| 1.2 Ensure 'Host headers' are on all sites | CIS IIS 10 v1.2.1 Level 1 | Windows | SYSTEM AND SERVICES ACQUISITION |
| 3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Applications | CIS IIS 10 v1.2.1 Level 1 | Windows | SYSTEM AND SERVICES ACQUISITION |
| 4.1 Ensure 'maxAllowedContentLength' is configured | CIS IIS 8.0 v1.5.1 Level 2 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 4.1 Ensure 'maxAllowedContentLength' is configured - Applications | CIS IIS 7 L2 v1.8.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 4.1 Ensure 'maxAllowedContentLength' is configured - Default | CIS IIS 7 L2 v1.8.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 4.2 Ensure 'maxURL request filter' is configured - Applications | CIS IIS 7 L2 v1.8.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 4.2 Ensure 'maxURL request filter' is configured - Default | CIS IIS 7 L2 v1.8.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' | CIS Microsoft Windows 10 Enterprise v3.0.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' | CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL | Windows | CONFIGURATION MANAGEMENT |
| 5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' | CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL + NG | Windows | CONFIGURATION MANAGEMENT |
| 5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker | Windows | CONFIGURATION MANAGEMENT |
| 5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' | CIS Microsoft Windows 11 Stand-alone v3.0.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' | CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 NG | Windows | CONFIGURATION MANAGEMENT |
| 5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' | CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' | CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' | CIS Microsoft Windows 11 Enterprise v3.0.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' | CIS Microsoft Windows 11 Enterprise v3.0.0 L1 + BL | Windows | CONFIGURATION MANAGEMENT |
| 5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' | CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + NG | Windows | CONFIGURATION MANAGEMENT |
| EX19-MB-000007 - Exchange must use encryption for Outlook Web App (OWA) access. | DISA Microsoft Exchange 2019 Mailbox Server STIG v2r2 | Windows | ACCESS CONTROL |
| HTTP TRACE method should be disabled. 'RewriteCond' | TNS IBM HTTP Server Best Practice Middleware | Unix | CONFIGURATION MANAGEMENT |
| HTTP TRACE method should be disabled. 'RewriteEngine' | TNS IBM HTTP Server Best Practice Middleware | Unix | CONFIGURATION MANAGEMENT |
| HTTP TRACE method should be disabled. 'RewriteLog' | TNS IBM HTTP Server Best Practice | Unix | CONFIGURATION MANAGEMENT |
| HTTP TRACE method should be disabled. 'RewriteLog' | TNS IBM HTTP Server Best Practice Middleware | Unix | CONFIGURATION MANAGEMENT |
| HTTP TRACE method should be disabled. 'RewriteLog' | TNS IBM HTTP Server Best Practice | Windows | AUDIT AND ACCOUNTABILITY |
| HTTP TRACE method should be disabled. 'RewriteLogLevel' | TNS IBM HTTP Server Best Practice | Unix | CONFIGURATION MANAGEMENT |
| HTTP TRACE method should be disabled. 'RewriteLogLevel' | TNS IBM HTTP Server Best Practice Middleware | Unix | CONFIGURATION MANAGEMENT |
| HTTP TRACE method should be disabled. 'TraceEnable' | TNS IBM HTTP Server Best Practice Middleware | Unix | CONFIGURATION MANAGEMENT |
| IIST-SI-000215 - Mappings to unused and vulnerable scripts on the IIS 10.0 website must be removed. | DISA IIS 10.0 Site v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SI-000221 - Anonymous IIS 10.0 website access accounts must be restricted. | DISA IIS 10.0 Site v2r10 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000251 - The IIS 10.0 website must have a unique application pool. | DISA IIS 10.0 Site v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SI-000252 - The maximum number of requests an application pool can process for each IIS 10.0 website must be explicitly set. | DISA IIS 10.0 Site v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SI-000255 - The application pool for each IIS 10.0 website must have a recycle time explicitly set. | DISA IIS 10.0 Site v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SI-000258 - The application pools rapid fail protection for each IIS 10.0 website must be enabled. | DISA IIS 10.0 Site v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SI-000261 - Interactive scripts on the IIS 10.0 web server must be located in unique and designated folders. | DISA IIS 10.0 Site v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SI-000262 - Interactive scripts on the IIS 10.0 web server must have restrictive access controls. | DISA IIS 10.0 Site v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SI-000263 - Backup interactive scripts on the IIS 10.0 server must be removed. | DISA IIS 10.0 Site v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SI-000264 - The required DoD banner page must be displayed to authenticated users accessing a DoD private website. | DISA IIS 10.0 Site v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000137 - The production IIS 10.0 web server must utilize SHA2 encryption for the Machine Key. | DISA IIS 10.0 Server v2r10 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SV-000137 - The production IIS 10.0 web server must utilize SHA2 encryption for the Machine Key. | DISA IIS 10.0 Server v3r2 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000215 - Mappings to unused and vulnerable scripts on the IIS 8.5 website must be removed. | DISA IIS 8.5 Site v2r9 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SI-000221 - Anonymous IIS 8.5 website access accounts must be restricted. | DISA IIS 8.5 Site v2r9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IISW-SI-000251 - The IIS 8.5 website must have a unique application pool. | DISA IIS 8.5 Site v2r9 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SI-000252 - The maximum number of requests an application pool can process for each IIS 8.5 website must be explicitly set. | DISA IIS 8.5 Site v2r9 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SI-000255 - The application pool for each IIS 8.5 website must have a recycle time explicitly set. | DISA IIS 8.5 Site v2r9 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SI-000256 - The maximum queue length for HTTP.sys for each IIS 8.5 website must be explicitly configured. | DISA IIS 8.5 Site v2r9 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SI-000257 - The application pools pinging monitor for each IIS 8.5 website must be enabled. | DISA IIS 8.5 Site v2r9 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SI-000259 - The application pools rapid fail protection settings for each IIS 8.5 website must be managed. | DISA IIS 8.5 Site v2r9 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SI-000261 - Interactive scripts on the IIS 8.5 web server must be located in unique and designated folders. | DISA IIS 8.5 Site v2r9 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SI-000262 - Interactive scripts on the IIS 8.5 web server must have restrictive access controls. | DISA IIS 8.5 Site v2r9 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SI-009999 - The version of IIS running on the system must be a supported version. | DISA IIS 8.5 Site v2r9 | Windows | SYSTEM AND INFORMATION INTEGRITY |
