IIS 7.0 Site STIG

  • Version/Release: V1R19
  • Published: 2019-12-12

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Web content directories must not be anonymously shared.
Medium - V-2226 - SV-32529r2_rule
  • Severity: Medium
  • Version: WG210 IIS7
  • Vuln IDs: V-2226
  • Rule IDs: SV-32529r2_rule
  • Responsibility: System Administrator, Web Administrator
Anonymously shared directories are exposed to unnecessary risk. Any unnecessary exposure increases the risk that an intruder could exploit this access and compromise the web content or cause web server performance problems.
Checks: C-32831r1_chk

1. Open the IIS Manager.
2. Click the site name under review.
3. Click Edit Permissions on the Actions Pane.
4. Click the Sharing tab.
5. If there are any anonymous shares under Network File and Folder sharing, this is a finding.

Fix: F-29056r1_fix

1. Open the IIS Manager.
2. Click the site name under review.
3. Click Edit Permissions on the Actions Pane.
4. Select the Sharing button.
5. Click Share and then click stop sharing.

All interactive programs must be placed in unique designated folders.
Medium - V-2228 - SV-32327r2_rule
  • Severity: Medium
  • Version: WG400 IIS7
  • Vuln IDs: V-2228
  • Rule IDs: SV-32327r2_rule
  • Responsibility: System Administrator, Web Administrator
CGI and ASP scripts represent one of the most common and exploitable means of compromising a web server. All CGI and ASP program files must be segregated into their own unique folder to simplify the protection of these files. ASP scripts must be placed into a unique folder containing only other ASP scripts. JAVA and other technology-specific scripts must also be placed into their own unique folders. Placing CGI, ASP, or equivalent scripts in special folders gives the Web Manager or the SA control over what goes into those folders and facilitates access control at the folder level.
Checks: C-32733r1_chk

Determine whether scripts are used on the web server for the target website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. If the web site does not utilize CGI or ASP, this finding is N/A. All interactive programs must be placed in unique designated folders based on CGI or ASP script type.
1. Open the IIS Manager.
2. Right-click on the Site name and select Explore.
3. Search for the listed script extensions.
4. Each script type must be in its unique designated folder.
If scripts are not segregated from web content and in their own unique folders, this is a finding.

Fix: F-29057r1_fix

All interactive programs must be placed in unique designated folders based on CGI or ASP script type.
1. Open the IIS Manager.
2. Right-click on the Site name and select Explore.
3. Search for the listed script extensions.
4. Move each script type to its unique designated folder.
5. Set the permissions on the scripts folders as follows:
   Administrators: FULL
   TrustedInstaller: FULL
   SYSTEM: FULL
   ApplicationPoolId: READ
   Custom Service Account: READ
   Users: READ

All interactive programs must have restrictive access controls.
Medium - V-2229 - SV-32326r2_rule
  • Severity: Medium
  • Version: WG410 IIS7
  • Vuln IDs: V-2229
  • Rule IDs: SV-32326r2_rule
  • Responsibility: Web Administrator
CGI is a programming standard for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does represent a CGI script, but CGI scripts may be written in a number of programming languages (e.g., PERL, C, PHP, and JavaScript), each having its own unique file extension. The use of CGI scripts represents one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network.
Checks: C-32732r1_chk

Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. If the web site does not utilize CGI, this finding is N/A. All interactive programs must have restrictive permissions.
1. Open the IIS Manager.
2. Right-click on the Site name and select Explore.
3. Search for the listed script extensions.
4. Verify the permissions on the CGI scripts are as follows:
   Administrators: FULL
   TrustedInstaller: FULL
   SYSTEM: FULL
   ApplicationPoolId: READ
   Custom Service Account: READ
   Users: READ
If the permissions are less restrictive than listed above, this is a finding.

Fix: F-29058r1_fix

All interactive programs must have restrictive permissions.
1. Open the IIS Manager.
2. Right-click on the Site name and select Explore.
3. Search for the listed script extensions.
4. Set the permissions on the CGI scripts as follows:
   Administrators: FULL
   TrustedInstaller: FULL
   SYSTEM: FULL
   ApplicationPoolId: READ
   Custom Service Account: READ
   Users: READ

Backup interactive scripts must be removed from the web site.
Low - V-2230 - SV-32630r3_rule
  • Severity: Low
  • Version: WG420 IIS7
  • Vuln IDs: V-2230
  • Rule IDs: SV-32630r3_rule
  • Responsibility: System Administrator, Web Administrator
Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as the actual script being executed and, as such, are useful to malicious users. Techniques and systems exist today to search web servers for such files and are able to exploit the information contained in them.
Checks: C-30361r2_chk

This check is limited to CGI/interactive content and not static HTML. Search the IIS Root and Site Directories for the following files: *.bak, *.old, *.temp, *.tmp, *.backup, or ‘copy of...’. If files with these extensions are found, this is a finding.

Fix: F-29059r1_fix

Remove the backup files from the production web site.

Web sites must limit the number of simultaneous requests.
Medium - V-2240 - SV-32323r6_rule
  • Severity: Medium
  • Version: WG110 IIS7
  • Vuln IDs: V-2240
  • Rule IDs: SV-32323r6_rule
  • Responsibility: Web Administrator
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web-site, facilitating a Denial of Service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive (i.e., a parameter used to limit the amount of time a connection may be inactive).
Checks: C-32730r4_chk

1. Open an administrator command prompt.
2. CD \Windows\system32\inetsrv
3. Enter the command: appcmd list config /section:system.applicationHost/sites > out.txt (opens output in Notepad).
4. Review the results and verify each website has a value greater than zero listed for the maxConnections parameter. If not, this is a finding. If nothing is listed, this is also a finding.

Fix: F-29195r6_fix

For the site under review, determine the maximum number of connections needed.
1. Open an administrator command prompt.
2. CD \Windows\system32\inetsrv
3. Enter the command: appcmd set config -section:system.applicationHost/sites "/[name='Default Web Site'].limits.maxConnections:X" /commit:apphost
   Note: Replace 'Default Web Site' with the name of the site under review and X with the maximum number of connections allowable.
4. Enter the command to verify the changes: appcmd list config -section:system.applicationHost/sites > out.txt (opens output in Notepad).
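The check above reviews appcmd output by hand. The following added example (not part of the STIG) performs the same V-2240 review by parsing applicationHost.config, the file appcmd reads, and accounts for the fact that a site without its own limits element inherits maxConnections from siteDefaults. It assumes PowerShell 3.0 or later and read access to the config file (or a copy taken from the server under review).

```powershell
# Added example (not part of the STIG): audits V-2240 by reading IIS's
# applicationHost.config directly instead of parsing appcmd output.
# Assumptions: PowerShell 3.0 or later, and read access to the config file
# (or point -ConfigPath at a copy taken from the server under review).
param(
    [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
)

[xml]$config = Get-Content -Path $ConfigPath -Raw
$sitesNode = $config.configuration.'system.applicationHost'.sites

# A site with no <limits maxConnections="..."> of its own inherits the value
# from <siteDefaults>; the STIG requires a value greater than zero per site.
$defaultLimit = ''
if ($sitesNode.siteDefaults -and $sitesNode.siteDefaults.limits) {
    $defaultLimit = $sitesNode.siteDefaults.limits.GetAttribute('maxConnections')
}

function Get-SiteLimitReport {
    param($Site, [string]$Inherited)
    $own = ''
    if ($Site.limits) { $own = $Site.limits.GetAttribute('maxConnections') }

    if ($own -ne '')           { $effective = $own;       $source = 'site' }
    elseif ($Inherited -ne '') { $effective = $Inherited; $source = 'siteDefaults' }
    else                       { $effective = '';         $source = 'not set' }

    $value = [uint32]0
    $numeric = [uint32]::TryParse($effective, [ref]$value)
    [pscustomobject]@{
        Site           = $Site.GetAttribute('name')
        MaxConnections = $effective
        Source         = $source
        # Finding when nothing is listed or the value is not greater than zero.
        Finding        = (-not $numeric) -or ($value -eq 0)
        # 4294967295 is the IIS default and is effectively unlimited; it passes
        # the literal check but deserves a second look by the reviewer.
        Unlimited      = $numeric -and ($value -eq [uint32]::MaxValue)
    }
}

$report = foreach ($site in @($sitesNode.site)) {
    Get-SiteLimitReport -Site $site -Inherited $defaultLimit
}

$report | Format-Table -AutoSize
# A non-zero exit code lets a scheduled compliance job fail on any finding.
if (@($report | Where-Object { $_.Finding }).Count -gt 0) { exit 1 }
exit 0
```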

Each readable web document directory must contain a default, home, index, or equivalent document.
Low - V-2245 - SV-32324r2_rule
  • Severity: Low
  • Version: WG170 IIS7
  • Vuln IDs: V-2245
  • Rule IDs: SV-32324r2_rule
  • Responsibility: Web Administrator
The goal is to control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor in accomplishing this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. This practice helps ensure the anonymous web user will not obtain directory browsing information or an error message revealing the server type and version.
Checks: C-32731r1_chk

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click Default Document.
4. In the Actions Pane, verify the Default Document feature is enabled. If not, this is a finding.
5. Review the document types.
6. Click the Content View tab and ensure there is a document of that type in the directory. If not, this is a finding.

Fix: F-29061r1_fix

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click Default Document.
4. In the Actions Pane, select Enable.
5. Click the Content View tab and ensure there is a document of that type in the directory.

Web server/site administration must be performed over a secure path.
High - V-2249 - SV-32329r3_rule
  • Severity: High
  • Version: WG230 IIS7
  • Vuln IDs: V-2249
  • Rule IDs: SV-32329r3_rule
  • Responsibility: System Administrator
Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account information, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used. An alternative to remote administration of the web server is to perform web server administration locally at the console. Local administration at the console implies physical access to the server.
Checks: C-32735r2_chk

If web administration is performed at the console, this check is NA. If web administration is performed remotely, the following checks apply:
  • If administration of the server is performed remotely, it will only be performed securely by system administrators.
  • If web site administration or web application administration has been delegated, those users will be documented and approved by the ISSO.
  • Remote administration must be in compliance with any requirements contained within the Windows Server STIGs, and any applicable network STIGs.
  • Remote administration of any kind will be restricted to documented and authorized personnel.
  • All users performing remote administration must be authenticated.
  • All remote sessions will be encrypted and will utilize FIPS 140-2 approved protocols. FIPS 140-2 approved TLS versions include TLS V1.0 or greater.
Review with site management how remote administration, if applicable, is configured on the web site. If remote management meets the criteria listed above, this is not a finding. If remote management is utilized and does not meet the criteria listed above, this is a finding.

Fix: F-29062r2_fix

Ensure the web server administration is only performed over a secure path.

Web-site logging must be enabled.
Medium - V-2250 - SV-32636r2_rule
  • Severity: Medium
  • Version: WG240 IIS7
  • Vuln IDs: V-2250
  • Rule IDs: SV-32636r2_rule
  • Responsibility: System Administrator, Web Administrator
The access and error logs are a major tool for exploring web site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and the web manager with valuable information.
Checks: C-33496r1_chk

1. Open the IIS Manager.
2. Click the site name.
3. Double-click Logging.
4. Ensure logging is enabled. If logging is not enabled, this is a finding.

Fix: F-29196r1_fix

1. Open the IIS Manager.
2. Click the site name.
3. Double-click Logging.
4. Click the Enable option in the Actions Pane, then click Apply.

Only web sites that have been fully reviewed and tested will exist on a production web server.
Medium - V-2254 - SV-2254r3_rule
  • Severity: Medium
  • Version: WG260
  • Vuln IDs: V-2254
  • Rule IDs: SV-2254r3_rule
  • Responsibility: Web Administrator
In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files that reveal business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security risk that is totally avoidable.
Checks: C-29942r4_chk

Query the ISSO, the SA, and the web administrator to find out if development web sites are being housed on production web servers. Proposed questions:
  • Do you have development sites on your production web server?
  • What is your process to get development web sites / content posted to the production server?
  • Do you use under construction notices on production web pages?
The reviewer can also perform a manual check or navigate the web site via a browser to confirm the information provided by the web staff. Graphics or text which proclaim Under Construction or Under Development are frequently used to mark folders or directories in that status. If Under Construction or Under Development web content is discovered on the production web server, this is a finding.

Fix: F-26813r1_fix

The presence of portions of the web site that proclaim Under Construction or Under Development is a clear indication that a production web server is being used for development. The web administrator will ensure that all pages that are in development are not installed on a production web server.

Access to the web content and script directories must be restricted.
High - V-2258 - SV-32331r2_rule
  • Severity: High
  • Version: WG290 IIS7
  • Vuln IDs: V-2258
  • Rule IDs: SV-32331r2_rule
  • Responsibility: System Administrator, Web Administrator
Excessive permission for the anonymous web user account is a common fault contributing to the compromise of a web server. If this account is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.
Checks: C-32737r1_chk

1. Open the IIS Manager.
2. Click the site name under review.
3. In the Actions Pane, select Edit Permissions.
4. Select the Security tab.
5. Review the permissions for the accounts. If the IUSR or Everyone account permission is greater than read, this is a finding.

Fix: F-29064r1_fix

1. Open the IIS Manager.
2. Click the site name under review.
3. In the Actions Pane, select Edit Permissions.
4. Select the Security tab.
5. Set the permissions for the accounts IUSR and Everyone to read.
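Both this check (V-2258: IUSR and Everyone limited to read on web content) and the script folder permissions in V-2229 (non-administrative accounts limited to read) reduce to the same NTFS ACL review. The following added example (not STIG code) performs that review with Get-Acl and reports every allow entry that grants a watched account anything beyond read. The paths and the read-only account list are assumptions to adjust for the site under review; it assumes PowerShell 3.0 or later.

```powershell
# Added example (not STIG code): audits NTFS ACLs for V-2258 (IUSR and
# Everyone limited to read on web content) and V-2229 (non-administrative
# accounts limited to read on script folders). Paths and the account list
# are assumptions for the site under review; assumes PowerShell 3.0+.
param(
    [string[]]$Paths = @('C:\inetpub\wwwroot', 'C:\inetpub\wwwroot\cgi-bin'),
    # Accounts the STIG allows READ only. Matched as a bare name or as
    # DOMAIN\name, so 'IUSR' also matches 'NT AUTHORITY\IUSR'.
    [string[]]$ReadOnlyAccounts = @('IUSR', 'Everyone', 'Users')
)

# Bits that make up the "Read & execute" permission shown in the GUI.
$readMask = [int]([System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
                  [System.Security.AccessControl.FileSystemRights]::Synchronize)

function Test-AceExceedsRead {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    # Any allowed bit outside the read mask (Write, Delete, FullControl, ...) is excess.
    $rights = [int]$Ace.FileSystemRights
    return (($rights -band (-bnot $readMask)) -ne 0)
}

function Get-ReadOnlyViolations {
    param([string]$Path, [string[]]$Accounts)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        $watched = $Accounts | Where-Object { $identity -eq $_ -or $identity -like "*\$_" }
        if ($watched -and (Test-AceExceedsRead -Ace $ace)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$violations = foreach ($p in $Paths) {
    if (Test-Path -Path $p) { Get-ReadOnlyViolations -Path $p -Accounts $ReadOnlyAccounts }
    else { Write-Warning "Path not found, skipped: $p" }
}

if (@($violations).Count -gt 0) {
    $violations | Format-Table -AutoSize
    Write-Output 'FINDING: the accounts above hold more than read on web content.'
    exit 1
}
Write-Output 'No excess permissions found for the audited accounts.'
exit 0
```

Inherited entries are reported too, since an excess grant at the parent folder flows down to the content directories; the Inherited column tells the reviewer where the ACL has to be corrected.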

A web site must not contain a robots.txt file.
Medium - V-2260 - SV-32333r4_rule
  • Severity: Medium
  • Version: WG310 IIS7
  • Vuln IDs: V-2260
  • Rule IDs: SV-32333r4_rule
  • Responsibility: Web Administrator
Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In turn, these search engines make the content they obtain and catalog available to any public web user. To request that a well behaved search engine not crawl and catalog a site, the web site may contain a file called robots.txt. This file contains directories and files that the web server SA desires not be crawled or cataloged, but this file can also be used, by an attacker or poorly coded search engine, as a directory and file index to a site. This information may be used to reduce an attacker's time searching and traversing the web site to find files that might be relevant. If information on the web site needs to be protected from search engines and public view, other methods must be used.
Checks: C-32739r4_chk

1. Open the IIS Manager.
2. Click the site name under review.
3. Click the Content View tab.
4. If the robots.txt file exists, this is a finding.

Fix: F-29066r5_fix

1. Open the IIS Manager.
2. Click the site name under review.
3. Under the Actions pane, click Explore.
4. Delete the robots.txt file.
NOTE: If there is information on the web site that needs protection from search engines and public view, then other methods must be used to safeguard the data.

A private web server must utilize an approved TLS version.
Medium - V-2262 - SV-32334r5_rule
  • Severity: Medium
  • Version: WG340 IIS7
  • Vuln IDs: V-2262
  • Rule IDs: SV-32334r5_rule
  • Responsibility: Web Administrator
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled.
Checks: C-32740r8_chk

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the SSL Settings icon.
4. Ensure Require SSL and Require SSL 128-Bit are checked.
   Note: If the Require SSL 128-Bit setting is not visible, the setting can be viewed by clicking the site under review and then opening the Configuration Editor. In the section dropdown at the top of the Configuration Editor, switch to system.webServer/security/access. The value for sslFlags should be ssl128. If not, this is a finding.
5. If the site requires SSL and 128-bit encryption, then the version of SSL/TLS also needs to be verified. The following registry keys need to exist and be set to not allow anything lower than TLS. This is accomplished by ensuring the following value exists in each of the keys:
   Enabled REG_DWORD 0
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
   If these keys are not set to a DWORD value of 0, this is a finding. If the keys do not contain the value "Enabled", this is also a finding.
   The keys for TLS 1.0 do not require the "Enabled" value to be present, but if it is, it needs to be set to REG_DWORD 1 to enable TLS. If the "Enabled" value is present and set to 0, this is a finding.
6. TLS 1.1 and 1.2 are not supported in versions prior to IIS 7.5. If the version of IIS is prior to 7.5, the check for TLS 1.1 and 1.2 is NA. TLS 1.1 and 1.2 are not enabled by default, therefore the following registry keys must exist and contain the following values to enable TLS 1.1 and 1.2:
   DisabledByDefault REG_DWORD 0
   Enabled REG_DWORD 1
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
   If any of the registry keys for TLS 1.1 or TLS 1.2 are not present or are not set correctly, this is a finding.
NOTE: In some cases the web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the SSL certificate for the web sites may be installed on the content switch instead of the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. We do not want users to have the ability to bypass the content switch to access the web sites.

Fix: F-29067r5_fix

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the SSL Settings icon.
4. Click the Require SSL and Require SSL 128-Bit check boxes.
   Note: If the Require SSL 128-Bit setting is not visible, the setting can be set by clicking the site node and then opening the Configuration Editor. In the section dropdown at the top of the Configuration Editor, switch to system.webServer/security/access. Click the value beside sslFlags and select ssl128 in the dropdown list.
5. Set the version of SSL/TLS by creating and setting the following registry keys to not allow anything lower than TLS. Ensure the following value exists in each of the keys:
   Enabled REG_DWORD 0
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
   The keys for TLS 1.0 do not require the Enabled value to be present, but if it is, it needs to be set to REG_DWORD 1 to enable TLS.
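The registry portion of this check and fix (steps 5 and 6 above) is easy to get wrong by hand because each protocol has a Client and a Server key with different expected values. The following added example (not STIG code) audits every SCHANNEL key the STIG lists against the rule that applies to it and, with -Remediate, creates the Enabled = 0 values the fix describes for PCT 1.0, SSL 2.0 and SSL 3.0. Only the registry path and value names come from the STIG; the report layout and the switches are this example's own, and it assumes PowerShell 3.0 or later (an elevated session for -Remediate).

```powershell
# Added example (not STIG code): audits the SCHANNEL registry values that
# V-2262 lists (PCT 1.0 / SSL 2.0 / SSL 3.0 disabled, TLS 1.0 not disabled,
# TLS 1.1 / 1.2 enabled on IIS 7.5 and later). The table layout and the two
# switches are this example's own. Assumes PowerShell 3.0+ and, for
# -Remediate, an elevated session. -SkipTls11And12 covers IIS before 7.5.
param([switch]$Remediate, [switch]$SkipTls11And12)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$mustDisable = @('PCT 1.0', 'SSL 2.0', 'SSL 3.0')   # Enabled must exist and be 0
$mustEnable  = @('TLS 1.1', 'TLS 1.2')              # DisabledByDefault 0, Enabled 1
$mayEnable   = @('TLS 1.0')                          # Enabled optional, but not 0

function Get-RegDword {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-RegDword {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-Protocol {
    param([string]$Protocol, [string]$Side)
    $key     = Join-Path -Path $base -ChildPath "$Protocol\$Side"
    $enabled = Get-RegDword -Key $key -Name 'Enabled'
    $dbd     = Get-RegDword -Key $key -Name 'DisabledByDefault'

    if ($mustDisable -contains $Protocol) {
        # Missing key, missing value, or any value other than 0 is a finding.
        $finding = ($null -eq $enabled) -or ($enabled -ne 0)
        if ($finding -and $Remediate) {
            Set-RegDword -Key $key -Name 'Enabled' -Value 0
            $enabled = 0; $finding = $false
        }
    } elseif ($mustEnable -contains $Protocol) {
        # Both values must be present and set as the STIG lists them.
        $finding = ($enabled -ne 1) -or ($dbd -ne 0)
    } else {
        # TLS 1.0: the value need not exist, but if present it must be 1.
        $finding = ($null -ne $enabled) -and ($enabled -ne 1)
    }
    [pscustomobject]@{
        Protocol = $Protocol; Side = $Side
        Enabled = $enabled; DisabledByDefault = $dbd; Finding = $finding
    }
}

$protocols = $mustDisable + $mayEnable
if (-not $SkipTls11And12) { $protocols += $mustEnable }

$results = foreach ($proto in $protocols) {
    foreach ($side in 'Client', 'Server') { Test-Protocol -Protocol $proto -Side $side }
}
$results | Format-Table -AutoSize
if (@($results | Where-Object { $_.Finding }).Count -gt 0) { exit 1 }
exit 0
```

SCHANNEL reads these values at startup, so a remediated server needs a reboot before a re-check reflects the change.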

A private web server must have a valid server certificate.
Medium - V-2263 - SV-32531r2_rule
  • Severity: Medium
  • Version: WG350 IIS7
  • Vuln IDs: V-2263
  • Rule IDs: SV-32531r2_rule
  • Responsibility: Web Administrator
This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.
Checks: C-33498r1_chk

1. Open the IIS Manager.
2. Click on the Server name.
3. Double-click the Server Certificates icon.
4. Double-click each certificate and verify the certificate path is to a DoD root CA. If not, this is a finding.

Fix: F-29200r1_fix

1. Open the IIS Manager.
2. Click on the Server name.
3. Double-click the Server Certificates icon.
4. Import a valid DoD certificate and remove any non-DoD certificates.

Unapproved script mappings in IIS 7 must be removed.
High - V-2267 - SV-32335r4_rule
  • Severity: High
  • Version: WA000-WI050 IIS7
  • Vuln IDs: V-2267
  • Rule IDs: SV-32335r4_rule
  • Responsibility: Web Administrator
IIS 7 will either allow or deny script execution based on file extension. Script execution is controlled through two features in IIS 7, Request Filtering and Handler Mappings. For Handler Mappings, the ISSO must document and approve all file extensions the web site allows (white list) and denies (black list). The white list and black list will be compared to the Handler Mappings in IIS 7. Handler Mappings at the site level take precedence over Handler Mappings at the server level.
Checks: C-32741r2_chk

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click on Handler Mappings.
If any file extensions on the black list are configured with a Handler Mapping, this is a finding.

Fix: F-28820r2_fix

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click on Handler Mappings.
4. Remove any file extensions which are listed on the black list and for which a Handler Mapping has been configured.

The web document (home) directory must be in a separate partition from the web server's system files.
Medium - V-3333 - SV-32378r3_rule
  • Severity: Medium
  • Version: WG205 IIS7
  • Vuln IDs: V-3333
  • Rule IDs: SV-32378r3_rule
  • Responsibility: System Administrator, Web Administrator
The web document (home) directory is accessed by multiple anonymous users when the web server is in production. By locating the web document (home) directory on the same partition as the web server system files, the risk of unauthorized access to these protected files is increased. Additionally, having the web document (home) directory path on the same drive as the system folders also increases the potential for a drive space exhaustion attack.
Checks: C-32768r2_chk

1. Open the IIS Manager.
2. Click the site name under review.
3. Click Advanced Settings in the Actions Pane.
4. Review the Physical Path. If the Path is on the same partition as the OS, this is a finding.
Note: If the ISSO has accepted the risk of not configuring this setting due to hosted application operability issues or failures, this is not a finding.

Fix: F-29069r1_fix

1. Open the IIS Manager.
2. Click the site name under review.
3. Click Advanced Settings in the Actions Pane.
4. Change the Physical Path to the new partition and directory location.

Indexing Services must only index web content.
Low - V-3963 - SV-32379r2_rule
  • Severity: Low
  • Version: WA000-WI070 IIS7
  • Vuln IDs: V-3963
  • Rule IDs: SV-32379r2_rule
  • Responsibility: System Administrator, Web Administrator
The indexing service can be used to facilitate a search function for web-sites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only.
Checks: C-32769r1_chk

1. Start regedit.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs\.
3. If this key exists, indexing is enabled; if the key does not exist, this check is N/A.
4. Review the Catalogs keys to determine if directories other than web document directories are being indexed. If so, this is a finding.

Fix: F-29020r1_fix

1. Run MMC.
2. Add the Indexing Service snap-in.
3. Edit the indexed directories to only include web document directories.

The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
Low - V-6373 - SV-32642r3_rule
  • Severity: Low
  • Version: WG265 IIS7
  • Vuln IDs: V-6373
  • Rule IDs: SV-32642r3_rule
  • Responsibility: Web Administrator
A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html) or navigation to the website via a browser can be used to confirm the information provided from interviewing the web staff.
Checks: C-33497r3_chk

The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. If a banner is required, the following banner page must be in place:
“You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.”
OR
If your system cannot meet the character limits to store this amount of text in the banner, the following is another option for the warning banner: "I've read & consent to terms in IS user agreem't."
NOTE: While DoDI 8500.01 does not contain a copy of the banner to be used, it does point to the RMF Knowledge Service for a copy of the required text. It is also noted that the banner is to be displayed only once when the individual enters the site and not for each page.
If the access-controlled website does not display this banner page before entry, this is a finding.

Fix: F-29197r2_fix

Configure a DoD private website to display the required DoD banner page when authentication is required for user access.

A private web-site's authentication mechanism must use client certificates.
Medium - V-6531 - SV-32380r4_rule
  • Severity: Medium
  • Version: WG140 IIS7
  • Vuln IDs: V-6531
  • Rule IDs: SV-32380r4_rule
  • Responsibility: Web Administrator
A DoD private web-site must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private web-sites.
Checks: C-32933r3_chk

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the SSL Settings icon.
4. Ensure Client Certificates: Require is selected. If not, this is a finding.
NOTE: If the site has operational reasons to leave Client Certificates: Require unselected, this vulnerability can be documented locally by the ISSM/ISSO.

Fix: F-28970r2_fix

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the SSL Settings icon.
4. Select the Client Certificates: Require option.

a
All web-sites must be assigned a default Host header.
Low - V-6724 - SV-32644r4_rule
RMF Control
Severity
Low
CCI
Version
WG520 IIS7
Vuln IDs
  • V-6724
Rule IDs
  • SV-32644r4_rule
To reduce the possibility of DNS rebinding attacks and IP-based scans, all web-sites allowing HTTP/HTTPS over ports 80/443 will be assigned default Host headers.
System Administrator, Web Administrator
Checks: C-32868r3_chk

1. Open the IIS Manager. 2. In the “Connections” pane, expand the “Sites” node in the tree. Select the site name under review. 3. In the “Actions” pane, select “Bindings”. 4. Each site should have a hostname entry (at a minimum) and specific IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. If not, this is a finding.

Fix: F-29019r2_fix

1. Open the IIS Manager. 2. In the “Connections” pane, expand the “Sites” node in the tree. Select the site name under review. 3. In the “Actions” pane, select “Bindings”. 4. In the “Site Bindings” dialog box, select the binding to add a host header and then click “Edit” or “Add”. 5. In the “Host” name box, type a host header for the site for both port 80 for HTTP and port 443 for HTTPS. 6. Click “OK”.

b
Directory Browsing must be disabled.
Medium - V-6755 - SV-32466r3_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI090 IIS7
Vuln IDs
  • V-6755
Rule IDs
  • SV-32466r3_rule
The Directory Browsing feature can be used to facilitate a directory traversal exploit. Directory browsing must be disabled.
Web Administrator
Checks: C-32785r3_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Click Directory browsing icon. 4. In the Actions Pane ensure Directory Browsing is disabled. If not, this is a finding.

Fix: F-28974r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Click Directory browsing icon. 4. Click Disable in the Actions Pane to disable Directory Browsing.

b
A private web-site must utilize certificates from a trusted DoD CA.
Medium - V-13620 - SV-32473r2_rule
RMF Control
Severity
Medium
CCI
Version
WG355 IIS7
Vuln IDs
  • V-13620
Rule IDs
  • SV-32473r2_rule
The use of a DoD PKI certificate assures clients that the private web site they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.
System Administrator, Information Assurance Officer, Web Administrator
Checks: C-32790r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Click Bindings in the Action Pane. 4. Click the HTTPS type from the box. 5. Click Edit. 6. Click View, review and verify the certificate path. If the list of CAs in the trust hierarchy does not lead to the DoD PKI Root CA, DoD-approved external certificate authority (ECA), or DoD-approved external partner, this is a finding. If HTTPS is not an available type under site bindings, this is a finding.

Fix: F-29071r1_fix

1. Open the IIS Manager. 2. Click the Server name. 3. Double-click Server Certificates. 4. Click Import under the Actions Pane. 5. Browse to the DoD certificate location, select it, and click OK. 6. Remove any non-DoD certificates if present. 7. Click on the site needing the certificate. 8. Select Bindings under the Actions Pane. 9. Click on the binding needing a certificate and select Edit, or add a site binding for HTTPS and execute step 10. 10. Assign the certificate to the web site by choosing it under the SSL Certificate drop-down and clicking OK.

c
Remote authors or content providers will only use secure encrypted logons and connections to upload files to the Document Root directory.
High - V-13686 - SV-14278r2_rule
RMF Control
Severity
High
CCI
Version
WG235
Vuln IDs
  • V-13686
Rule IDs
  • SV-14278r2_rule
Logging in to a web server via a telnet session or using HTTP or FTP in order to upload documents to the web site is a risk if proper encryption is not utilized to protect the data being transmitted. A secure shell service or HTTPS needs to be installed and in use for these purposes.
Web Administrator
Checks: C-30006r1_chk

Query the SA to determine if there is a process for the uploading of files to the web site. This process should include the requirement for the use of a secure encrypted logon and secure encrypted connection. If the remote users are uploading files without utilizing approved encryption methods, this is a finding.

Fix: F-26857r1_fix

Use only secure encrypted logons and connections for uploading files to the web site.

b
Log files must consist of the required data fields.
Medium - V-13688 - SV-32480r3_rule
RMF Control
Severity
Medium
CCI
Version
WG242 IIS7
Vuln IDs
  • V-13688
Rule IDs
  • SV-32480r3_rule
Log files are a critical component to the successful management of an IS used within the DoD. By generating log files with useful information, web administrators can leverage them in the event of a disaster, malicious attack, or other site-specific needs.
System Administrator, Web Administrator
Checks: C-32795r2_chk

Follow the procedures below for each site under review: 1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Under Format select W3C. 5. Click Select Fields, ensure at a minimum the following fields are checked: Date, Time, Client IP Address, User Name, Method, URI Query, Protocol Status, and Referrer. If logging is not enabled, this is a finding.

Fix: F-29074r1_fix

1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Under Format select W3C. 5. Select the following fields: Date, Time, Client IP Address, User Name, Method, URI Query, Protocol Status, and Referrer.

b
Access to the web-site log files must be restricted.
Medium - V-13689 - SV-46353r5_rule
RMF Control
Severity
Medium
CCI
Version
WG255 IIS7
Vuln IDs
  • V-13689
Rule IDs
  • SV-46353r5_rule
The access and error logs are a major tool for exploring web-site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Failure to protect log files could enable an attacker to modify the log file data or falsify events to mask an attacker's activity.
System Administrator, Web Administrator
Checks: C-32797r5_chk

Follow the procedures below for each site under review: 1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Beside Directory, Click Browse. 5. Right-click the log file name to review and click Properties. 6. Click the Security tab; ensure only authorized groups are listed, if others are listed, this is a finding.

Fix: F-28988r2_fix

1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Beside Directory, Click Browse. 5. Right-click the log file name to review and click Properties. 6. Click the Security tab. 7. Set the log file permissions for the appropriate group.

b
Public web servers must use TLS if authentication is required.
Medium - V-13694 - SV-32483r3_rule
RMF Control
Severity
Medium
CCI
Version
WG342 IIS7
Vuln IDs
  • V-13694
Rule IDs
  • SV-32483r3_rule
Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure. Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network. To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.
System Administrator, Web Administrator
Checks: C-32799r5_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the SSL icon. 4. Ensure Require SSL and Require 128-bit SSL are checked. Note: If the Require SSL 128-Bit setting is not visible, the setting can be viewed by clicking the site under review, opening the Configuration Editor, and selecting the section system.webServer/security/access from the drop-down at the top of the Configuration Editor. The value for sslFlags should be ssl128. If not, this is a finding.

If the site requires SSL and 128-bit encryption, the version of SSL\TLS also needs to be verified. The following registry keys need to exist and be set to not allow anything lower than TLS. This can be accomplished by ensuring the following value exists in each of the keys:

Enabled REG_DWORD 0

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

If these keys are not set to a DWORD value of 0, this is a finding. If the keys do not contain the value "Enabled", this is also a finding. The keys for TLS 1.0 do not require the "Enabled" value to be present, but if it is present, it needs to be set to REG_DWORD 1 to enable TLS. If the "Enabled" value is present and set to 0, this is a finding.

TLS 1.1 and 1.2 are not supported in versions prior to IIS 7.5. If the version of IIS is prior to 7.5, the check for TLS 1.1 and 1.2 is NA.

TLS 1.1 and 1.2 are not enabled by default; therefore the following registry keys must exist and contain the following values to enable TLS 1.1 and 1.2:

DisabledByDefault REG_DWORD 0
Enabled REG_DWORD 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

If any of the registry keys for TLS 1.1 or TLS 1.2 are not present or are not set correctly, this is a finding.

Fix: F-29075r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click SSL icon. 4. Check the Require SSL and Require 128-bit SSL check box.
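Checking six protocol keys on both the Client and Server side, plus the sslFlags of every site, is tedious by hand. The PowerShell below is an added example and not part of the STIG; it assumes the WebAdministration module (IIS 7.5 on Server 2008 R2; IIS 7.0 on Server 2008 loads the same cmdlets with Add-PSSnapin WebAdministration) and reads the installed IIS version from HKLM\SOFTWARE\Microsoft\InetStp to decide whether the TLS 1.1/1.2 part of the check applies.

```powershell
# Added example, not part of the STIG: audits the SCHANNEL protocol keys and the
# per-site sslFlags named in V-13694. Assumes the WebAdministration module (IIS 7.5;
# IIS 7.0 on Server 2008 uses Add-PSSnapin WebAdministration instead). Run elevated.
Import-Module WebAdministration

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Returns the REG_DWORD value, or $null when the key or the value does not exist.
function Get-SchannelValue($Protocol, $Side, $Name) {
    $item = Get-ItemProperty -Path "$Schannel\$Protocol\$Side" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-SchannelStig {
    $findings = @()
    foreach ($side in 'Client', 'Server') {
        # PCT 1.0, SSL 2.0 and SSL 3.0: "Enabled" must exist and be 0; a missing value is a finding.
        foreach ($p in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0') {
            $enabled = Get-SchannelValue $p $side 'Enabled'
            if ($null -eq $enabled) { $findings += "$p\$side has no Enabled value" }
            elseif ($enabled -ne 0) { $findings += "$p\$side Enabled=$enabled (must be 0)" }
        }
        # TLS 1.0: "Enabled" may be absent, but if present it must not be 0.
        $tls10 = Get-SchannelValue 'TLS 1.0' $side 'Enabled'
        if ($null -ne $tls10 -and $tls10 -eq 0) { $findings += "TLS 1.0\$side Enabled=0" }
    }

    # TLS 1.1 and 1.2 are NA before IIS 7.5; the IIS version is recorded under InetStp.
    $inetstp    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp'
    $iisVersion = [version]"$($inetstp.MajorVersion).$($inetstp.MinorVersion)"
    if ($iisVersion -ge [version]'7.5') {
        foreach ($side in 'Client', 'Server') {
            foreach ($p in 'TLS 1.1', 'TLS 1.2') {
                # Both values must exist with exactly these values; $null fails both tests.
                $disabledByDefault = Get-SchannelValue $p $side 'DisabledByDefault'
                $enabled           = Get-SchannelValue $p $side 'Enabled'
                if ($disabledByDefault -ne 0 -or $enabled -ne 1) {
                    $findings += "$p\$side needs DisabledByDefault=0 and Enabled=1"
                }
            }
        }
    }
    return $findings
}

# "Require SSL" and "Require 128-bit SSL" in IIS Manager are the Ssl and Ssl128
# values of system.webServer/security/access@sslFlags.
function Test-SiteSslFlags($SiteName) {
    $v = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
            -Filter 'system.webServer/security/access' -Name sslFlags
    # Some attribute types come back wrapped in a ConfigurationAttribute object.
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v = $v.Value }
    $flags = [string]$v
    if ($flags -notmatch '\bSsl\b' -or $flags -notmatch 'Ssl128') {
        return "$SiteName sslFlags='$flags' (Ssl and Ssl128 required)"
    }
}

$all = @(Test-SchannelStig)
foreach ($s in Get-Website) { $all += @(Test-SiteSslFlags $s.Name) }
if ($all.Count -eq 0) { 'V-13694: no findings' }
else { $all | ForEach-Object { "V-13694 FINDING: $_" } }
```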

a
The Content Location header must not contain proprietary IP addresses.
Low - V-13702 - SV-32514r2_rule
RMF Control
Severity
Low
CCI
Version
WA000-WI120 IIS7
Vuln IDs
  • V-13702
Rule IDs
  • SV-32514r2_rule
When using static HTML pages, a Content-Location header is added to the response. The Internet Information Server (IIS) Content-Location may reference the IP address of the server, rather than the Fully Qualified Domain Name (FQDN) or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses, to sending the FQDN instead.
Web Administrator
Checks: C-32823r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click Configuration Editor. 4. From the drop-down box select system.webServer/serverRuntime. If alternateHostName has no assigned value, this is a finding.

Fix: F-28934r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click Configuration Editor. 4. Click the drop-down box located at the top of the Configuration Editor Pane. 5. Scroll until you find system.webserver/serverRuntime, double-click the element, and add the appropriate value.

b
The website must have a unique application pool.
Medium - V-13703 - SV-32515r2_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6010 IIS7
Vuln IDs
  • V-13703
Rule IDs
  • SV-32515r2_rule
Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool.
Web Administrator
Checks: C-32824r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings in the Action Pane. 4. Under the General section review the application pool name. 5. If any websites share an application pool, this is a finding.

Fix: F-28935r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings in the Action Pane. 4. Under the General section click on the application pool name, then click on the application pool selection button. 5. Select the desired application pool in the application pool dialogue box.
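The site-level rules above (V-6531, V-6724, V-6755, V-13688, V-13689, V-13702 and V-13703) each read one setting that the WebAdministration provider also exposes, so they can be audited across all sites in one pass. The PowerShell below is an added example and not part of the STIG; it assumes the WebAdministration module (IIS 7.5 on Server 2008 R2; IIS 7.0 on Server 2008 loads it with Add-PSSnapin WebAdministration) and the default W3SVC<site id> naming of per-site log folders. Which groups count as "authorized" for the log folder is site-specific, so that check only lists the identities on the ACL for the reviewer.

```powershell
# Added example, not part of the STIG: scripts the site-level checks for V-6531,
# V-6724, V-6755, V-13688, V-13689, V-13702 and V-13703. Assumes the WebAdministration
# module (IIS 7.5 / Server 2008 R2; IIS 7.0 on Server 2008 loads it with
# Add-PSSnapin WebAdministration instead) and must run elevated on the web server.
Import-Module WebAdministration

# Minimum W3C fields required by V-13688, as named in logExtFileFlags.
$RequiredFields = 'Date', 'Time', 'ClientIP', 'UserName', 'Method', 'UriQuery', 'HttpStatus', 'Referer'

# Get-WebConfigurationProperty returns some attribute types wrapped in a
# ConfigurationAttribute object; normalise to the raw value.
function Get-SiteConfigValue($SiteName, $Filter, $Attribute) {
    $v = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $Filter -Name $Attribute
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return $v.Value }
    return $v
}

function Test-IisSiteStig($SiteName) {
    $site     = Get-Item "IIS:\Sites\$SiteName"
    $findings = @()

    # V-6724: each HTTP/HTTPS binding needs a host header and a specific IP, not "*".
    foreach ($b in $site.Bindings.Collection) {
        if ($b.protocol -ne 'http' -and $b.protocol -ne 'https') { continue }
        # bindingInformation is "ip:port:host"; the greedy first group also handles [IPv6].
        if ($b.bindingInformation -match '^(?<ip>.+):(?<port>\d+):(?<hostName>.*)$') {
            if ($Matches.ip -eq '*' -or -not $Matches.hostName) {
                $findings += "V-6724 binding '$($b.bindingInformation)' has no specific IP or host header"
            }
        }
    }

    # V-6531: "Clients Certificate Required" is the SslRequireCert flag.
    $sslFlags = [string](Get-SiteConfigValue $SiteName 'system.webServer/security/access' 'sslFlags')
    if ($sslFlags -notmatch 'SslRequireCert') {
        $findings += "V-6531 sslFlags='$sslFlags' does not require client certificates"
    }

    # V-6755: directory browsing must be disabled.
    if ([bool](Get-SiteConfigValue $SiteName 'system.webServer/directoryBrowse' 'enabled')) {
        $findings += 'V-6755 directory browsing is enabled'
    }

    # V-13688: logging enabled, W3C format, and every required field selected.
    $log = $site.logFile
    if (-not $log.enabled) {
        $findings += 'V-13688 logging is disabled'
    } elseif ($log.logFormat -ne 'W3C') {
        $findings += "V-13688 log format is $($log.logFormat), not W3C"
    } else {
        $selected = ($log.logExtFileFlags -split ',') | ForEach-Object { $_.Trim() }
        $missing  = $RequiredFields | Where-Object { $selected -notcontains $_ }
        if ($missing) { $findings += "V-13688 missing log fields: $($missing -join ', ')" }
    }

    # V-13689: list the identities on this site's log folder (W3SVC<site id>) so the
    # reviewer can compare them with the authorized groups; "authorized" is site-specific.
    $logDir = Join-Path ([Environment]::ExpandEnvironmentVariables($log.directory)) "W3SVC$($site.id)"
    if (Test-Path $logDir) {
        $who = (Get-Acl $logDir).Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        Write-Host "  V-13689 log folder ACL ($logDir): $($who -join '; ')"
    }

    # V-13702: alternateHostName set so Content-Location carries the FQDN, not an IP.
    $alt = [string](Get-SiteConfigValue $SiteName 'system.webServer/serverRuntime' 'alternateHostName')
    if (-not $alt) { $findings += 'V-13702 serverRuntime/alternateHostName has no value' }

    return $findings
}

# V-13703: a pool used by two or more sites is a finding for each of those sites.
$sites  = Get-Website
$shared = $sites | Group-Object applicationPool | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name }

foreach ($s in $sites) {
    Write-Host "Site: $($s.Name)"
    $f = @(Test-IisSiteStig $s.Name)
    if ($shared -contains $s.applicationPool) { $f += "V-13703 shares application pool '$($s.applicationPool)'" }
    if ($f.Count -eq 0) { Write-Host '  no findings' }
    else { $f | ForEach-Object { Write-Host "  FINDING: $_" } }
}
```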

b
The application pool must have a recycle time set.
Medium - V-13704 - SV-46344r4_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6020 IIS7
Vuln IDs
  • V-13704
Rule IDs
  • SV-46344r4_rule
Application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks.
Web Administrator
Checks: C-32828r10_chk

Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, this check can be downgraded to a Cat III with supporting documentation from the ISSO. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight the desired application pool and click Recycling... in the Action Pane. 4. Review the Fixed Intervals section. If both Regular time intervals and Specific time(s) are unchecked, this is a finding. If only Regular Time Intervals is checked and the value is set to 0, this is a finding. NOTE: Do not click Recycle!

Fix: F-28939r4_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an application pool and click Recycling... in the Action Pane. 4. Choose a fixed interval type of fixed time and/or specific time. If regular time interval is the only type chosen, then the value entered must be greater than 0. NOTE: Do not click Recycle!

b
The maximum number of requests an application pool can process must be set.
Medium - V-13705 - SV-46345r3_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6022 IIS7
Vuln IDs
  • V-13705
Rule IDs
  • SV-46345r3_rule
IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.
Web Administrator
Checks: C-32854r8_chk

Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, this check can be downgraded to a Cat III with supporting documentation from the ISSO. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and ensure the value for Request Limit is set to a value other than 0. If not, this is a finding.

Fix: F-28989r2_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and set the value for Request Limit to a value other than 0.

b
The amount of virtual memory an application pool uses must be set.
Medium - V-13706 - SV-46347r3_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6024 IIS7
Vuln IDs
  • V-13706
Rule IDs
  • SV-46347r3_rule
IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.
Web Administrator
Checks: C-32855r6_chk

Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, this check can be downgraded to a Cat III with supporting documentation from the ISSO. 1. Open the IIS Manager. 2. Click on Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. In the advanced settings dialog box, scroll down to the recycling section and ensure the value for Virtual Memory Limit is not set to 0. If it is, this is a finding.

Fix: F-28990r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. In the advanced settings dialog box scroll down to the recycling section and set the value for Virtual Memory Limit to a value other than 0.

b
The amount of private memory an application pool uses must be set.
Medium - V-13707 - SV-46349r3_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6026 IIS7
Vuln IDs
  • V-13707
Rule IDs
  • SV-46349r3_rule
IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.
Web Administrator
Checks: C-32856r5_chk

Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, this check can be downgraded to a Cat III with supporting documentation from the ISSO. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and ensure the value for Private Memory Limit is set to a value other than 0. If not, this is a finding.

Fix: F-28991r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and set the value for Private Memory Limit to a value other than 0.

b
The Idle Timeout monitor must be enabled.
Medium - V-13708 - SV-32572r3_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6028 IIS7
Vuln IDs
  • V-13708
Rule IDs
  • SV-32572r3_rule
The idle time-out attribute controls the amount of time a worker process will remain idle before it shuts down. A worker process is idle if it is not processing requests and no new requests are received. The purpose of this attribute is to conserve system resources; the default value for idle time-out is 20 minutes. By default, the World Wide Web (WWW) service establishes an overlapped recycle, in which the worker process to be shut down is kept running until after a new worker process is started.
Web Administrator
Checks: C-32857r2_chk

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and ensure the value for Idle Time-out is set to 20. If not, this is a finding. NOTE: If the site has operational reasons to set Idle Time-out to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Fix: F-28992r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and set the value for Idle Time-out to 20.

b
The maximum queue length for HTTP.sys must be managed.
Medium - V-13709 - SV-32573r3_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6030 IIS7
Vuln IDs
  • V-13709
Rule IDs
  • SV-32573r3_rule
To determine the possible causes of client connection errors and to conserve system resources, it is important both to log errors and to manage the settings controlling requests to the application pool.
Web Administrator
Checks: C-32858r2_chk

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the General section and ensure the value for Queue Length is set to 1000. If not, this is a finding. NOTE: If the site has operational reasons to set Queue Length to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Fix: F-28993r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the General section and set the value for Queue Length to 1000.

b
An application pool’s pinging monitor must be enabled.
Medium - V-13710 - SV-32574r2_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6032 IIS7
Vuln IDs
  • V-13710
Rule IDs
  • SV-32574r2_rule
Windows Process Activation Service (WAS) manages application pool configurations and may flag a worker process as unhealthy and shut it down. An application pool’s pinging monitor must be enabled to confirm worker processes are functional. A lack of response from the worker process might mean the worker process does not have a thread to respond to the ping request, or it is hanging for some other reason. The ping interval and ping response time may need adjustment to gain access to timely information about application pool health without triggering false, unhealthy conditions; for example, instability caused by an application.
Web Administrator
Checks: C-32859r1_chk

1. Open the Internet Information Services (IIS) Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and ensure the value for Ping Enabled is set to True. If not, this is a finding.

Fix: F-28994r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and set the value for Ping Enabled to True.

b
An application pool’s rapid fail protection must be enabled.
Medium - V-13711 - SV-32603r2_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6034 IIS7
Vuln IDs
  • V-13711
Rule IDs
  • SV-32603r2_rule
Rapid fail protection is a feature that interrogates the health of worker processes associated with web sites and web applications. It can be configured to perform a number of actions, such as shutting down and restarting worker processes that have reached failure thresholds. Without rapid fail protection, the web server could become unstable in the event of a worker process crash, potentially leaving the web server unusable.
Web Administrator
Checks: C-32864r1_chk

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and ensure the value for Enabled is set to True. If not, this is a finding.

Fix: F-29008r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and set the value for Enabled to True.

b
An application pool’s rapid fail protection settings must be managed.
Medium - V-13712 - SV-32605r3_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6036 IIS7
Vuln IDs
  • V-13712
Rule IDs
  • SV-32605r3_rule
Windows Process Activation Service (WAS) manages application pool configuration and may flag a worker process as unhealthy and shut it down. The rapid fail protection must be set to a suitable value. A lack of response from the worker process might mean the worker process does not have a thread to respond to the ping request, or that it is hanging for some other reason. The ping interval and ping response time may need adjustment to gain access to timely information about application pool health without triggering false, unhealthy conditions.
Web Administrator
Checks: C-32865r2_chk

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and ensure the value for Failure Interval is set to 5. If not, this is a finding. NOTE: If the site has operational reasons to set Failure Interval to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Fix: F-29009r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and set the value for Failure Interval to 5.

c
The application pool identity must be defined for each web-site.
High - V-13713 - SV-46365r2_rule
RMF Control
Severity
High
CCI
Version
WA000-WI6040 IIS7
Vuln IDs
  • V-13713
Rule IDs
  • SV-46365r2_rule
The Worker Process Identity is the user defined to run an application pool. IIS 7 worker processes, by default, run under the NetworkService account. Creating a custom identity for each application pool will better track issues occurring within each web-site. When a custom identity is used, its rights and privileges must not exceed those associated with the NetworkService security principal.
Web Administrator
Checks: C-32866r3_chk

This check is only applicable when IIS is running on Windows Server 2008 SP2 or Windows Server 2008 R2. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and ensure the value for Identity is set to ApplicationPoolIdentity, Network Service or a custom identity. If not, this is a finding.

Fix: F-29010r2_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and set the value for Identity to ApplicationPoolIdentity, Network Service, or a custom identity with rights and privileges equal to or less than the built-in security principal.
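The application pool rules above (V-13704 through V-13713) all read values from the same Advanced Settings and Recycling dialogs, which the WebAdministration provider exposes as properties of each IIS:\AppPools item. The PowerShell below is an added example and not part of the STIG; it assumes the WebAdministration module (IIS 7.5; IIS 7.0 on Server 2008 loads it with Add-PSSnapin WebAdministration) and applies the literal values the rules name (20-minute idle time-out, queue length 1000, 5-minute failure interval), so a pool with an ISSO-documented alternate value still shows up and must be cleared by hand.

```powershell
# Added example, not part of the STIG: checks every application pool against the
# recycling, process-model, queue, rapid-fail and identity values in V-13704 through
# V-13713. Assumes the WebAdministration module (IIS 7.5; IIS 7.0 on Server 2008 uses
# Add-PSSnapin WebAdministration instead). Run elevated on the web server.
Import-Module WebAdministration

function Test-AppPoolStig($Pool) {
    $f       = @()
    $restart = $Pool.recycling.periodicRestart

    # V-13704: a regular interval and/or at least one specific time must be set;
    # a regular interval alone must be greater than 0 (time is a TimeSpan).
    $scheduled = @($restart.schedule.Collection).Count
    if ($restart.time -eq [TimeSpan]::Zero -and $scheduled -eq 0) {
        $f += 'V-13704 no recycle interval or specific recycle time is set'
    }

    # V-13705 / V-13706 / V-13707: request, virtual memory and private memory limits
    # must not be 0 (memory limits are in KB).
    if ($restart.requests      -eq 0) { $f += 'V-13705 Request Limit is 0' }
    if ($restart.memory        -eq 0) { $f += 'V-13706 Virtual Memory Limit is 0' }
    if ($restart.privateMemory -eq 0) { $f += 'V-13707 Private Memory Limit is 0' }

    # V-13708: Idle Time-out of 20 minutes (alternate values need ISSO documentation).
    if ($Pool.processModel.idleTimeout -ne [TimeSpan]::FromMinutes(20)) {
        $f += "V-13708 Idle Time-out is $($Pool.processModel.idleTimeout), not 00:20:00"
    }

    # V-13709: Queue Length of 1000 (alternate values need ISSO documentation).
    if ($Pool.queueLength -ne 1000) { $f += "V-13709 Queue Length is $($Pool.queueLength), not 1000" }

    # V-13710: Ping Enabled must be True.
    if (-not $Pool.processModel.pingingEnabled) { $f += 'V-13710 Ping Enabled is False' }

    # V-13711 / V-13712: rapid fail protection on, Failure Interval of 5 minutes.
    if (-not $Pool.failure.rapidFailProtection) { $f += 'V-13711 Rapid Fail Protection is disabled' }
    if ($Pool.failure.rapidFailProtectionInterval -ne [TimeSpan]::FromMinutes(5)) {
        $f += "V-13712 Failure Interval is $($Pool.failure.rapidFailProtectionInterval), not 00:05:00"
    }

    # V-13713: ApplicationPoolIdentity, NetworkService or a custom account (SpecificUser)
    # are acceptable; LocalSystem and LocalService are findings.
    $identity = [string]$Pool.processModel.identityType
    if (@('ApplicationPoolIdentity', 'NetworkService', 'SpecificUser') -notcontains $identity) {
        $f += "V-13713 identity is $identity"
    }
    return $f
}

foreach ($pool in Get-ChildItem IIS:\AppPools) {
    Write-Host "Application pool: $($pool.Name)"
    $findings = @(Test-AppPoolStig $pool)
    if ($findings.Count -eq 0) { Write-Host '  no findings' }
    else { $findings | ForEach-Object { Write-Host "  FINDING: $_" } }
}
```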

a
Web sites must utilize ports, protocols, and services according to PPSM guidelines.
Low - V-15334 - SV-33822r2_rule
RMF Control
Severity
Low
CCI
Version
WG610 IIS7
Vuln IDs
  • V-15334
Rule IDs
  • SV-33822r2_rule
Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS. The IAM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM), and the associated Ports, Protocols, and Services (PPS) Assurance Category Assignments List.
Information Assurance Officer
Checks: C-33501r2_chk

Review the web site to determine if HTTP and HTTPS (e.g., 80 and 443) are used in accordance with those ports and services registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM. 1. Open the IIS Manager. 2. Click the site name under review. 3. In the Action Pane, click Bindings. 4. Review the ports and protocols. If unknown ports or protocols are used, this is a finding.

Fix: F-29201r1_fix

Ensure the web site enforces the use of HTTP and HTTPS in accordance with PPSM guidance. 1. Open the IIS Manager. 2. Click the site name under review. 3. In the Action Pane, click Bindings. 4. Edit to change an existing binding and set the correct ports and protocol.

a
Debug must be turned off on a production website.
Low - V-26011 - SV-32662r2_rule
RMF Control
Severity
Low
CCI
Version
WA000-WI6140 IIS7
Vuln IDs
  • V-26011
Rule IDs
  • SV-32662r2_rule
Setting compilation debug to false ensures detailed error information does not inadvertently display during live application usage, mitigating the risk of application information being displayed to users.
Web Administrator
Checks: C-32876r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click .NET Compilation. 4. Scroll down to the Behavior section and ensure the value for Debug is set to False. If not, this is a finding. NOTE: If the .NET feature is not installed, this check is not applicable.

Fix: F-29027r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click .NET Compilation. 4. Scroll down to the Behavior section and set the value for Debug to False.

b
The production website must utilize SHA1 encryption for Machine Key.
Medium - V-26026 - SV-33314r4_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6180 IIS7
Vuln IDs
  • V-26026
Rule IDs
  • SV-33314r4_rule
The Machine Key element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, forms authentication, membership and roles, and anonymous identification. Ensuring a strong encryption method can mitigate the risk of data tampering in crucial functional areas such as forms authentication cookies or view state.
Web Administrator
Checks: C-32882r5_chk

1. Open the "IIS Manager". 2. Click the site name under review. 3. Double-click the "Machine Key" in the website "Home Pane". 4. Ensure "SHA1" is selected for the "Validation method". If not, this is a finding.

Fix: F-29031r4_fix

1. Open the "IIS Manager". 2. Click the site name under review. 3. Double-click the "Machine Key" in the website "Home Pane". 4. Set the "Validation method" to "SHA1".

a
The production web-site must be configured to prevent detailed HTTP error pages from being sent to remote clients.
Low - V-26031 - SV-32682r2_rule
RMF Control
Severity
Low
CCI
Version
WA000-WI6165
Vuln IDs
  • V-26031
Rule IDs
  • SV-32682r2_rule
HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote requesters exposes internal configuration information to potential attackers.
Web Administrator
Checks: C-32885r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Error Pages icon. 4. Click each error message and click Edit Feature Setting from the Actions Pane. If any error message is not set to “Detailed errors for local requests and custom error pages for remote requests”, this is a finding.

Fix: F-29033r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Error Pages icon. 4. Click each error message and click Edit Feature Setting from the Actions Pane; set each error message to “Detailed errors for local requests and custom error pages for remote requests”.

b
The production web-site must configure the Global .NET Trust Level.
Medium - V-26034 - SV-46354r3_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6200
Vuln IDs
  • V-26034
Rule IDs
  • SV-46354r3_rule
An application's trust level determines the permissions granted to it by the ASP.NET Code Access Security (CAS) policy. An application with Full trust may access all resource types on a server and perform privileged operations, while applications running with partial trust (High, Medium, Low, Minimal) have progressively fewer operating permissions and less access to resources. Setting a level of trust compatible with the applications limits the potential harm a compromised application could cause to a system.
Web Administrator
Checks: C-32886r7_chk

Note: If the server being reviewed is a non-production website, this is Not Applicable. Note: Setting a web application Trust Level to MEDIUM may deny some application permissions. If compatibility issues with applications require trust level to be less than "Medium", this check can be downgraded to a Cat III with supporting documentation from the Authorizing Official (AO). 1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the ".NET Trust Level" icon. 4. If the .NET Trust level is not set to "Medium" or less, this is a finding.

Fix: F-29034r2_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the ".NET Trust Level" icon. 4. Set the .NET Trust level to "Medium" or less and click "Apply".

b
The web-site must limit the number of bytes accepted in a request.
Medium - V-26041 - SV-32692r3_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6210
Vuln IDs
  • V-26041
Rule IDs
  • SV-32692r3_rule
Limiting the size of web requests helps ensure the availability of web services and mitigates the risk of buffer overflow type attacks. The maxAllowedContentLength Request Filter limits the number of bytes the server will accept in a request body; IIS rejects larger requests with HTTP Status Code 404.13.
Web Administrator
Checks: C-32889r2_chk

For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the maxAllowedContentLength value is not set to 30000000, this is a finding. NOTE: If the site has operational reasons to set maxAllowedContentLength to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Fix: F-29035r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Set the maxAllowedContentLength value to 30000000.

b
The production web-site must limit the MaxURL.
Medium - V-26042 - SV-32693r3_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6220
Vuln IDs
  • V-26042
Rule IDs
  • SV-32693r3_rule
Request filtering replaces URLScan in IIS, enabling administrators to create a more granular rule set with which to allow or reject inbound web content. Setting limits on web requests helps ensure the availability of web services and may also help mitigate the risk of buffer overflow type attacks. The maxUrl Request Filter limits the number of bytes the server will accept in a URL; IIS rejects longer URLs with HTTP Status Code 404.14.
Web Administrator
Checks: C-32890r2_chk

For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the maxURL value is not set to 4096, this is a finding. NOTE: If the site has operational reasons to set maxURL to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Fix: F-29036r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Set the maxURL value to 4096.

b
The production web-site must configure the Maximum Query String limit.
Medium - V-26043 - SV-32694r3_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6230
Vuln IDs
  • V-26043
Rule IDs
  • SV-32694r3_rule
Setting limits on web requests helps ensure the availability of web services and may also help mitigate the risk of buffer overflow type attacks. The Maximum Query String Request Filter (maxQueryString) sets the upper limit on allowable query string length in bytes. When a request exceeds the configured value, IIS rejects it with HTTP Status Code 404.15.
Web Administrator
Checks: C-32891r2_chk

For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the Maximum Query String value is not set to 2048, this is a finding. NOTE: If the site has operational reasons to set Maximum Query String to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Fix: F-29037r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Set the Maximum Query String value to 2048.

b
The web-site must not allow non-ASCII characters in URLs.
Medium - V-26044 - SV-32695r4_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6240
Vuln IDs
  • V-26044
Rule IDs
  • SV-32695r4_rule
Setting limits on web requests helps ensure the availability of web services and mitigates the risk of buffer overflow type attacks. The allow high-bit characters Request Filter (allowHighBitCharacters), when unchecked, rejects requests whose URLs contain non-ASCII characters with HTTP Status Code 404.12. Sites that must serve resources with non-ASCII names need the documented exception described in the check.
Web Administrator
Checks: C-32892r3_chk

For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the allow high-bit characters checkbox is checked, this is a finding. NOTE: If the site has operational reasons to set allow high-bit characters to checked, this vulnerability can be documented locally by the ISSM/ISSO.

Fix: F-29038r2_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Uncheck the allow high-bit characters checkbox.

b
The web-site must not allow double encoded URL requests.
Medium - V-26045 - SV-32696r2_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6250
Vuln IDs
  • V-26045
Rule IDs
  • SV-32696r2_rule
Request filtering enables administrators to create a more granular rule set with which to allow or reject inbound web content. Setting limits on web requests helps ensure the availability of web services and mitigates the risk of buffer overflow type attacks. When the allow double escaping option (allowDoubleEscaping) is disabled, IIS rejects URLs that are still percent-encoded after one round of decoding (for example, %252e decodes to %2e and then to a period), defeating attacks that hide path traversal or other filtered characters behind a second layer of encoding. Such requests are rejected with HTTP Status Code 404.11.
Web Administrator
Checks: C-32893r1_chk

For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the allow double escaping checkbox is checked, this is a finding.

Fix: F-29039r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Uncheck the allow double escaping checkbox.
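To see why one round of decoding is not enough, the following Python (an added example, not part of the STIG or of IIS) runs constructed traversal probes through a naive filter that decodes once and looks for ".." segments, and through a simplified model of the rejection IIS applies when allow double escaping is unchecked (reject when a second decode would still change the once-decoded URL). The model is an approximation written for illustration, not IIS's exact implementation. It also shows the operational cost of the setting: a legitimate URL that carries a literal percent sign (encoded as %25) is rejected as well.

```python
"""Added example (not from the STIG): why double-encoded URLs defeat a
filter that decodes only once, and a simplified model of the check IIS
performs when allowDoubleEscaping is false.  The model is an approximation
for illustration, not IIS's exact implementation.  All probe URLs below
are constructed."""
from urllib.parse import unquote


def naive_traversal_filter(raw_path):
    """Decode once and look for a '..' segment.  This is the kind of check a
    double-encoded request is built to slip past."""
    return ".." in unquote(raw_path).split("/")


def looks_double_escaped(raw_path):
    """Approximation of the allowDoubleEscaping=false test: after one decode,
    would decoding again still change the URL?  If so, something was escaped
    twice and the request is rejected (IIS reports 404.11)."""
    once = unquote(raw_path)
    return unquote(once) != once


def decode_twice(raw_path):
    """What a handler finally sees if two decoding layers are applied."""
    return unquote(unquote(raw_path))


# Constructed probes: the same traversal escaped zero, one and two times,
# plus a legitimate request for a file literally named "Q1%20results.pdf".
PROBES = {
    "plain":  "/images/../../windows/win.ini",
    "single": "/images/%2e%2e/%2e%2e/windows/win.ini",
    "double": "/images/%252e%252e/%252e%252e/windows/win.ini",
    # Rejected too when double escaping is disallowed: the operational
    # trade-off of the setting for sites with '%' in resource names.
    "literal_percent": "/reports/Q1%2520results.pdf",
}


def evaluate(raw_path):
    """Return (caught_by_naive_filter, rejected_as_double_escaped, final_path)."""
    return (naive_traversal_filter(raw_path),
            looks_double_escaped(raw_path),
            decode_twice(raw_path))


if __name__ == "__main__":
    for name, path in PROBES.items():
        naive, rejected, final = evaluate(path)
        print(f"{name:16} naive_filter={naive!s:5} "
              f"double_escaped={rejected!s:5} -> {final}")
```

The "double" probe passes the naive filter (after one decode the segments are still `%2e%2e`) yet resolves to the same traversal as the "plain" probe once a second layer decodes it; the double-escaping check catches it at the first layer, before any handler sees it.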

b
The production web-site must filter unlisted file extensions in URL requests.
Medium - V-26046 - SV-32697r2_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6260
Vuln IDs
  • V-26046
Rule IDs
  • SV-32697r2_rule
Request filtering enables administrators to create a more granular rule set to allow or reject inbound web content. Setting limits on web requests helps ensure the availability of web services and may also help mitigate the risk of buffer overflow type attacks. The allow unlisted property of the File Extensions Request Filter (allowUnlisted), when unchecked, rejects requests for any file extension that is not explicitly allowed in the File Extensions list. Tripping this filter causes IIS to generate HTTP Status Code 404.7.
Web Administrator
Checks: C-32894r1_chk

For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If allow unlisted file extensions checkbox is checked, this is a finding.

Fix: F-29040r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Uncheck the allow unlisted file extensions checkbox.
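The IIS Manager steps in the rules above (Machine Key validation method, Error Pages, .NET Trust Level and the six Request Filtering settings) all end up as attributes in the site's web.config, so the same review can be repeated offline against exported configuration. The following Python is an added example, not part of the STIG or of IIS. It encodes the expected values from the checks above, uses the element and attribute names IIS Manager writes (system.webServer/security/requestFiltering, system.webServer/httpErrors, system.web/trust, system.web/machineKey) together with the IIS defaults that apply when a site leaves an attribute unset, and is run against two constructed web.config documents, one weak and one compliant. Settings inherited from applicationHost.config or the root web.config are not visible in the site file, so the script reports an unset Machine Key validation method as inherited rather than guessing a default.

```python
"""Offline audit of an IIS 7 site web.config against the values required by
the checks in this section.  Added example, not part of the STIG or of IIS.
Element/attribute names and the defaults applied to absent attributes are
those of the IIS / ASP.NET configuration schema; both samples are constructed."""
import xml.etree.ElementTree as ET

RF = "system.webServer/security/requestFiltering"

# V-26041/42/43: byte limits.  The IIS defaults equal the STIG values, so an
# absent attribute is compliant.
LIMITS = {"maxAllowedContentLength": 30000000, "maxUrl": 4096, "maxQueryString": 2048}

# Boolean switches: (element path, attribute, IIS default, required value).
SWITCHES = [
    (RF, "allowHighBitCharacters", "true", "false"),             # V-26044
    (RF, "allowDoubleEscaping", "false", "false"),               # V-26045
    (RF + "/fileExtensions", "allowUnlisted", "true", "false"),  # V-26046
]

# V-26034: "Medium" or a less privileged level passes.
TRUST_RANK = {"Full": 4, "High": 3, "Medium": 2, "Low": 1, "Minimal": 0}


def _attr(root, path, name, default=None):
    """Attribute `name` of the first element at `path`; `default` when the
    element or attribute is not in this file (i.e. the value is inherited)."""
    el = root.find(path)
    return default if el is None else el.get(name, default)


def audit_web_config(xml_text):
    """Return (setting, actual, expected) findings; an empty list is compliant."""
    root = ET.fromstring(xml_text)
    findings = []
    for name, want in LIMITS.items():
        actual = int(_attr(root, RF + "/requestLimits", name, want))
        if actual != want:
            findings.append((name, str(actual), str(want)))
    for path, name, default, want in SWITCHES:
        actual = _attr(root, path, name, default).lower()
        if actual != want:
            findings.append((name, actual, want))
    # V-26031: detailed errors only for local requests.
    mode = _attr(root, "system.webServer/httpErrors", "errorMode", "DetailedLocalOnly")
    if mode != "DetailedLocalOnly":
        findings.append(("errorMode", mode, "DetailedLocalOnly"))
    # V-26034: the root web.config grants Full trust unless the site lowers it.
    level = _attr(root, "system.web/trust", "level", "Full")
    if TRUST_RANK.get(level, 99) > TRUST_RANK["Medium"]:
        findings.append(("trust level", level, "Medium or less"))
    # Machine Key validation method.  No default is assumed: when the site does
    # not set it, the effective value comes from machine-level config and must
    # be read there (IIS Manager shows the effective value).
    validation = _attr(root, "system.web/machineKey", "validation")
    if validation != "SHA1":
        findings.append(("machineKey validation", validation or "inherited", "SHA1"))
    return findings


# Constructed sample: every reviewed setting either weakened or left unset.
WEAK_CONFIG = """<configuration>
  <system.web>
    <trust level="Full" />
    <machineKey validation="MD5" decryption="AES" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Detailed" />
    <security>
      <requestFiltering allowDoubleEscaping="true">
        <requestLimits maxAllowedContentLength="4294967295" maxUrl="65536" />
        <fileExtensions allowUnlisted="true" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

# Constructed sample matching the checks in this section.
COMPLIANT_CONFIG = """<configuration>
  <system.web>
    <trust level="Medium" />
    <machineKey validation="SHA1" decryption="AES" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="DetailedLocalOnly" />
    <security>
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">
        <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="2048" />
        <fileExtensions allowUnlisted="false" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        print(label, audit_web_config(cfg) or "no findings")
```

Note that an attribute missing from the site file is not automatically a pass: allowHighBitCharacters and allowUnlisted default to true and trust defaults to Full, so a bare `<configuration/>` still produces findings for those, while the three byte limits default to the required values and pass.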

c
The installed version of IIS must be a supported version.
CM-6 - High - CCI-000370 - V-99015 - SV-108119r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000370
Version
WG500
Vuln IDs
  • V-99015
Rule IDs
  • SV-108119r1_rule
Unsupported versions of IIS, and of the operating system it ships with, do not receive new security-related features or security patches that address known vulnerabilities. Software or hardware no longer supported by the manufacturer or vendor is not maintained or updated for current vulnerabilities, leaving it open to potential attack.
Checks: C-97855r1_chk

Procedure: Open IIS Manager, select Help, then select About IIS; the dialog shows the installed IIS version. Microsoft support for Internet Information Services (IIS) 7 ended in January 2020. If IIS 7 is installed on a system, this is a finding.

Fix: F-104691r1_fix

Upgrade IIS to a supported software version.