IIST-SV-000142 - The IIS 10.0 web server must restrict inbound connections from non-secure zones.


Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions.

A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as non-secure zones. Non-secure zones are defined as any IP, subnet, or region defined as a threat to the organization. The non-secure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from non-secure zones through internal web server access lists, the web server can stop or slow denial of service (DoS) attacks on the web server.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Under 'Management', double-click 'Management Service'.

Stop the Web Management Service under the 'Actions' pane.

Configure only known, secure IP ranges as 'Allow'.

Select 'Apply' in 'Actions' pane.

Restart the Web Management Service under the 'Actions' pane.

See Also


Item Details


References: 800-53|AC-17(1), CAT|II, CCI|CCI-002314, Rule-ID|SV-218812r561041_rule, STIG-ID|IIST-SV-000142, STIG-Legacy|SV-109263, STIG-Legacy|V-100159, Vuln-ID|V-218812

Plugin: Windows

Control ID: edbef602006ec2f663ef290d390d1aca97ce79a904cd21389ada0d9cb7cb9ae0