IISW-SV-000123 - The IIS 8.5 web server must be reviewed on a regular basis to remove any Operating System features, utility programs, plug-ins, and modules not necessary for operation.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and graphical editors are examples of such programs that are troublesome.

Individual productivity tools have no legitimate place or use on an enterprise, production web server and they are also prone to their own security risks. The web server installation process must provide options allowing the installer to choose which utility programs, services, and modules are to be installed or removed. By having a process for installation and removal, the web server is guaranteed to be in a more stable and secure state than if these services and programs were installed and removed manually.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Remove all utility programs, Operating System features or modules which are installed but are not necessary for web server operation.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_8-5_Y20M10_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, CAT|II, CCI|CCI-000381, CSCv6|9.1, Rule-ID|SV-214412r508658_rule, STIG-ID|IISW-SV-000123, STIG-Legacy|SV-91405, STIG-Legacy|V-76709, Vuln-ID|V-214412

Plugin: Windows

Control ID: 3084cc727b44f270ac533647d76408bc5c2d5ea87f815a4b27e4f5cb6082c1a4