DISA STIG IIS 6.0 Site Checklist v6r16

Audit Details

Name: DISA STIG IIS 6.0 Site Checklist v6r16

Updated: 4/25/2022

Authority: DISA STIG

Plugin: Windows

Revision: 1.9

Estimated Item Count: 89

File Details

Filename: DISA_IIS_6.0_Web_Site_V6R16.audit

Size: 193 kB

MD5: 05f84e96baabd6c1afa5841032daa8e3
SHA256: 836eda369987d62784a0e346140674d9f0433a1bf05fa81ee4decd0e6b4c1f30

Audit Items

Description

Categories
WA000-WI030 IIS6 - The IUSR_machinename account must not have read access to the .inc files or their equivalent. - '.asa'

ACCESS CONTROL

WA000-WI030 IIS6 - The IUSR_machinename account must not have read access to the .inc files or their equivalent. - '.asax'

ACCESS CONTROL

WA000-WI030 IIS6 - The IUSR_machinename account must not have read access to the .inc files or their equivalent. - '.inc file permissions'

ACCESS CONTROL

WA000-WI030 IIS6 - The IUSR_machinename account must not have read access to the .inc files or their equivalent. - '.inc'

ACCESS CONTROL

WA000-WI030 IIS6 - The IUSR_machinename account must not have read access to the .inc files or their equivalent. - 'global.asa'

ACCESS CONTROL

WA000-WI030 IIS6 - The IUSR_machinename account must not have read access to the .inc files or their equivalent. - 'global.asax'

ACCESS CONTROL

WA000-WI050 IIS6 - Unused and vulnerable script mappings in IIS 6 must be removed. - '.bat mappings'

CONFIGURATION MANAGEMENT

WA000-WI050 IIS6 - Unused and vulnerable script mappings in IIS 6 must be removed. - '.cmd mappings'

CONFIGURATION MANAGEMENT

WA000-WI050 IIS6 - Unused and vulnerable script mappings in IIS 6 must be removed. - '.HTR scripting Disallowed'

CONFIGURATION MANAGEMENT

WA000-WI050 IIS6 - Unused and vulnerable script mappings in IIS 6 must be removed. - 'Allowed Web Service Extensions'

CONFIGURATION MANAGEMENT

WA000-WI050 IIS6 - Unused and vulnerable script mappings in IIS 6 must be removed. - 'Index Server Web Interface Disallowed'

CONFIGURATION MANAGEMENT

WA000-WI050 IIS6 - Unused and vulnerable script mappings in IIS 6 must be removed. - 'Internet Data Connector Disallowed'

CONFIGURATION MANAGEMENT

WA000-WI050 IIS6 - Unused and vulnerable script mappings in IIS 6 must be removed. - 'Server Side Includes Disallowed'

CONFIGURATION MANAGEMENT

WA000-WI070 IIS6 - Indexing Services must only index web content.

CONFIGURATION MANAGEMENT

WA000-WI090 IIS6 - Directory browsing must be disabled.

CONFIGURATION MANAGEMENT

WA000-WI092 IIS6 - The IIS web site permissions 'Write' or 'Script Source' must not be selected. - 'Script Source permission check'

ACCESS CONTROL

WA000-WI092 IIS6 - The IIS web site permissions 'Write' or 'Script Source' must not be selected. - 'Write permission check'

ACCESS CONTROL

WA000-WI120 IIS6 - The Content Location header must not contain proprietary IP addresses.

CONFIGURATION MANAGEMENT

WA000-WI6010 IIS6 - The web site must have a unique application pool.

SYSTEM AND COMMUNICATIONS PROTECTION

WA000-WI6020 IIS6 - The Recycle Worker processes in minutes monitor must be set properly.

CONFIGURATION MANAGEMENT

WA000-WI6022 IIS6 - The maximum number of requests an application pool can process must be set.

CONFIGURATION MANAGEMENT

WA000-WI6024 IIS6 - The maximum virtual memory monitor must be enabled.

CONFIGURATION MANAGEMENT

WA000-WI6026 IIS6 - The maximum used memory monitor must be enabled.

CONFIGURATION MANAGEMENT

WA000-WI6028 IIS6 - The Shutdown worker processes Idle Timeout monitor must be enabled.

CONFIGURATION MANAGEMENT

WA000-WI6030 IIS6 - The Limit the kernel request queue monitor must be enabled

CONFIGURATION MANAGEMENT

WA000-WI6032 IIS6 - The Enable pinging monitor must be enabled. - 'PingingEnabled set to True'

CONFIGURATION MANAGEMENT

WA000-WI6032 IIS6 - The Enable pinging monitor must be enabled. - 'PingInterval set to 30 or more'

CONFIGURATION MANAGEMENT

WA000-WI6034 IIS6 - The Enable rapid-fail protection monitor must be enabled.

CONFIGURATION MANAGEMENT

WA000-WI6036 IIS6 - The Enable rapid-fail time period monitor must be enabled.

CONFIGURATION MANAGEMENT

WA000-WI6040 IIS6 - A unique non-privileged account must be used to run Worker Process Identities. - 'AppPoolIdentityType = 3 - WAMUserName'

ACCESS CONTROL

WA000-WI6040 IIS6 - A unique non-privileged account must be used to run Worker Process Identities. - 'AppPoolIdentityType Check'

ACCESS CONTROL

WA000-WI6098 IIS6 - The MaxRequestEntityAllowed metabase value must be defined. - 'IisWebDirectorySetting'

SYSTEM AND COMMUNICATIONS PROTECTION

WA000-WI6098 IIS6 - The MaxRequestEntityAllowed metabase value must be defined. - 'IisWebFileSetting'

SYSTEM AND COMMUNICATIONS PROTECTION

WA000-WI6098 IIS6 - The MaxRequestEntityAllowed metabase value must be defined. - 'IisWebServerSetting'

SYSTEM AND COMMUNICATIONS PROTECTION

WA000-WI6098 IIS6 - The MaxRequestEntityAllowed metabase value must be defined. - 'IisWebServiceSetting'

SYSTEM AND COMMUNICATIONS PROTECTION

WA000-WI6098 IIS6 - The MaxRequestEntityAllowed metabase value must be defined. - 'IisWebVirtualDirSetting'

SYSTEM AND COMMUNICATIONS PROTECTION

WG110 IIS6 - Web sites must limit the number of simultaneous requests.

ACCESS CONTROL

WG140 IIS6 - A private web sites authentication mechanism must use client certificates. - 'AccessSSL Enabled'

SYSTEM AND COMMUNICATIONS PROTECTION

WG140 IIS6 - A private web sites authentication mechanism must use client certificates. - 'AccessSSLRequireCert Enabled'

SYSTEM AND COMMUNICATIONS PROTECTION

WG145 IIS6 - The private web server must use an approved DoD certificate validation process. - 'Check W3SVC CertCheckMode'

IDENTIFICATION AND AUTHENTICATION

WG145 IIS6 - The private web server must use an approved DoD certificate validation process. - 'Check W3SVC/WEBSITES CertCheckMode'

WG170 IIS6 - Each readable web document directory must contain a default, home, index or equivalent file. - 'DefaultDoc'

CONFIGURATION MANAGEMENT

WG170 IIS6 - Each readable web document directory must contain a default, home, index or equivalent file. - 'EnableDefaultDoc set to True'

CONFIGURATION MANAGEMENT

WG205 IIS6 - The web document (home) directory must be on a separate partition from the web servers system files.

CONFIGURATION MANAGEMENT

WG210 IIS6 - Web content directories must not be anonymously shared.

CONFIGURATION MANAGEMENT

WG235 IIS6 - Web Administrators must secure encrypted connections for Document Root directory uploads.

WG240 IIS6 - Logs of web server access and errors must be established and maintained.

WG242 IIS6 - Log file data must contain required data elements. - 'Logging Enabled'

AUDIT AND ACCOUNTABILITY

WG242 IIS6 - Log file data must contain required data elements. - 'Logging Properties Set Correctly'

AUDIT AND ACCOUNTABILITY

WG250 IIS6 - Users other than Auditors group must not have greater than read access to log files.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT