| 1.1 Ensure web content is on non-system partition | CIS IIS 8.0 v1.5.1 Level 1 | Windows | CONFIGURATION MANAGEMENT |
| 1.1 Ensure Web Content Is on Non-System Partition | CIS IIS 7 L1 v1.8.0 | Windows | CONFIGURATION MANAGEMENT |
| 1.6 Ensure 'application pool identity' is configured for anonymous user identity | CIS IIS 7 L1 v1.8.0 | Windows | CONFIGURATION MANAGEMENT |
| 1.6 Ensure 'application pool identity' is configured for anonymous user identity | CIS IIS 8.0 v1.5.1 Level 1 | Windows | CONFIGURATION MANAGEMENT |
| 1.6 Ensure 'application pool identity' is configured for anonymous user identity | CIS IIS 10 v1.2.1 Level 1 | Windows | ACCESS CONTROL |
| 7.4 Ensure TLS 1.0 is enabled | CIS IIS 7 L1 v1.8.0 | Windows | |
| CIS Security Benchmark For Microsoft IIS 7.0/7.5 v1.8.0 Level I. | CIS IIS 7 L1 v1.8.0 | Windows | |
| CIS Security Benchmark For Microsoft IIS 7.0/7.5 v1.8.0 Level II. | CIS IIS 7 L2 v1.8.0 | Windows | |
| DISA_IIS_6.0_Web_Site_v6r16.audit from DISA Microsoft IIS 6.0 Site v6r16 STIG | DISA STIG IIS 6.0 Site Checklist v6r16 | Windows | |
| DISA_IIS_8.5_Web_Server_v2r7.audit from DISA Microsoft IIS 8.5 Server v2r7 STIG | DISA IIS 8.5 Server v2r7 | Windows | |
| DISA_IIS_8.5_Web_Site_v2r9.audit from DISA Microsoft IIS 8.5 Site v2r9 STIG | DISA IIS 8.5 Site v2r9 | Windows | |
| DISA_STIG_IIS_10.0_Web_Site_v2r10.audit from DISA Microsoft IIS 10.0 Site v2r10 STIG | DISA IIS 10.0 Site v2r10 | Windows | |
| IIST-SI-000201 - The IIS 10.0 website session state must be enabled. | DISA IIS 10.0 Site v2r10 | Windows | ACCESS CONTROL |
| IIST-SI-000202 - The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode. | DISA IIS 10.0 Site v2r10 | Windows | ACCESS CONTROL |
| IIST-SI-000203 - A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections. | DISA IIS 10.0 Site v2r10 | Windows | ACCESS CONTROL |
| IIST-SI-000204 - A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required. | DISA IIS 10.0 Site v2r10 | Windows | ACCESS CONTROL |
| IIST-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled. | DISA IIS 10.0 Site v2r10 | Windows | AUDIT AND ACCOUNTABILITY |
| IIST-SI-000214 - The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled. | DISA IIS 10.0 Site v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SI-000217 - The IIS 10.0 website must have Web Distributed Authoring and Versioning (WebDAV) disabled. | DISA IIS 10.0 Site v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SI-000223 - The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced. | DISA IIS 10.0 Site v2r10 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000224 - The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files. | DISA IIS 10.0 Site v2r10 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000226 - The IIS 10.0 website must be configured to limit the size of web requests. | DISA IIS 10.0 Site v2r10 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000227 - The IIS 10.0 websites Maximum Query String limit must be configured. | DISA IIS 10.0 Site v2r10 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000228 - Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website. | DISA IIS 10.0 Site v2r10 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000229 - Double encoded URL requests must be prohibited by any IIS 10.0 website. | DISA IIS 10.0 Site v2r10 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000230 - Unlisted file extensions in URL requests must be filtered by any IIS 10.0 website. | DISA IIS 10.0 Site v2r10 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000231 - Directory Browsing on the IIS 10.0 website must be disabled. | DISA IIS 10.0 Site v2r10 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| IIST-SI-000234 - Debugging and trace information used to diagnose the IIS 10.0 website must be disabled. | DISA IIS 10.0 Site v2r10 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| IIST-SI-000239 - The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines. | DISA IIS 10.0 Site v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SI-000201 - The IIS 8.5 website session state must be enabled. | DISA IIS 8.5 Site v2r9 | Windows | ACCESS CONTROL |
| IISW-SI-000202 - The IIS 8.5 website session state cookie settings must be configured to Use Cookies mode. | DISA IIS 8.5 Site v2r9 | Windows | ACCESS CONTROL |
| IISW-SI-000203 - A private IIS 8.5 website must only accept Secure Socket Layer connections. | DISA IIS 8.5 Site v2r9 | Windows | ACCESS CONTROL |
| IISW-SI-000204 - A public IIS 8.5 website must only accept Secure Socket Layer connections when authentication is required. | DISA IIS 8.5 Site v2r9 | Windows | ACCESS CONTROL |
| IISW-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled. | DISA IIS 8.5 Site v2r9 | Windows | AUDIT AND ACCOUNTABILITY |
| IISW-SI-000210 - The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | DISA IIS 8.5 Site v2r9 | Windows | AUDIT AND ACCOUNTABILITY |
| IISW-SI-000214 - The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - MIME that invoke OS shell programs disabled | DISA IIS 8.5 Site v2r9 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SI-000223 - The IIS 8.5 website must generate unique session identifiers that cannot be reliably reproduced. | DISA IIS 8.5 Site v2r9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000224 - The IIS 8.5 website document directory must be in a separate partition from the IIS 8.5 websites system files. | DISA IIS 8.5 Site v2r9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000226 - The IIS 8.5 website must be configured to limit the size of web requests. | DISA IIS 8.5 Site v2r9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000227 - The IIS 8.5 websites Maximum Query String limit must be configured. | DISA IIS 8.5 Site v2r9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000228 - Non-ASCII characters in URLs must be prohibited by any IIS 8.5 website. | DISA IIS 8.5 Site v2r9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000229 - Double encoded URL requests must be prohibited by any IIS 8.5 website. | DISA IIS 8.5 Site v2r9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000230 - Unlisted file extensions in URL requests must be filtered by any IIS 8.5 website. | DISA IIS 8.5 Site v2r9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000231 - Directory Browsing on the IIS 8.5 website must be disabled. | DISA IIS 8.5 Site v2r9 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| IISW-SI-000234 - Debugging and trace information used to diagnose the IIS 8.5 website must be disabled. | DISA IIS 8.5 Site v2r9 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| IISW-SI-000239 - The IIS 8.5 websites must utilize ports, protocols, and services according to PPSM guidelines. | DISA IIS 8.5 Site v2r9 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SI-000246 - Cookies exchanged between the IIS 8.5 website and the client must use SSL/TLS, have cookie properties set to prohibit client-side scripts from reading the cookie data and must not be compressed. | DISA IIS 8.5 Site v2r9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| SHPT-00-000531 - SharePoint sites must not use NTLM - SharePoint sites must not use NTLM. | DISA STIG SharePoint 2010 v1r9 | Windows | IDENTIFICATION AND AUTHENTICATION |
| SP13-00-000060 - SharePoint must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds - maxConnections | DISA STIG SharePoint 2013 v2r3 | Windows | CONFIGURATION MANAGEMENT |
| WA000-WI092 IIS6 - The IIS web site permissions 'Write' or 'Script Source' must not be selected. - 'Write permission check' | DISA STIG IIS 6.0 Site Checklist v6r16 | Windows | ACCESS CONTROL |
