DISA_IIS_10.0_Web_Server_v2r5.audit from DISA Microsoft IIS 10.0 Server v2r5 STIG

IIST-SV-000100 - The IIS 10.0 web server remote authors or content providers must only use secure encrypted logons and connections to upload web server content.

CAT|II

CCI|CCI-001453

Rule-ID|SV-218784r561041_rule

STIG-ID|IIST-SV-000100

STIG-Legacy|SV-109207

STIG-Legacy|V-100103

Vuln-ID|V-218784

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Date

CCI|CCI-000130

CCI|CCI-000131

CCI|CCI-000132

CCI|CCI-000133

CCI|CCI-001462

CCI|CCI-001464

Rule-ID|SV-218785r561041_rule

STIG-ID|IIST-SV-000102

STIG-Legacy|SV-109209

STIG-Legacy|V-100105

Vuln-ID|V-218785

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field IP

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Method

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Query

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Referer

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Status

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Time

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field User

IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Format W3C

IIST-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled.

CCI|CCI-000139

CCI|CCI-001851

Rule-ID|SV-218786r561041_rule

STIG-ID|IIST-SV-000103

STIG-Legacy|SV-109211

STIG-Legacy|V-100107

Vuln-ID|V-218786

IIST-SV-000109 - An IIS 10.0 web server behind a load balancer or proxy server must produce log records containing the source client IP and destination information.

Rule-ID|SV-218787r561041_rule

STIG-ID|IIST-SV-000109

STIG-Legacy|SV-109213

STIG-Legacy|V-100109

Vuln-ID|V-218787

IIST-SV-000110 - The IIS 10.0 web server must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 10.0 web server events - Connection

CCI|CCI-000134

Rule-ID|SV-218788r561041_rule

STIG-ID|IIST-SV-000110

STIG-Legacy|SV-109215

STIG-Legacy|V-100111

Vuln-ID|V-218788

IIST-SV-000110 - The IIS 10.0 web server must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 10.0 web server events - Warning

IIST-SV-000111 - The IIS 10.0 web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Custom Authorization

CCI|CCI-001487

Rule-ID|SV-218789r561041_rule

STIG-ID|IIST-SV-000111

STIG-Legacy|SV-109217

STIG-Legacy|V-100113

Vuln-ID|V-218789

IIST-SV-000111 - The IIS 10.0 web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Custom Content-Type

IIST-SV-000111 - The IIS 10.0 web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - Referer

IIST-SV-000111 - The IIS 10.0 web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - User Name

IIST-SV-000111 - The IIS 10.0 web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event - UserAgent

IIST-SV-000115 - The log information from the IIS 10.0 web server must be protected from unauthorized modification or deletion.

CCI|CCI-000164

Rule-ID|SV-218790r561041_rule

STIG-ID|IIST-SV-000115

STIG-Legacy|SV-109219

STIG-Legacy|V-100115

Vuln-ID|V-218790

IIST-SV-000116 - The log data and records from the IIS 10.0 web server must be backed up onto a different system or media.

CCI|CCI-001348

Rule-ID|SV-218791r561041_rule

STIG-ID|IIST-SV-000116

STIG-Legacy|SV-109221

STIG-Legacy|V-100117

Vuln-ID|V-218791

IIST-SV-000117 - The IIS 10.0 web server must not perform user management for hosted applications.

CCI|CCI-000381

Rule-ID|SV-218792r561041_rule

STIG-ID|IIST-SV-000117

STIG-Legacy|SV-109223

STIG-Legacy|V-100119

Vuln-ID|V-218792

IIST-SV-000118 - The IIS 10.0 web server must only contain functions necessary for operation.

Rule-ID|SV-218793r561041_rule

STIG-ID|IIST-SV-000118

STIG-Legacy|SV-109225

STIG-Legacy|V-100121

Vuln-ID|V-218793

IIST-SV-000119 - The IIS 10.0 web server must not be both a website server and a proxy server.

Rule-ID|SV-218794r561041_rule

STIG-ID|IIST-SV-000119

STIG-Legacy|SV-109227

STIG-Legacy|V-100123

Vuln-ID|V-218794

IIST-SV-000120 - All IIS 10.0 web server sample code, example applications, and tutorials must be removed from a production IIS 10.0 server.

CAT|I

Rule-ID|SV-218795r561041_rule

STIG-ID|IIST-SV-000120

STIG-Legacy|SV-109229

STIG-Legacy|V-100125

Vuln-ID|V-218795

IIST-SV-000123 - The IIS 10.0 web server must be reviewed on a regular basis to remove any Operating System features, utility programs, plug-ins, and modules not necessary for operation.

Rule-ID|SV-218797r561041_rule

STIG-ID|IIST-SV-000123

STIG-Legacy|SV-109233

STIG-Legacy|V-100129

Vuln-ID|V-218797

IIST-SV-000124 - The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - bat

Rule-ID|SV-218798r561041_rule

STIG-ID|IIST-SV-000124

STIG-Legacy|SV-109235

STIG-Legacy|V-100131

Vuln-ID|V-218798

IIST-SV-000124 - The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - com

IIST-SV-000124 - The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - csh

IIST-SV-000124 - The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - dll

IIST-SV-000124 - The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled - exe

IIST-SV-000125 - The IIS 10.0 web server must have Web Distributed Authoring and Versioning (WebDAV) disabled.

Rule-ID|SV-218799r561041_rule

STIG-ID|IIST-SV-000125

STIG-Legacy|SV-109237

STIG-Legacy|V-100133

Vuln-ID|V-218799

IIST-SV-000129 - The IIS 10.0 web server must perform RFC 5280-compliant certification path validation.

CCI|CCI-000185

Rule-ID|SV-218800r561041_rule

STIG-ID|IIST-SV-000129

STIG-Legacy|SV-109239

STIG-Legacy|V-100135

Vuln-ID|V-218800

IIST-SV-000130 - Java software installed on a production IIS 10.0 web server must be limited to .class files and the Java Virtual Machine.

CCI|CCI-001166

Rule-ID|SV-218801r561041_rule

STIG-ID|IIST-SV-000130

STIG-Legacy|SV-109241

STIG-Legacy|V-100137

Vuln-ID|V-218801

IIST-SV-000131 - IIS 10.0 Web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.

CCI|CCI-001082

Rule-ID|SV-218802r561041_rule

STIG-ID|IIST-SV-000131

STIG-Legacy|SV-109243

STIG-Legacy|V-100139

Vuln-ID|V-218802

IIST-SV-000132 - The IIS 10.0 web server must separate the hosted applications from hosted web server management functionality.

Rule-ID|SV-218803r561041_rule

STIG-ID|IIST-SV-000132

STIG-Legacy|SV-109245

STIG-Legacy|V-100141

Vuln-ID|V-218803

IIST-SV-000134 - The IIS 10.0 web server must use cookies to track session state.

CCI|CCI-001664

Rule-ID|SV-218804r561041_rule

STIG-ID|IIST-SV-000134

STIG-Legacy|SV-109247

STIG-Legacy|V-100143

Vuln-ID|V-218804

IIST-SV-000135 - The IIS 10.0 web server must accept only system-generated session identifiers - sessionState

Rule-ID|SV-218805r561041_rule

STIG-ID|IIST-SV-000135

STIG-Legacy|SV-109249

STIG-Legacy|V-100145

Vuln-ID|V-218805

IIST-SV-000135 - The IIS 10.0 web server must accept only system-generated session identifiers - timeout

IIST-SV-000136 - The IIS 10.0 web server must augment re-creation to a stable and known baseline.

CCI|CCI-001190

Rule-ID|SV-218806r561041_rule

STIG-ID|IIST-SV-000136

STIG-Legacy|SV-109251

STIG-Legacy|V-100147

Vuln-ID|V-218806

IIST-SV-000137 - The production IIS 10.0 web server must utilize SHA2 encryption for the Machine Key - Encryption Method

CCI|CCI-001199

Rule-ID|SV-218807r561041_rule

STIG-ID|IIST-SV-000137

STIG-Legacy|SV-109253

STIG-Legacy|V-100149

Vuln-ID|V-218807

IIST-SV-000137 - The production IIS 10.0 web server must utilize SHA2 encryption for the Machine Key - Validation Method

IIST-SV-000138 - Directory Browsing on the IIS 10.0 web server must be disabled.

CCI|CCI-001310

Rule-ID|SV-218808r561041_rule

STIG-ID|IIST-SV-000138

STIG-Legacy|SV-109255

STIG-Legacy|V-100151

Vuln-ID|V-218808

IIST-SV-000139 - The IIS 10.0 web server Indexing must only index web content.

CCI|CCI-001312

Rule-ID|SV-218809r561041_rule

STIG-ID|IIST-SV-000139

STIG-Legacy|SV-109257

STIG-Legacy|V-100153

Vuln-ID|V-218809

IIST-SV-000140 - Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 web server, patches, loaded modules, and directory paths.

Rule-ID|SV-218810r561041_rule

STIG-ID|IIST-SV-000140

STIG-Legacy|SV-109259

STIG-Legacy|V-100155

Vuln-ID|V-218810

IIST-SV-000141 - Remote access to the IIS 10.0 web server must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.

Detections

Analytics

Revision 1.1

Aug 11, 2022

Functional Update

Removed