| 1.2 Ensure 'host headers' are on all sites | CIS IIS 8.0 v1.5.1 Level 1 | Windows | CONFIGURATION MANAGEMENT |
| 1.2 Ensure 'host headers' are on all sites | CIS IIS 7 L1 v1.8.0 | Windows | CONFIGURATION MANAGEMENT |
| 2.1 Ensure 'global authorization rule' is set to restrict access | CIS IIS 10 v1.2.1 Level 1 | Windows | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.24 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2.30 Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only) - IIS_IUSRS | CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 MS | Windows | ACCESS CONTROL |
| 2.2.36 Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' | CIS Microsoft Windows 8.1 v2.4.1 L1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 4.2 Ensure 'maxURL request filter' is configured - Applications | CIS IIS 10 v1.2.1 Level 2 | Windows | SYSTEM AND SERVICES ACQUISITION |
| 4.2 Ensure 'maxURL request filter' is configured - Default | CIS IIS 10 v1.2.1 Level 2 | Windows | SYSTEM AND SERVICES ACQUISITION |
| 4.4 Ensure http server is not running | CIS Apple OSX 10.11 El Capitan L1 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Ensure http server is not running | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Ensure http server is not running | CIS Apple OSX 10.9 L1 v1.3.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Ensure http server is not running | CIS Apple macOS 10.12 L1 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.8 Ensure Handler is not granted Write and Script/Execute - Applications | CIS IIS 7 L1 v1.8.0 | Windows | ACCESS CONTROL |
| 4.8 Ensure Handler is not granted Write and Script/Execute - Default | CIS IIS 7 L1 v1.8.0 | Windows | ACCESS CONTROL |
| 4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Conccurent Requests | CIS IIS 7 L1 v1.8.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Request Rate | CIS IIS 7 L1 v1.8.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Not Logging Only Mode | CIS IIS 7 L1 v1.8.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.3 Ensure 'ETW Logging' is enabled | CIS IIS 10 v1.2.1 Level 1 | Windows | AUDIT AND ACCOUNTABILITY |
| 5.3 Ensure 'ETW Logging' is enabled - Sites logFormat W3C with ETW target | CIS IIS 10 v1.2.1 Level 1 | Windows | AUDIT AND ACCOUNTABILITY |
| 89.18 (L1) Ensure 'Impersonate Client' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | CIS Microsoft Intune for Windows 10 v4.0.0 L1 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| AS24-U2-000240 - The Apache web server must not perform user management for hosted applications. | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware | Unix | CONFIGURATION MANAGEMENT |
| AS24-W1-000240 - The Apache web server must not perform user management for hosted applications. | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | CONFIGURATION MANAGEMENT |
| CIS_VMware_ESXi_7.0_v1.5.0_L2.audit from CIS VMware ESXi 7.0 Benchmark v1.5.0 | CIS VMware ESXi 7.0 v1.5.0 L2 Bare Metal | Unix | |
| DISA_STIG_MSSQL_2012_Instance-OS_v1r20.audit from DISA Microsoft SQL Server Instance 2012 v1r20 STIG | DISA STIG SQL Server 2012 Database OS Audit v1r20 | Windows | |
| EX16-ED-000570 - Exchange must render hyperlinks from email sources from non-.mil domains as unclickable. | DISA Microsoft Exchange 2016 Edge Transport Server STIG v2r5 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| GEN000100 - The operating system must be a supported release. | DISA STIG Solaris 10 X86 v2r4 | Unix | CONFIGURATION MANAGEMENT |
| GEN002860 - Audit logs must be rotated daily. | DISA STIG for Oracle Linux 5 v2r1 | Unix | CONFIGURATION MANAGEMENT |
| GEN002860 - Audit logs must be rotated daily. | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit | Unix | CONFIGURATION MANAGEMENT |
| IIST-SI-000215 - Mappings to unused and vulnerable scripts on the IIS 10.0 website must be removed. | DISA IIS 10.0 Site v2r11 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled. | DISA IIS 10.0 Server v2r10 | Windows | AUDIT AND ACCOUNTABILITY |
| IIST-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled. | DISA IIS 10.0 Server v3r3 | Windows | AUDIT AND ACCOUNTABILITY |
| IIST-SV-000148 - The IIS 10.0 web server must not be running on a system providing any other role. | DISA IIS 10.0 Server v2r10 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000148 - The IIS 10.0 web server must not be running on a system providing any other role. | DISA IIS 10.0 Server v3r3 | Windows | CONFIGURATION MANAGEMENT |
| IIST-SV-000200 - The IIS 10.0 websites MaxConnections setting must be configured to limit the number of allowed simultaneous session requests. | DISA IIS 10.0 Server v3r3 | Windows | ACCESS CONTROL |
| IIST-SV-000200 - The IIS 10.0 websites MaxConnections setting must be configured to limit the number of allowed simultaneous session requests. | DISA IIS 10.0 Server v2r10 | Windows | ACCESS CONTROL |
| IISW-SI-000215 - Mappings to unused and vulnerable scripts on the IIS 8.5 website must be removed. | DISA IIS 8.5 Site v2r9 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 8.5 web server must be enabled. | DISA IIS 8.5 Server v2r7 | Windows | AUDIT AND ACCOUNTABILITY |
| IISW-SV-000148 - The IIS 8.5 web server must not be running on a system providing any other role. | DISA IIS 8.5 Server v2r7 | Windows | CONFIGURATION MANAGEMENT |
| IISW-SV-000200 - The IIS 8.5 MaxConnections setting must be configured to limit the number of allowed simultaneous session requests. | DISA IIS 8.5 Server v2r7 | Windows | ACCESS CONTROL |
| SP13-00-000125 - SharePoint must implement an information system isolation boundary that minimizes the number of nonsecurity functions included within the boundary containing security functions. | DISA STIG SharePoint 2013 v2r4 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| SP13-00-000135 - SharePoint must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission, unless the transmitted data is otherwise protected by alternative physical measures. | DISA STIG SharePoint 2013 v2r4 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCSA-70-000089 - The vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WA000-WI050 IIS6 - Unused and vulnerable script mappings in IIS 6 must be removed. - 'Index Server Web Interface Disallowed' | DISA STIG IIS 6.0 Site Checklist v6r16 | Windows | CONFIGURATION MANAGEMENT |
| WA000-WI6010 IIS6 - The web site must have a unique application pool. | DISA STIG IIS 6.0 Site Checklist v6r16 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG130 IIS6 - Programs and features not necessary for operations must be removed. | DISA STIG IIS 6.0 Server v6r16 | Windows | CONFIGURATION MANAGEMENT |
| WG130 W22 - All utility programs, not necessary for operations, must be removed or disabled. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WG260 A22 - Only web sites that have been fully reviewed and tested must exist on a production web server. | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | |
| WG260 A22 - Only web sites that have been fully reviewed and tested must exist on a production web server. | DISA STIG Apache Site 2.2 Unix v1r11 Middleware | Unix | |
| WG260 W22 - Only web sites that have been fully reviewed and tested must exist on a production web server. | DISA STIG Apache Site 2.2 Windows v1r13 | Windows | |
| WG520 W22 - Web server and/or operating system information must be protected. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
