CIS IIS 8.0 v1.5.0 Level 1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS IIS 8.0 v1.5.0 Level 1

Updated: 10/17/2023

Authority: CIS

Plugin: Windows

Revision: 1.16

Estimated Item Count: 78

File Details

Filename: CIS_v1.5.0_MS_IIS_8_Level_1.audit

Size: 163 kB

MD5: eab9762cca4a32c45900b7b198e6bdc8
SHA256: 5c108a65d8c708088946d034cf3054c42bff98466d4dd31321608b934cb16932

Audit Items

Description
1.1 Ensure Web Content Is on Non-System Partition
1.2 Ensure 'host headers' are on all sites
1.3 Ensure 'directory browsing' is set to disabled
1.4 Ensure 'application pool identity' is configured for all application pools
1.5 Ensure 'unique application pools' is set for sites
1.6 Ensure 'application pool identity' is configured for anonymous user identity
2.1 Ensure 'global authorization rule' is set to restrict access
2.2 Ensure Access to Sensitive Site Features Is Restricted To Authenticated Principals Only - Applications
2.2 Ensure Access to Sensitive Site Features Is Restricted To Authenticated Principals Only - Default
2.3 Ensure 'forms authentication' require SSL - Applications
2.3 Ensure 'forms authentication' require SSL - Default
2.3 Ensure 'forms authentication' require SSL - Not Enabled
2.5 Ensure 'cookie protection mode' is configured for forms authentication - Applications
2.5 Ensure 'cookie protection mode' is configured for forms authentication - Default
2.5 Ensure 'cookie protection mode' is configured for forms authentication - Not Enabled
2.6 Ensure transport layer security for 'basic authentication' is configured
2.7 Ensure 'passwordFormat' is not set to clear
2.7 Ensure 'passwordFormat' is not set to clear - Applications
2.7 Ensure 'passwordFormat' is not set to clear - Default
3.1 Ensure 'deployment method retail' is set
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Applications
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Default
3.8 Configure MachineKey Validation Method - .Net 3.5 - Applications
3.8 Configure MachineKey Validation Method - .Net 3.5 - Default
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured - Applications
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured - Default
3.10 Ensure global .NET trust level is configured
3.10 Ensure global .NET trust level is configured - Applications
3.10 Ensure global .NET trust level is configured - Default
4.5 Ensure Double-Encoded Requests will be Rejected - Applications
4.5 Ensure Double-Encoded Requests will be Rejected - Default
4.6 Ensure 'HTTP Trace Method' is disabled - Applications
4.6 Ensure 'HTTP Trace Method' is disabled - Default
4.7 Ensure Unlisted File Extensions are not allowed - Applications
4.7 Ensure Unlisted File Extensions are not allowed - Default
4.8 Ensure Handler is not granted Write and Script/Execute - Applications
4.8 Ensure Handler is not granted Write and Script/Execute - Default
4.9 Ensure 'notListedIsapisAllowed' is set to false
4.10 Ensure 'notListedCgisAllowed' is set to false
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Concurrent Requests
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Request Rate
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Not Logging Only Mode
5.1 Ensure Default IIS web log location is moved
5.2 Ensure Advanced IIS logging is enabled
5.3 Ensure 'ETW Logging' is enabled
5.3 Ensure 'ETW Logging' is enabled - Default ETW
5.3 Ensure 'ETW Logging' is enabled - Default W3C
5.3 Ensure 'ETW Logging' is enabled - Sites logFormat W3C