DISA_IIS_7.0_Web_Site_v1r19.audit from DISA IIS 7.0 Site STIG v1r19 STIG | |
WA000-WI050 IIS7 - Unapproved script mappings in IIS 7 must be removed. | CONFIGURATION MANAGEMENT |
WA000-WI070 IIS7 - Indexing Services must only index web content. | CONFIGURATION MANAGEMENT |
WA000-WI090 IIS7 - Directory Browsing must be disabled. | CONFIGURATION MANAGEMENT |
WA000-WI120 IIS7 - The Content Location header must not contain proprietary IP addresses. | SYSTEM AND COMMUNICATIONS PROTECTION |
WA000-WI6010 IIS7 - The website must have a unique application pool. | CONFIGURATION MANAGEMENT |
WA000-WI6020 IIS7 - The application pool must have a recycle time set. | CONFIGURATION MANAGEMENT |
WA000-WI6022 IIS7 - The maximum number of requests an application pool can process must be set. | SYSTEM AND COMMUNICATIONS PROTECTION |
WA000-WI6024 IIS7 - The amount of virtual memory an application pool uses must be set. | SYSTEM AND COMMUNICATIONS PROTECTION |
WA000-WI6026 IIS7 - The amount of private memory an application pool uses must be set. | SYSTEM AND COMMUNICATIONS PROTECTION |
WA000-WI6028 IIS7 - The Idle Timeout monitor must be enabled. | ACCESS CONTROL |
WA000-WI6030 IIS7 - The maximum queue length for HTTP.sys must be managed. | SYSTEM AND COMMUNICATIONS PROTECTION |
WA000-WI6032 IIS7 - An application pool's pinging monitor must be enabled. | CONFIGURATION MANAGEMENT |
WA000-WI6034 IIS7 - An application pool's rapid fail protection must be enabled. | SYSTEM AND COMMUNICATIONS PROTECTION |
WA000-WI6036 IIS7 - An application pool's rapid fail protection settings must be managed. | SYSTEM AND COMMUNICATIONS PROTECTION |
WA000-WI6040 IIS7 - The application pool identity must be defined for each web-site. | ACCESS CONTROL |
WA000-WI6140 IIS7 - Debug must be turned off on a production website. | SYSTEM AND INFORMATION INTEGRITY |
WA000-WI6165 - The production web-site must be configured to prevent detailed HTTP error pages from being sent to remote clients. | SYSTEM AND INFORMATION INTEGRITY |
WA000-WI6180 IIS7 - The production website must utilize SHA1 encryption for Machine Key. | SYSTEM AND COMMUNICATIONS PROTECTION |
WA000-WI6200 - The production web-site must configure the Global .NET Trust Level. | ACCESS CONTROL |
WA000-WI6210 - The web-site must limit the number of bytes accepted in a request. | SYSTEM AND INFORMATION INTEGRITY |
WA000-WI6220 - The production web-site must limit the MaxURL. | SYSTEM AND INFORMATION INTEGRITY |
WA000-WI6230 - The production web-site must configure the Maximum Query String limit. | SYSTEM AND INFORMATION INTEGRITY |
WA000-WI6240 - The web-site must not allow non-ASCII characters in URLs. | SYSTEM AND INFORMATION INTEGRITY |
WA000-WI6250 - The web-site must not allow double encoded URL requests. | CONFIGURATION MANAGEMENT |
WA000-WI6260 - The production web-site must filter unlisted file extensions in URL requests. | CONFIGURATION MANAGEMENT |
WG110 IIS7 - Web sites must limit the number of simultaneous requests. | SYSTEM AND COMMUNICATIONS PROTECTION |
WG140 IIS7 - A private web-site's authentication mechanism must use client certificates. | IDENTIFICATION AND AUTHENTICATION |
WG170 IIS7 - Each readable web document directory must contain a default, home, index, or equivalent document. | CONFIGURATION MANAGEMENT |
WG205 IIS7 - The web document (home) directory must be in a separate partition from the web server's system files. | CONFIGURATION MANAGEMENT |
WG210 IIS7 - Web content directories must not be anonymously shared. | ACCESS CONTROL |
WG230 IIS7 - Web server/site administration must be performed over a secure path. | |
WG235 - Remote authors or content providers will only use secure encrypted logons and connections to upload files to the Document Root directory. | ACCESS CONTROL |
WG240 IIS7 - Web-site logging must be enabled. | AUDIT AND ACCOUNTABILITY |
WG242 IIS7 - Log files must consist of the required data fields. | AUDIT AND ACCOUNTABILITY |
WG255 IIS7 - Access to the web-site log files must be restricted. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
WG260 - Only web sites that have been fully reviewed and tested will exist on a production web server. | |
WG265 IIS7 - The required DoD banner page must be displayed to authenticated users accessing a DoD private website. | |
WG290 IIS7 - Access to the web content and script directories must be restricted. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
WG310 IIS7 - A web site must not contain a robots.txt file. | CONFIGURATION MANAGEMENT |
WG340 IIS7 - A private web server must utilize an approved TLS version. | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
WG342 IIS7 - Public web servers must use TLS if authentication is required. | SYSTEM AND COMMUNICATIONS PROTECTION |
WG350 IIS7 - A private web server must have a valid server certificate. | SYSTEM AND COMMUNICATIONS PROTECTION |
WG355 IIS7 - A private web-site must utilize certificates from a trusted DoD CA. | SYSTEM AND COMMUNICATIONS PROTECTION |
WG400 IIS7 - All interactive programs must be placed in unique designated folders. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
WG410 IIS7 - All interactive programs must have restrictive access controls. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
WG420 IIS7 - Backup interactive scripts must be removed from the web site. | CONFIGURATION MANAGEMENT |
WG500 - The installed version of IIS must be a supported version. | |
WG520 IIS7 - All web-sites must be assigned a default Host header. | CONFIGURATION MANAGEMENT |
WG610 IIS7 - Web sites must utilize ports, protocols, and services according to PPSM guidelines. | CONFIGURATION MANAGEMENT |