DISA IIS 7.0 Web Server v1r19

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: DISA IIS 7.0 Web Server v1r19

Updated: 4/12/2023

Authority: DISA STIG

Plugin: Windows

Revision: 1.1

Estimated Item Count: 27

Audit Items

Description / Categories
DISA_IIS_7.0_Web_Server_v1r19.audit from DISA IIS 7.0 Web Server STIG v1r19
WA000-WI080 IIS7 - The use of Internet Printing Protocol (IPP) must be disabled on the IIS web server.

CONFIGURATION MANAGEMENT

WA000-WI091 - Directory Browsing must be disabled on the production web server.

CONFIGURATION MANAGEMENT

WA000-WI100 IIS7 - The File System Object component must be disabled.

CONFIGURATION MANAGEMENT

WA000-WI6100 - Unspecified file extensions must not be allowed to execute on the production web server - CGI

SYSTEM AND COMMUNICATIONS PROTECTION

WA000-WI6100 - Unspecified file extensions must not be allowed to execute on the production web server - ISAPI

SYSTEM AND COMMUNICATIONS PROTECTION

WA000-WI6120 - A global authorization rule to restrict access must exist on the web server.

ACCESS CONTROL

WA060 IIS7 - A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
WA070 IIS7 - A private web server must be located on a separate controlled access subnet.

SYSTEM AND COMMUNICATIONS PROTECTION

WA120 IIS7 - Administrative users and groups with access privilege to the web server must be documented.
WA155 - Classified web servers will be afforded physical security commensurate with the classification of their content.
WG040 IIS7 - Public web server resources must not be shared with private assets.

CONFIGURATION MANAGEMENT

WG060 IIS7 - The service account ID used to run the website must have its password changed at least annually.

IDENTIFICATION AND AUTHENTICATION

WG080 IIS7 - Installation of compilers on production web servers is prohibited.

CONFIGURATION MANAGEMENT

WG130 IIS7 - Programs and features not necessary for operations must be removed.

CONFIGURATION MANAGEMENT

WG145 IIS7 - The private web server must use an approved DoD certificate validation process.

SYSTEM AND COMMUNICATIONS PROTECTION

WG190 IIS7 - The web server must use a vendor-supported version of the web server software.

SYSTEM AND INFORMATION INTEGRITY

WG195 IIS7 - Anonymous access accounts must be restricted.

ACCESS CONTROL

WG200 W13 - Only administrators are allowed access to the directory tree, the shell, or other operating system functions and utilities.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

WG204 IIS7 - A web server must not be co-hosted with other services.

CONFIGURATION MANAGEMENT

WG220 IIS7 - Access to web administration tools must be restricted to the web manager and the web manager's designees.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

WG300 IIS7 - Web server system files must conform to minimum file permission requirements.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

WG330 IIS7 - A web server must limit e-mail to outbound only.

CONFIGURATION MANAGEMENT

WG385 IIS7 - All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.

CONFIGURATION MANAGEMENT

WG440 IIS7 - Monitoring software must include CGI type files or equivalent programs.
WG490 IIS7 - Java software installed on the production web server must be limited to .class files and the Java Virtual Machine.

CONFIGURATION MANAGEMENT

WGA500 - The installed version of IIS must be a supported version.
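
Several of the items above (WA000-WI080, WA000-WI091, WA000-WI100, WA000-WI6100, WA000-WI6120, WG195) are settings that can be read straight from the server-level applicationHost.config, so a practitioner can spot-check them before running the audit. The script below is an added example, not part of the Tenable audit file or of the DISA STIG. It assumes the IIS cmdlets are available (the WebAdministration module on IIS 7.5 and later, or the IIS 7.0 PowerShell snap-in on Windows Server 2008), that Internet Printing, when installed, publishes the /Printers application under 'Default Web Site', and that "a rule to restrict access" means any global authorization rule other than the default allow-all entry; all three are this example's assumptions, not statements from the STIG.

```powershell
# Added example (not from the Tenable audit file or the DISA STIG): spot-checks for
# the IIS configuration items that live in applicationHost.config. Run elevated on
# the web server. Assumptions: IIS cmdlets from the WebAdministration module (IIS
# 7.5+) or the IIS 7.0 snap-in (Server 2008); Internet Printing exposes the
# /Printers application under 'Default Web Site'; a "restricting" authorization
# rule is anything other than the default <add accessType="Allow" users="*" />.

if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration          # IIS 7.5 and later
} else {
    Add-PSSnapin WebAdministration           # IIS 7.0 snap-in on Windows Server 2008
}

$AppHost = 'MACHINE/WEBROOT/APPHOST'         # server-level applicationHost.config

function Get-AppHostSetting {
    param([string]$Filter, [string]$Name)
    # The provider returns either a bare value or an attribute object with a Value property
    $p = Get-WebConfigurationProperty -PSPath $AppHost -Filter $Filter -Name $Name
    if ($p.PSObject.Properties['Value']) { $p.Value } else { $p }
}

function New-Finding {
    param([string]$Id, [string]$Title, $Observed, [string]$Status)
    [pscustomobject]@{ Id = $Id; Title = $Title; Observed = $Observed; Status = $Status }
}

function Test-IisStigItems {
    $findings = @()

    # WA000-WI091: directoryBrowse/@enabled must be false
    $dirBrowse = Get-AppHostSetting '/system.webServer/directoryBrowse' 'enabled'
    $findings += New-Finding 'WA000-WI091' 'Directory browsing disabled' $dirBrowse `
        $(if (-not $dirBrowse) { 'PASS' } else { 'FAIL' })

    # WA000-WI6100: unlisted CGI and ISAPI modules must not be allowed to execute
    foreach ($attr in 'notListedCgisAllowed', 'notListedIsapisAllowed') {
        $v = Get-AppHostSetting '/system.webServer/security/isapiCgiRestriction' $attr
        $findings += New-Finding 'WA000-WI6100' "isapiCgiRestriction/@$attr is false" $v `
            $(if (-not $v) { 'PASS' } else { 'FAIL' })
    }

    # WA000-WI6120: a global authorization rule other than the default allow-all must exist
    $rules = @(Get-WebConfiguration -PSPath $AppHost -Filter '/system.webServer/security/authorization/add')
    $restricting = @($rules | Where-Object {
        -not ("$($_.accessType)" -eq 'Allow' -and $_.users -eq '*' -and "$($_.roles)" -eq '')
    })
    $summary = ($rules | ForEach-Object { "$($_.accessType) users='$($_.users)' roles='$($_.roles)'" }) -join '; '
    $findings += New-Finding 'WA000-WI6120' 'Global authorization rule restricts access' $summary `
        $(if ($restricting.Count -gt 0) { 'PASS' } else { 'FAIL' })

    # WG195: report the anonymous account so the reviewer can confirm it is a restricted user
    $anonFilter  = '/system.webServer/security/authentication/anonymousAuthentication'
    $anonEnabled = Get-AppHostSetting $anonFilter 'enabled'
    $anonUser    = Get-AppHostSetting $anonFilter 'userName'
    $findings += New-Finding 'WG195' 'Anonymous account restricted' "enabled=$anonEnabled user='$anonUser'" 'REVIEW'

    # WA000-WI080: Internet Printing publishes the /Printers application (assumed location)
    $printers = @(Get-WebApplication -Site 'Default Web Site' -ErrorAction SilentlyContinue |
                  Where-Object { $_.path -eq '/Printers' })
    $findings += New-Finding 'WA000-WI080' 'Internet Printing Protocol disabled' "printersApps=$($printers.Count)" `
        $(if ($printers.Count -eq 0) { 'PASS' } else { 'FAIL' })

    # WA000-WI100: the File System Object component must not be registered; the ProgID
    # can only be instantiated while scrrun.dll is still registered
    try {
        $null = New-Object -ComObject Scripting.FileSystemObject -ErrorAction Stop
        $findings += New-Finding 'WA000-WI100' 'File System Object component disabled' 'ProgID resolves' 'FAIL'
    } catch {
        $findings += New-Finding 'WA000-WI100' 'File System Object component disabled' 'ProgID not registered' 'PASS'
    }

    return $findings
}

Test-IisStigItems | Format-Table -AutoSize
```

Only server-level (applicationHost.config) settings are read; sites and applications can override directoryBrowse and authorization rules in their own web.config, so a PASS here does not cover per-site overrides. The remaining items in the list (DMZ placement, documented administrators, physical security, certificate validation process, service-account password age) are procedural or environmental checks that no script on the web server can confirm, which is why they are left out of the example.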