IIST-SI-000219 - Each IIS 10.0 website must be assigned a default host header.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to use, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address.

Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Note: If the server being reviewed is hosting SharePoint, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Right-click on the site name under review.

Select 'Edit Bindings'.

Assign hostname entries and unique IP addresses to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used.

Click 'OK'.

Select 'Apply' from the 'Actions' pane.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y24M07_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000382, Rule-ID|SV-218748r879588_rule, STIG-ID|IIST-SI-000219, STIG-Legacy|SV-109321, STIG-Legacy|V-100217, Vuln-ID|V-218748

Plugin: Windows

Control ID: 21c4db8bddae50df8f2281f61a6da1da3342154d7f32f5182c884634710ce530