Detections
Analytics

CIS IIS 10 v1.2.1 Level 1

Audit Details

Name: CIS IIS 10 v1.2.1 Level 1

Updated: 5/13/2025

Authority: CIS

Plugin: Windows

Revision: 1.5

Estimated Item Count: 61

File Details

Filename: CIS_MS_IIS_10_v1.2.1_Level_1.audit

Size: 274 kB

MD5: ca589b3954d6495e0cc31c18a7290e48
SHA256: d8e9d612535c41381ebe7e691e9d7c5f192cb65e89ce8bf58a80674e0f34a397

Audit Items

DescriptionCategories
1.1 Ensure 'Web content' is on non-system partition

ACCESS CONTROL

1.2 Ensure 'Host headers' are on all sites

SYSTEM AND SERVICES ACQUISITION

1.3 Ensure 'Directory browsing' is set to Disabled

CONFIGURATION MANAGEMENT

1.4 Ensure 'application pool identity' is configured for all application pools

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.5 Ensure 'unique application pools' is set for sites

ACCESS CONTROL

1.6 Ensure 'application pool identity' is configured for anonymous user identity

ACCESS CONTROL

1.7 Ensure' WebDav' feature is disabled

CONFIGURATION MANAGEMENT, PLANNING, SYSTEM AND SERVICES ACQUISITION

2.1 Ensure 'global authorization rule' is set to restrict access

ACCESS CONTROL, MEDIA PROTECTION

2.2 Ensure access to sensitive site features is restricted to authenticated principals only

ACCESS CONTROL

2.3 Ensure 'forms authentication' require SSL - Applications

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.3 Ensure 'forms authentication' require SSL - Default

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.5 Ensure 'cookie protection mode' is configured for forms authentication - Applications

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.5 Ensure 'cookie protection mode' is configured for forms authentication - Default

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Ensure transport layer security for 'basic authentication' is configured

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.7 Ensure 'passwordFormat' is not set to clear - Applications

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.7 Ensure 'passwordFormat' is not set to clear - Default

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.1 Ensure 'deployment method retail' is set

SYSTEM AND SERVICES ACQUISITION

3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Applications

SYSTEM AND SERVICES ACQUISITION

3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Default

SYSTEM AND SERVICES ACQUISITION

3.7 Ensure 'cookies' are set with HttpOnly attribute - Applications

SYSTEM AND SERVICES ACQUISITION

3.7 Ensure 'cookies' are set with HttpOnly attribute - Default

SYSTEM AND SERVICES ACQUISITION

3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured - Applications

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured - Default

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.10 Ensure global .NET trust level is configured - Applications

ACCESS CONTROL, MEDIA PROTECTION

3.10 Ensure global .NET trust level is configured - Default

ACCESS CONTROL, MEDIA PROTECTION

4.5 Ensure Double-Encoded requests will be rejected - Applications

SYSTEM AND INFORMATION INTEGRITY

4.5 Ensure Double-Encoded requests will be rejected - Default

SYSTEM AND INFORMATION INTEGRITY

4.6 Ensure 'HTTP Trace Method' is disabled - Applications

SYSTEM AND SERVICES ACQUISITION

4.6 Ensure 'HTTP Trace Method' is disabled - Default

SYSTEM AND SERVICES ACQUISITION

4.7 Ensure Unlisted File Extensions are not allowed - Applications

SYSTEM AND SERVICES ACQUISITION

4.7 Ensure Unlisted File Extensions are not allowed - Default

SYSTEM AND SERVICES ACQUISITION

4.8 Ensure Handler is not granted Write and Script/Execute - Applications

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

4.8 Ensure Handler is not granted Write and Script/Execute - Default

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

4.9 Ensure 'notListedIsapisAllowed' is set to false

SYSTEM AND SERVICES ACQUISITION

4.10 Ensure 'notListedCgisAllowed' is set to false

SYSTEM AND SERVICES ACQUISITION

4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Concurrent Requests

SYSTEM AND COMMUNICATIONS PROTECTION

4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - maxConcurrentRequests

SYSTEM AND COMMUNICATIONS PROTECTION

5.1 Ensure Default IIS web log location is moved

AUDIT AND ACCOUNTABILITY

5.2 Ensure Advanced IIS logging is enabled

AUDIT AND ACCOUNTABILITY

5.3 Ensure 'ETW Logging' is enabled

AUDIT AND ACCOUNTABILITY

5.3 Ensure 'ETW Logging' is enabled - Sites logFormat W3C

AUDIT AND ACCOUNTABILITY

5.3 Ensure 'ETW Logging' is enabled - Sites logFormat W3C with ETW target

AUDIT AND ACCOUNTABILITY

6.1 Ensure FTP requests are encrypted - Control Channel Default

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.1 Ensure FTP requests are encrypted - Control Channel Sites

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.1 Ensure FTP requests are encrypted - Data Channel Default

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.1 Ensure FTP requests are encrypted - Data Channel Sites

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.2 Ensure FTP Logon attempt restrictions is enabled

SYSTEM AND INFORMATION INTEGRITY

7.2 Ensure SSLv2 is Disabled

SYSTEM AND COMMUNICATIONS PROTECTION

7.3 Ensure SSLv3 is Disabled

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.4 Ensure TLS 1.0 is Disabled

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION