-000210 - The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - User Name	AUDIT AND ACCOUNTABILITY
IIST-SI-000214 - The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - bat	CONFIGURATION MANAGEMENT
IIST-SI-000214 - The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - com	CONFIGURATION MANAGEMENT
IIST-SI-000214 - The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - csh	CONFIGURATION MANAGEMENT
IIST-SI-000214 - The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - dll	CONFIGURATION MANAGEMENT
IIST-SI-000214 - The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - exe	CONFIGURATION MANAGEMENT
IIST-SI-000215 - Mappings to unused and vulnerable scripts on the IIS 10.0 website must be removed.
IIST-SI-000216 - The IIS 10.0 website must have resource mappings set to disable the serving of certain file types.
IIST-SI-000217 - The IIS 10.0 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.	CONFIGURATION MANAGEMENT
IIST-SI-000219 - Each IIS 10.0 website must be assigned a default host header.	CONFIGURATION MANAGEMENT
IIST-SI-000220 - A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.	IDENTIFICATION AND AUTHENTICATION
IIST-SI-000221 - Anonymous IIS 10.0 website access accounts must be restricted - Anonymous username	ACCESS CONTROL
IIST-SI-000221 - Anonymous IIS 10.0 website access accounts must be restricted - Local System Groups	ACCESS CONTROL
IIST-SI-000223 - The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced.	SYSTEM AND COMMUNICATIONS PROTECTION
IIST-SI-000224 - The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files.	CONFIGURATION MANAGEMENT
IIST-SI-000225 - The IIS 10.0 website must be configured to limit the maxURL.	SYSTEM AND INFORMATION INTEGRITY
IIST-SI-000226 - The IIS 10.0 website must be configured to limit the size of web requests.	SYSTEM AND INFORMATION INTEGRITY
IIST-SI-000227 - The IIS 10.0 websites Maximum Query String limit must be configured.	SYSTEM AND INFORMATION INTEGRITY
IIST-SI-000228 - Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website.	SYSTEM AND INFORMATION INTEGRITY
IIST-SI-000229 - Double encoded URL requests must be prohibited by any IIS 10.0 website.	CONFIGURATION MANAGEMENT
IIST-SI-000230 - Unlisted file extensions in URL requests must be filtered by any IIS 10.0 website.	CONFIGURATION MANAGEMENT
IIST-SI-000231 - Directory Browsing on the IIS 10.0 website must be disabled.	CONFIGURATION MANAGEMENT
IIST-SI-000233 - Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 website, patches, loaded modules, and directory paths.	SYSTEM AND INFORMATION INTEGRITY
IIST-SI-000234 - Debugging and trace information used to diagnose the IIS 10.0 website must be disabled.	SYSTEM AND INFORMATION INTEGRITY
IIST-SI-000235 - The Idle Time-out monitor for each IIS 10.0 website must be enabled.	ACCESS CONTROL
IIST-SI-000236 - The IIS 10.0 websites connectionTimeout setting must be explicitly configured to disconnect an idle session.	ACCESS CONTROL
IIST-SI-000237 - The IIS 10.0 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.
IIST-SI-000238 - The IIS 10.0 website must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 website.	AUDIT AND ACCOUNTABILITY
IIST-SI-000239 - The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines.	CONFIGURATION MANAGEMENT
IIST-SI-000241 - The IIS 10.0 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
IIST-SI-000242 - The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates.	SYSTEM AND COMMUNICATIONS PROTECTION
IIST-SI-000244 - IIS 10.0 website session IDs must be sent to the client using TLS.	SYSTEM AND COMMUNICATIONS PROTECTION
IIST-SI-000246 - Cookies exchanged between the IIS 10.0 website and the client must have cookie properties set to prohibit client-side scripts from reading the cookie data - compressionEnabled	SYSTEM AND COMMUNICATIONS PROTECTION
IIST-SI-000246 - Cookies exchanged between the IIS 10.0 website and the client must have cookie properties set to prohibit client-side scripts from reading the cookie data - requireSSL	SYSTEM AND COMMUNICATIONS PROTECTION
IIST-SI-000251 - The IIS 10.0 website must have a unique application pool.	SYSTEM AND COMMUNICATIONS PROTECTION
IIST-SI-000252 - The maximum number of requests an application pool can process for each IIS 10.0 website must be explicitly set.	SYSTEM AND COMMUNICATIONS PROTECTION
IIST-SI-000255 - The application pool for each IIS 10.0 website must have a recycle time explicitly set - Regular Time Interval	CONFIGURATION MANAGEMENT

Detections

Analytics

DISA IIS 10.0 Site v2r1

Warning! Audit Deprecated

Audit Details

Audit Items