CIS IIS 10 v1.1.1 Level 1

Audit Details

Name: CIS IIS 10 v1.1.1 Level 1

Updated: 4/25/2022

Authority: CIS

Plugin: Windows

Revision: 1.10

Estimated Item Count: 61

File Details

Filename: CIS_v1.1.1_MS_IIS_10_Level_1.audit

Size: 205 kB

MD5: aa35d6cecb214f876da91f29f0cf07bc
SHA256: bd09d99707f6ffb82f7b6e69bf713791fc74fd6be7f8ba9136715706677459e5

Audit Items

Description / Categories
1.1 Ensure web content is on non-system partition

ACCESS CONTROL

1.2 Ensure 'host headers' are on all sites

SYSTEM AND SERVICES ACQUISITION

1.3 Ensure 'directory browsing' is set to disabled

SYSTEM AND SERVICES ACQUISITION

1.4 Ensure 'application pool identity' is configured for all application pools

SYSTEM AND SERVICES ACQUISITION

1.5 Ensure 'unique application pools' is set for sites

ACCESS CONTROL

1.6 Ensure 'application pool identity' is configured for anonymous user identity

ACCESS CONTROL

1.7 Ensure WebDav feature is disabled

SYSTEM AND INFORMATION INTEGRITY

2.1 Ensure 'global authorization rule' is set to restrict access

SYSTEM AND SERVICES ACQUISITION

2.2 Ensure access to sensitive site features is restricted to authenticated principals only

ACCESS CONTROL

2.3 Ensure 'forms authentication' require SSL - Applications

SYSTEM AND COMMUNICATIONS PROTECTION

2.3 Ensure 'forms authentication' require SSL - Default

SYSTEM AND COMMUNICATIONS PROTECTION

2.5 Ensure 'cookie protection mode' is configured for forms authentication - Applications

SYSTEM AND SERVICES ACQUISITION

2.5 Ensure 'cookie protection mode' is configured for forms authentication - Default

SYSTEM AND SERVICES ACQUISITION

2.6 Ensure transport layer security for 'basic authentication' is configured

SYSTEM AND COMMUNICATIONS PROTECTION

2.7 Ensure 'passwordFormat' is not set to clear - Applications

IDENTIFICATION AND AUTHENTICATION

2.7 Ensure 'passwordFormat' is not set to clear - Default

IDENTIFICATION AND AUTHENTICATION

3.1 Ensure 'deployment method retail' is set

SYSTEM AND SERVICES ACQUISITION

3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Applications

SYSTEM AND SERVICES ACQUISITION

3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Default

SYSTEM AND SERVICES ACQUISITION

3.7 Ensure 'cookies' are set with HttpOnly attribute - Applications

SYSTEM AND SERVICES ACQUISITION

3.7 Ensure 'cookies' are set with HttpOnly attribute - Default

SYSTEM AND SERVICES ACQUISITION

3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured - Applications

SYSTEM AND COMMUNICATIONS PROTECTION

3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured - Default

SYSTEM AND COMMUNICATIONS PROTECTION

3.10 Ensure global .NET trust level is configured - Applications

ACCESS CONTROL

3.10 Ensure global .NET trust level is configured - Default

ACCESS CONTROL

4.5 Ensure Double-Encoded requests will be rejected - Applications

SYSTEM AND SERVICES ACQUISITION

4.5 Ensure Double-Encoded requests will be rejected - Default

SYSTEM AND SERVICES ACQUISITION

4.6 Ensure 'HTTP Trace Method' is disabled - Applications

SYSTEM AND SERVICES ACQUISITION

4.6 Ensure 'HTTP Trace Method' is disabled - Default

SYSTEM AND SERVICES ACQUISITION

4.7 Ensure Unlisted File Extensions are not allowed - Applications

SYSTEM AND SERVICES ACQUISITION

4.7 Ensure Unlisted File Extensions are not allowed - Default

SYSTEM AND SERVICES ACQUISITION

4.8 Ensure Handler is not granted Write and Script/Execute - Applications

SYSTEM AND SERVICES ACQUISITION

4.8 Ensure Handler is not granted Write and Script/Execute - Default

SYSTEM AND SERVICES ACQUISITION

4.9 Ensure 'notListedIsapisAllowed' is set to false

SYSTEM AND SERVICES ACQUISITION

4.10 Ensure 'notListedCgisAllowed' is set to false

SYSTEM AND SERVICES ACQUISITION

4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Concurrent Requests

SYSTEM AND COMMUNICATIONS PROTECTION

4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - maxConcurrentRequests

SYSTEM AND COMMUNICATIONS PROTECTION

5.1 Ensure Default IIS web log location is moved

AUDIT AND ACCOUNTABILITY

5.2 Ensure Advanced IIS logging is enabled

AUDIT AND ACCOUNTABILITY

5.3 Ensure 'ETW Logging' is enabled

AUDIT AND ACCOUNTABILITY

5.3 Ensure 'ETW Logging' is enabled - Sites logFormat W3C

AUDIT AND ACCOUNTABILITY

5.3 Ensure 'ETW Logging' is enabled - Sites logFormat W3C with ETW target

AUDIT AND ACCOUNTABILITY

6.1 Ensure FTP requests are encrypted - Control Channel Default

SYSTEM AND COMMUNICATIONS PROTECTION

6.1 Ensure FTP requests are encrypted - Control Channel Sites

SYSTEM AND COMMUNICATIONS PROTECTION

6.1 Ensure FTP requests are encrypted - Data Channel Default

SYSTEM AND COMMUNICATIONS PROTECTION

6.1 Ensure FTP requests are encrypted - Data Channel Sites

SYSTEM AND COMMUNICATIONS PROTECTION

6.2 Ensure FTP Logon attempt restrictions is enabled

CONFIGURATION MANAGEMENT

7.2 Ensure SSLv2 is Disabled

SYSTEM AND COMMUNICATIONS PROTECTION

7.3 Ensure SSLv3 is Disabled

SYSTEM AND COMMUNICATIONS PROTECTION

7.4 Ensure TLS 1.0 is Disabled

SYSTEM AND COMMUNICATIONS PROTECTION