IIST-SV-000141 - Remote access to the IIS 10.0 web server must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.
Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Ensure the web server administration is only performed over a secure path.