DISA_IIS_8.5_Web_Site_v2r9.audit from DISA Microsoft IIS 8.5 Site v2r9 STIG

| ID | Check | Control family |
|---|---|---|
| IISW-SI-000201 | The IIS 8.5 website session state must be enabled. | ACCESS CONTROL |
| IISW-SI-000202 | The IIS 8.5 website session state cookie settings must be configured to Use Cookies mode. | ACCESS CONTROL |
| IISW-SI-000203 | A private IIS 8.5 website must only accept Secure Socket Layer connections. | ACCESS CONTROL |
| IISW-SI-000204 | A public IIS 8.5 website must only accept Secure Socket Layer connections when authentication is required. | ACCESS CONTROL |
| IISW-SI-000205 | The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session. | AUDIT AND ACCOUNTABILITY |
| IISW-SI-000206 | Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled. | AUDIT AND ACCOUNTABILITY |
| IISW-SI-000208 | An IIS 8.5 website behind a load balancer or proxy server must produce log records containing the source client IP and destination information. | AUDIT AND ACCOUNTABILITY |
| IISW-SI-000209 | The IIS 8.5 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 8.5 website events. | AUDIT AND ACCOUNTABILITY |
| IISW-SI-000210 | The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | AUDIT AND ACCOUNTABILITY |
| IISW-SI-000214 | The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled. | CONFIGURATION MANAGEMENT |
| IISW-SI-000215 | Mappings to unused and vulnerable scripts on the IIS 8.5 website must be removed. | CONFIGURATION MANAGEMENT |
| IISW-SI-000216 | The IIS 8.5 website must have resource mappings set to disable the serving of certain file types. | CONFIGURATION MANAGEMENT |
| IISW-SI-000217 | The IIS 8.5 website must have Web Distributed Authoring and Versioning (WebDAV) disabled. | CONFIGURATION MANAGEMENT |
| IISW-SI-000219 | Each IIS 8.5 website must be assigned a default host header. | CONFIGURATION MANAGEMENT |
| IISW-SI-000220 | A private website's authentication mechanism must use client certificates to transmit the session identifier to assure integrity. | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000221 | Anonymous IIS 8.5 website access accounts must be restricted. | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000223 | The IIS 8.5 website must generate unique session identifiers that cannot be reliably reproduced. | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000224 | The IIS 8.5 website document directory must be in a separate partition from the IIS 8.5 website's system files. | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000225 | The IIS 8.5 website must be configured to limit the maxURL. | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000226 | The IIS 8.5 website must be configured to limit the size of web requests. | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000227 | The IIS 8.5 website's Maximum Query String limit must be configured. | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000228 | Non-ASCII characters in URLs must be prohibited by any IIS 8.5 website. | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000229 | Double encoded URL requests must be prohibited by any IIS 8.5 website. | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000230 | Unlisted file extensions in URL requests must be filtered by any IIS 8.5 website. | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000231 | Directory Browsing on the IIS 8.5 website must be disabled. | SYSTEM AND INFORMATION INTEGRITY |
| IISW-SI-000233 | Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 8.5 website, patches, loaded modules, and directory paths. | SYSTEM AND INFORMATION INTEGRITY |
| IISW-SI-000234 | Debugging and trace information used to diagnose the IIS 8.5 website must be disabled. | SYSTEM AND INFORMATION INTEGRITY |
| IISW-SI-000235 | The Idle Time-out monitor for each IIS 8.5 website must be enabled. | ACCESS CONTROL |
| IISW-SI-000236 | The IIS 8.5 website's connectionTimeout setting must be explicitly configured to disconnect an idle session. | ACCESS CONTROL |
| IISW-SI-000237 | The IIS 8.5 website must provide the capability to immediately disconnect or disable remote access to the hosted applications. | ACCESS CONTROL |
| IISW-SI-000238 | The IIS 8.5 website must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 8.5 website. | AUDIT AND ACCOUNTABILITY |
| IISW-SI-000239 | The IIS 8.5 websites must utilize ports, protocols, and services according to PPSM guidelines. | CONFIGURATION MANAGEMENT |
| IISW-SI-000241 | The IIS 8.5 private website must have a server certificate issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000242 | The IIS 8.5 private website must employ cryptographic mechanisms (TLS) and require client certificates. | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000244 | IIS 8.5 website session IDs must be sent to the client using TLS. | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000246 | Cookies exchanged between the IIS 8.5 website and the client must use SSL/TLS, have cookie properties set to prohibit client-side scripts from reading the cookie data, and must not be compressed. | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000249 | The IIS 8.5 website must maintain the confidentiality and integrity of information during preparation for transmission and during reception. | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000251 | The IIS 8.5 website must have a unique application pool. | CONFIGURATION MANAGEMENT |
| IISW-SI-000252 | The maximum number of requests an application pool can process for each IIS 8.5 website must be explicitly set. | CONFIGURATION MANAGEMENT |
| IISW-SI-000255 | The application pool for each IIS 8.5 website must have a recycle time explicitly set. | CONFIGURATION MANAGEMENT |
| IISW-SI-000256 | The maximum queue length for HTTP.sys for each IIS 8.5 website must be explicitly configured. | CONFIGURATION MANAGEMENT |
| IISW-SI-000257 | The application pool's pinging monitor for each IIS 8.5 website must be enabled. | CONFIGURATION MANAGEMENT |
| IISW-SI-000258 | The application pool's rapid fail protection for each IIS 8.5 website must be enabled. | CONFIGURATION MANAGEMENT |
| IISW-SI-000259 | The application pool's rapid fail protection settings for each IIS 8.5 website must be managed. | CONFIGURATION MANAGEMENT |
| IISW-SI-000261 | Interactive scripts on the IIS 8.5 web server must be located in unique and designated folders. | CONFIGURATION MANAGEMENT |
| IISW-SI-000262 | Interactive scripts on the IIS 8.5 web server must have restrictive access controls. | CONFIGURATION MANAGEMENT |
| IISW-SI-000263 | Backup interactive scripts on the IIS 8.5 server must be removed. | CONFIGURATION MANAGEMENT |
| IISW-SI-000264 | The required DoD banner page must be displayed to authenticated users accessing a DoD private website. | CONFIGURATION MANAGEMENT |
| IISW-SI-009999 | The version of IIS running on the system must be a supported version. | SYSTEM AND INFORMATION INTEGRITY |