DISA_IIS_8.5_Web_Site_v2r7.audit from DISA Microsoft IIS 8.5 Site v2r7 STIG

IISW-SI-000201 - The IIS 8.5 website session state must be enabled.

CAT|II

CCI|CCI-000054

Rule-ID|SV-214444r879511_rule

STIG-ID|IISW-SI-000201

STIG-Legacy|SV-91471

STIG-Legacy|V-76775

Vuln-ID|V-214444

IISW-SI-000202 - The IIS 8.5 website session state cookie settings must be configured to Use Cookies mode.

Rule-ID|SV-214445r879511_rule

STIG-ID|IISW-SI-000202

STIG-Legacy|SV-91473

STIG-Legacy|V-76777

Vuln-ID|V-214445

IISW-SI-000203 - A private IIS 8.5 website must only accept Secure Socket Layer connections.

CCI|CCI-000068

Rule-ID|SV-214446r879519_rule

STIG-ID|IISW-SI-000203

STIG-Legacy|SV-91475

STIG-Legacy|V-76779

Vuln-ID|V-214446

IISW-SI-000204 - A public IIS 8.5 website must only accept Secure Socket Layer connections when authentication is required.

Rule-ID|SV-214447r879519_rule

STIG-ID|IISW-SI-000204

STIG-Legacy|SV-91477

STIG-Legacy|V-76781

Vuln-ID|V-214447

IISW-SI-000205 - The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session - Field Client IP Address

CCI|CCI-001462

CCI|CCI-001464

Rule-ID|SV-214448r879562_rule

STIG-ID|IISW-SI-000205

STIG-Legacy|SV-91479

STIG-Legacy|V-76783

Vuln-ID|V-214448

IISW-SI-000205 - The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session - Field Date

IISW-SI-000205 - The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session - Field Method

IISW-SI-000205 - The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session - Field Protocol Status

IISW-SI-000205 - The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session - Field Referer

IISW-SI-000205 - The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session - Field Time

IISW-SI-000205 - The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session - Field URI Query

IISW-SI-000205 - The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session - Field User Name

IISW-SI-000205 - The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session - Format W3C

IISW-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled.

CCI|CCI-000139

Rule-ID|SV-214449r879562_rule

STIG-ID|IISW-SI-000206

STIG-Legacy|SV-91481

STIG-Legacy|V-76785

Vuln-ID|V-214449

IISW-SI-000208 - An IIS 8.5 website behind a load balancer or proxy server, must produce log records containing the source client IP and destination information.

CCI|CCI-000133

Rule-ID|SV-214450r879566_rule

STIG-ID|IISW-SI-000208

STIG-Legacy|SV-91483

STIG-Legacy|V-76787

Vuln-ID|V-214450

IISW-SI-000209 - The IIS 8.5 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 8.5 website events - Connection

CCI|CCI-000134

Rule-ID|SV-214451r879567_rule

STIG-ID|IISW-SI-000209

STIG-Legacy|SV-91485

STIG-Legacy|V-76789

Vuln-ID|V-214451

IISW-SI-000209 - The IIS 8.5 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 8.5 website events - Warning

IISW-SI-000210 - The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Custom Authorization

CCI|CCI-001487

Rule-ID|SV-214452r879568_rule

STIG-ID|IISW-SI-000210

STIG-Legacy|SV-91487

STIG-Legacy|V-76791

Vuln-ID|V-214452

IISW-SI-000210 - The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Custom Content-Type

IISW-SI-000210 - The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Custom HTTP_USER_AGENT

IISW-SI-000210 - The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Custom User-Agent

IISW-SI-000210 - The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Referer

IISW-SI-000210 - The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - User Agent

IISW-SI-000210 - The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - User Name

IISW-SI-000214 - The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - bat

CCI|CCI-000381

Rule-ID|SV-214454r879587_rule

STIG-ID|IISW-SI-000214

STIG-Legacy|SV-91493

STIG-Legacy|V-76797

Vuln-ID|V-214454

IISW-SI-000214 - The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - com

IISW-SI-000214 - The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - csh

IISW-SI-000214 - The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - dll

IISW-SI-000214 - The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - exe

IISW-SI-000215 - Mappings to unused and vulnerable scripts on the IIS 8.5 website must be removed.

Rule-ID|SV-214455r879587_rule

STIG-ID|IISW-SI-000215

STIG-Legacy|SV-91495

STIG-Legacy|V-76799

Vuln-ID|V-214455

IISW-SI-000216 - The IIS 8.5 website must have resource mappings set to disable the serving of certain file types.

Rule-ID|SV-214456r879587_rule

STIG-ID|IISW-SI-000216

STIG-Legacy|SV-91497

STIG-Legacy|V-76801

Vuln-ID|V-214456

IISW-SI-000217 - The IIS 8.5 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.

Rule-ID|SV-214457r879587_rule

STIG-ID|IISW-SI-000217

STIG-Legacy|SV-91499

STIG-Legacy|V-76803

Vuln-ID|V-214457

IISW-SI-000219 - Each IIS 8.5 website must be assigned a default host header.

CCI|CCI-000382

Rule-ID|SV-214459r879588_rule

STIG-ID|IISW-SI-000219

STIG-Legacy|SV-91503

STIG-Legacy|V-76807

Vuln-ID|V-214459

IISW-SI-000220 - A private websites authentication mechanism must use client certificates to transmit session identifier to assure integrity.

CCI|CCI-000197

CCI|CCI-001188

CCI|CCI-002470

Rule-ID|SV-214460r879609_rule

STIG-ID|IISW-SI-000220

STIG-Legacy|SV-91505

STIG-Legacy|V-76809

Vuln-ID|V-214460

IISW-SI-000221 - Anonymous IIS 8.5 website access accounts must be restricted - Anonymous username

CAT|I

CCI|CCI-001082

Rule-ID|SV-214461r879631_rule

STIG-ID|IISW-SI-000221

STIG-Legacy|SV-91507

STIG-Legacy|V-76811

Vuln-ID|V-214461

IISW-SI-000221 - Anonymous IIS 8.5 website access accounts must be restricted - Local System Groups

IISW-SI-000223 - The IIS 8.5 website must generate unique session identifiers that cannot be reliably reproduced.

Rule-ID|SV-214462r879639_rule

STIG-ID|IISW-SI-000223

STIG-Legacy|SV-91509

STIG-Legacy|V-76813

Vuln-ID|V-214462

IISW-SI-000224 - The IIS 8.5 website document directory must be in a separate partition from the IIS 8.5 websites system files.

CCI|CCI-001084

Rule-ID|SV-214463r879643_rule

STIG-ID|IISW-SI-000224

STIG-Legacy|SV-91511

STIG-Legacy|V-76815

Vuln-ID|V-214463

IISW-SI-000225 - The IIS 8.5 website must be configured to limit the maxURL.

CCI|CCI-001094

Rule-ID|SV-214464r879650_rule

STIG-ID|IISW-SI-000225

STIG-Legacy|SV-91513

STIG-Legacy|V-76817

Vuln-ID|V-214464

IISW-SI-000226 - The IIS 8.5 website must be configured to limit the size of web requests.

Rule-ID|SV-214465r879650_rule

STIG-ID|IISW-SI-000226

STIG-Legacy|SV-91515

STIG-Legacy|V-76819

Vuln-ID|V-214465

IISW-SI-000227 - The IIS 8.5 websites Maximum Query String limit must be configured.

Rule-ID|SV-214466r879650_rule

STIG-ID|IISW-SI-000227

STIG-Legacy|SV-91517

STIG-Legacy|V-76821

Vuln-ID|V-214466

IISW-SI-000228 - Non-ASCII characters in URLs must be prohibited by any IIS 8.5 website.

Rule-ID|SV-214467r879650_rule

STIG-ID|IISW-SI-000228

STIG-Legacy|SV-91519

STIG-Legacy|V-76823

Vuln-ID|V-214467

IISW-SI-000229 - Double encoded URL requests must be prohibited by any IIS 8.5 website.

Rule-ID|SV-214468r879650_rule

STIG-ID|IISW-SI-000229

STIG-Legacy|SV-91521

STIG-Legacy|V-76825

Vuln-ID|V-214468

IISW-SI-000230 - Unlisted file extensions in URL requests must be filtered by any IIS 8.5 website.

Rule-ID|SV-214469r879650_rule

STIG-ID|IISW-SI-000230

STIG-Legacy|SV-91523

STIG-Legacy|V-76827

Vuln-ID|V-214469

IISW-SI-000231 - Directory Browsing on the IIS 8.5 website must be disabled.

CCI|CCI-001310

Rule-ID|SV-214470r879652_rule

STIG-ID|IISW-SI-000231

STIG-Legacy|SV-91525

STIG-Legacy|V-76829

Vuln-ID|V-214470

IISW-SI-000233 - Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 8.5 website, patches, loaded modules, and directory paths.

CCI|CCI-001312

Rule-ID|SV-214472r879655_rule

STIG-ID|IISW-SI-000233

STIG-Legacy|SV-91531

STIG-Legacy|V-76835

Vuln-ID|V-214472

IISW-SI-000234 - Debugging and trace information used to diagnose the IIS 8.5 website must be disabled.

Detections

Analytics

Revision 1.2

Jul 24, 2023

Functional Update