| DISA_STIG_IIS_10.0_Web_Server_v2r10.audit from DISA Microsoft IIS 10.0 Server v2r10 STIG | DISA IIS 10.0 Server v2r10 | Windows | |
| DISA_STIG_IIS_10.0_Web_Server_v3r6.audit from DISA Microsoft IIS 10.0 Server v3r6 STIG | DISA IIS 10.0 Server v3r6 | Windows | |
| IIST-SI-000203 - A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections. | DISA IIS 10.0 Site v2r14 | Windows | ACCESS CONTROL |
| IIST-SI-000204 - A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required. | DISA IIS 10.0 Site v2r14 | Windows | ACCESS CONTROL |
| IIST-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled. | DISA IIS 10.0 Site v2r14 | Windows | AUDIT AND ACCOUNTABILITY |
| IIST-SI-000210 - The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | DISA IIS 10.0 Site v2r14 | Windows | AUDIT AND ACCOUNTABILITY |
| IIST-SI-000214 - The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled. | DISA IIS 10.0 Site v2r14 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SI-000215 - Mappings to unused and vulnerable scripts on the IIS 10.0 website must be removed. | DISA IIS 10.0 Site v2r14 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SI-000216 - The IIS 10.0 website must have resource mappings set to disable the serving of certain file types. | DISA IIS 10.0 Site v2r14 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SI-000220 - A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity. | DISA IIS 10.0 Site v2r14 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000223 - The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced. | DISA IIS 10.0 Site v2r14 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000224 - The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files. | DISA IIS 10.0 Site v2r14 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000226 - The IIS 10.0 website must be configured to limit the size of web requests. | DISA IIS 10.0 Site v2r14 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000228 - Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website. | DISA IIS 10.0 Site v2r14 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000229 - Double encoded URL requests must be prohibited by any IIS 10.0 website. | DISA IIS 10.0 Site v2r14 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000230 - Unlisted file extensions in URL requests must be filtered by any IIS 10.0 website. | DISA IIS 10.0 Site v2r14 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SI-000231 - Directory Browsing on the IIS 10.0 website must be disabled. | DISA IIS 10.0 Site v2r14 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| IIST-SI-000234 - Debugging and trace information used to diagnose the IIS 10.0 website must be disabled. | DISA IIS 10.0 Site v2r14 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| IIST-SI-000237 - The IIS 10.0 website must provide the capability to immediately disconnect or disable remote access to the hosted applications. | DISA IIS 10.0 Site v2r14 | Windows | ACCESS CONTROL |
| IIST-SI-000239 - The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines. | DISA IIS 10.0 Site v2r14 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events. | DISA IIS 10.0 Server v2r10 | Windows | AUDIT AND ACCOUNTABILITY |
| IIST-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled. | DISA IIS 10.0 Server v3r6 | Windows | AUDIT AND ACCOUNTABILITY |
| IIST-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled. | DISA IIS 10.0 Server v2r10 | Windows | AUDIT AND ACCOUNTABILITY |
| IIST-SV-000117 - The IIS 10.0 web server must not perform user management for hosted applications. | DISA IIS 10.0 Server v3r6 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000117 - The IIS 10.0 web server must not perform user management for hosted applications. | DISA IIS 10.0 Server v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000118 - The IIS 10.0 web server must only contain functions necessary for operation. | DISA IIS 10.0 Server v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000118 - The IIS 10.0 web server must only contain functions necessary for operation. | DISA IIS 10.0 Server v3r6 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000125 - The IIS 10.0 web server must have Web Distributed Authoring and Versioning (WebDAV) disabled. | DISA IIS 10.0 Server v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000125 - The IIS 10.0 web server must have Web Distributed Authoring and Versioning (WebDAV) disabled. | DISA IIS 10.0 Server v3r6 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000129 - The IIS 10.0 web server must perform RFC 5280-compliant certification path validation. | DISA IIS 10.0 Server v2r10 | Windows | IDENTIFICATION AND AUTHENTICATION |
| IIST-SV-000134 - The IIS 10.0 web server must use cookies to track session state. | DISA IIS 10.0 Server v2r10 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SV-000134 - The IIS 10.0 web server must use cookies to track session state. | DISA IIS 10.0 Server v3r6 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SV-000135 - The IIS 10.0 web server must accept only system-generated session identifiers. | DISA IIS 10.0 Server v3r6 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SV-000135 - The IIS 10.0 web server must accept only system-generated session identifiers. | DISA IIS 10.0 Server v2r10 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SV-000137 - The production IIS 10.0 web server must utilize SHA2 encryption for the Machine Key. | DISA IIS 10.0 Server v3r6 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SV-000137 - The production IIS 10.0 web server must utilize SHA2 encryption for the Machine Key. | DISA IIS 10.0 Server v2r10 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SV-000138 - Directory Browsing on the IIS 10.0 web server must be disabled. | DISA IIS 10.0 Server v2r10 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| IIST-SV-000138 - Directory Browsing on the IIS 10.0 web server must be disabled. | DISA IIS 10.0 Server v3r6 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| IIST-SV-000142 - The IIS 10.0 web server must restrict inbound connections from non-secure zones. | DISA IIS 10.0 Server v3r6 | Windows | ACCESS CONTROL |
| IIST-SV-000142 - The IIS 10.0 web server must restrict inbound connections from non-secure zones. | DISA IIS 10.0 Server v2r10 | Windows | ACCESS CONTROL |
| IIST-SV-000143 - The IIS 10.0 web server must provide the capability to immediately disconnect or disable remote access to the hosted applications. | DISA IIS 10.0 Server v2r10 | Windows | ACCESS CONTROL |
| IIST-SV-000143 - The IIS 10.0 web server must provide the capability to immediately disconnect or disable remote access to the hosted applications. | DISA IIS 10.0 Server v3r6 | Windows | ACCESS CONTROL |
| IIST-SV-000152 - IIS 10.0 web server session IDs must be sent to the client using TLS. | DISA IIS 10.0 Server v3r6 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SV-000152 - IIS 10.0 web server session IDs must be sent to the client using TLS. | DISA IIS 10.0 Server v2r10 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SV-000158 - Unspecified file extensions on a production IIS 10.0 web server must be removed. | DISA IIS 10.0 Server v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000158 - Unspecified file extensions on a production IIS 10.0 web server must be removed. | DISA IIS 10.0 Server v3r6 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000159 - The IIS 10.0 web server must have a global authorization rule configured to restrict access. | DISA IIS 10.0 Server v3r6 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000159 - The IIS 10.0 web server must have a global authorization rule configured to restrict access. | DISA IIS 10.0 Server v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000200 - The IIS 10.0 websites MaxConnections setting must be configured to limit the number of allowed simultaneous session requests. | DISA IIS 10.0 Server v2r10 | Windows | ACCESS CONTROL |
| IIST-SV-000200 - The IIS 10.0 websites MaxConnections setting must be configured to limit the number of allowed simultaneous session requests. | DISA IIS 10.0 Server v3r6 | Windows | ACCESS CONTROL |
