CIS IIS 10 v1.1.1 Level 1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS IIS 10 v1.1.1 Level 1

Updated: 4/12/2023

Authority: Operating Systems and Applications

Plugin: Windows

Revision: 1.15

Estimated Item Count: 61

Audit Items

Description | Categories
1.1 Ensure web content is on non-system partition
1.2 Ensure 'host headers' are on all sites
1.3 Ensure 'directory browsing' is set to disabled
1.4 Ensure 'application pool identity' is configured for all application pools
1.5 Ensure 'unique application pools' is set for sites
1.6 Ensure 'application pool identity' is configured for anonymous user identity
1.7 Ensure WebDav feature is disabled
2.1 Ensure 'global authorization rule' is set to restrict access
2.2 Ensure access to sensitive site features is restricted to authenticated principals only
2.3 Ensure 'forms authentication' require SSL - Applications
2.3 Ensure 'forms authentication' require SSL - Default
2.5 Ensure 'cookie protection mode' is configured for forms authentication - Applications
2.5 Ensure 'cookie protection mode' is configured for forms authentication - Default
2.6 Ensure transport layer security for 'basic authentication' is configured
2.7 Ensure 'passwordFormat' is not set to clear - Applications
2.7 Ensure 'passwordFormat' is not set to clear - Default
3.1 Ensure 'deployment method retail' is set
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Applications
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Default
3.7 Ensure 'cookies' are set with HttpOnly attribute - Applications
3.7 Ensure 'cookies' are set with HttpOnly attribute - Default
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured - Applications
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured - Default
3.10 Ensure global .NET trust level is configured - Applications
3.10 Ensure global .NET trust level is configured - Default
4.5 Ensure Double-Encoded requests will be rejected - Applications
4.5 Ensure Double-Encoded requests will be rejected - Default
4.6 Ensure 'HTTP Trace Method' is disabled - Applications
4.6 Ensure 'HTTP Trace Method' is disabled - Default
4.7 Ensure Unlisted File Extensions are not allowed - Applications
4.7 Ensure Unlisted File Extensions are not allowed - Default
4.8 Ensure Handler is not granted Write and Script/Execute - Applications
4.8 Ensure Handler is not granted Write and Script/Execute - Default
4.9 Ensure 'notListedIsapisAllowed' is set to false
4.10 Ensure 'notListedCgisAllowed' is set to false
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Concurrent Requests
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - maxConcurrentRequests
5.1 Ensure Default IIS web log location is moved
5.2 Ensure Advanced IIS logging is enabled
5.3 Ensure 'ETW Logging' is enabled
5.3 Ensure 'ETW Logging' is enabled - Sites logFormat W3C
5.3 Ensure 'ETW Logging' is enabled - Sites logFormat W3C with ETW target
6.1 Ensure FTP requests are encrypted - Control Channel Default
6.1 Ensure FTP requests are encrypted - Control Channel Sites
6.1 Ensure FTP requests are encrypted - Data Channel Default
6.1 Ensure FTP requests are encrypted - Data Channel Sites
6.2 Ensure FTP Logon attempt restrictions is enabled
7.2 Ensure SSLv2 is Disabled
7.3 Ensure SSLv3 is Disabled
7.4 Ensure TLS 1.0 is Disabled