IIS6 Server


Version / Release: V6R16

Published: 2015-06-01

Updated At: 2018-09-23 02:54:02


Vuln Rule | Version | CCI | Severity | Title | Description
SV-38188r1_rule | WG050 | IIS6 | MEDIUM | The web server service password(s) must be entrusted to the SA or Web Manager. | Normally, a service account is established for the web server. This is because a privileged account is not desirable and the server is designed to run for long uninterrupted periods of time. The SA or Web Manager will need password access to the web serve
SV-38175r1_rule | WG040 | IIS6 | MEDIUM | Public web server resources must not be shared with private assets. | It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets. When folders, drives or other resources are directly shared between the public web server and private servers th
SV-38189r1_rule | WG060 | IIS6 | MEDIUM | The service account ID used to run the web service must have its password changed at least annually. | Normally, a service account is established for the web service to run under rather than permitting it to run as system or root. The password on such accounts must be changed at least annually. It is a fundamental tenet of security that passwords are not t
SV-38190r1_rule | WG080 | IIS6 | MEDIUM | A compiler must not be installed on a production web server. | The presence of a compiler on a production server facilitates the malicious user's task of creating custom versions of programs and installing Trojan Horses or viruses. Responsibility: System Administrator. IA Controls: ECSC-1.
SV-38169r2_rule | WA060 | IIS6 | MEDIUM | A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension. | To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from publicly based sources, such as the public Internet. Onc
SV-38170r1_rule | WA070 | IIS6 | MEDIUM | A private web server must be located on a separate controlled access subnet. | Private web servers, which host sites serving controlled access data, must be protected from outside threats in addition to insider threats. Insider threat may be accidental or intentional but, in either case, can cause a disruption in service of the web
SV-38193r2_rule | WG190 | IIS6 | HIGH | The web server must use a vendor-supported version of the web server software. | The web server software, IIS 6, is no longer supported by Microsoft for security updates and is not evaluated or updated for vulnerabilities, leaving it open to potential attack. Organizations must transition to a supported IIS release to ensure continued
SV-38194r2_rule | WG200 | IIS6 | HIGH | Non-administrators must not be allowed access to the directory tree, the shell, or other operating system functions and utilities. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. This is in addition to the anonymous web user account. The re
SV-38326r2_rule | WG220 | IIS6 | MEDIUM | Access to web administration tools must be restricted to the Web Manager and the Web Manager's designees. | The key web service administrative and configuration tools must only be accessible by the web server staff. All users granted this authority will be documented and approved by the ISSO. Access to the IIS Manager will be limited to authorized users and adm
SV-38191r2_rule | WG130 | IIS6 | LOW | Programs and features not necessary for operations must be removed. | Just as running unneeded services and protocols increases the attack surface of the web server, running unneeded utilities and programs is also an added risk to the web server. Responsibility: Web Administrator, System Administrator. IA Controls: ECSC-1.
SV-38171r1_rule | WA120 | IIS6 | LOW | Administrative users and groups with access privilege to the web server must be documented. | There are typically several individuals and groups involved in running a production web site. In most cases, several types of users on a web server can be identified, such as SAs, Web Managers, Auditors, Authors, Developers, and the Clients. Nonetheless,
SV-31321r1_rule | WG300 | IIS6 | MEDIUM | Web server system files must conform to minimum file permission requirements. | This check verifies the key web server system configuration files are owned by the SA or Web Manager controlled account. These same files, which control the configuration of the web server and thus its behavior, must also be accessible by the account whic
SV-38328r1_rule | WG330 | IIS6 | MEDIUM | A public web server must limit e-mail to outbound only. | Incoming e-mails have been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attack. Additionally, e-mail is a specialized application requiring the dedication of server resources. A production web
SV-38332r1_rule | WG470 | IIS6 | MEDIUM | Wscript.exe and Cscript.exe must not be accessible by users other than the SA and Web Manager. | Windows Scripting Host (WSH) is installed under either a Typical or Custom installation option of a Microsoft Network Server. This technology permits the execution of powerful script files from the Windows NT command line. This technology is also classifi
SV-38331r1_rule | WG440 | IIS6 | MEDIUM | Monitoring software must include CGI type files or equivalent programs. | By their very nature, CGI type files permit the anonymous web user to interact with data and perhaps store data on the web server. In many cases, CGI scripts exercise system-level control over the server's resources. These files make appealing targets f
SV-38172r2_rule | WA140 | IIS6 | LOW | Web server content and configuration files must be part of a routine backup program. | Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the current version. It also provides a means to determine and recover from subsequent unauthorized changes to the
SV-29351r1_rule | WG195 | IIS6 | HIGH | Anonymous access accounts must be restricted. | Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather that users are assigned incorrect permissions to unauthorized data. The files, directories, and data
SV-38196r1_rule | WG204 | IIS6 | MEDIUM | A web server must not be co-hosted with other services. | A detailed web server installation and configuration plan should be followed to provide standardization during the installation process. The installation and configuration plan should not support the co-hosting of multiple services such as Domain Name Ser
SV-30051r1_rule | WG520 | IIS6 | LOW | Web server and/or operating system information must be protected. | The web server response header of an HTTP response can contain several fields of information including the requested HTML page. The information included in this response can be web server type and version, operating system and version, and ports associate
SV-38150r1_rule | WA000-WI080 | IIS6 | MEDIUM | The IIS Internet Printing Protocol must be disabled. | The use of Internet Printing Protocol (IPP) on an IIS web server allows clients access to shared printers. This privileged access could allow remote code execution by increasing the web server's attack surface. Additionally, IPP does not support SSL add
SV-38173r2_rule | WA155 | IIS6 | HIGH | Classified web servers must be afforded physical security commensurate with the classification of their content. | When data of a classified nature is migrated to a web server, fundamental principles applicable to the safeguarding of classified material must be followed. A classified web server needs to be afforded physical security commensurate with the classificatio
SV-38174r2_rule | WA230 | IIS6 | MEDIUM | The site software used with the web server must have all applicable security patches applied and documented. | The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software environment. Many vendors have subscription services available to notify users of known security threats. The s
SV-38330r1_rule | WG385 | IIS6 | HIGH | All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. | Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (e.g., compiled code, scripts, web content, etc.)
SV-38148r1_rule | WA000-WI035 | IIS6 | HIGH | The IISADMPWD directory must be removed from the web server. | The IISADMPWD directory is included by default with IIS. It allows users to reset Windows passwords. The use of userids and passwords is a far less secure solution for controlling user access to web applications than a PKI solution with subscriber certific
SV-38151r2_rule | WA000-WI100 | IIS6 | MEDIUM | The File System Object component, if not required, must be disabled. | Some COM components are not required for most applications and should be removed if possible. Most notably, consider disabling the File System Object component; however, this will also remove the Dictionary object. Be aware some programs may require com
SV-38159r1_rule | WA000-WI110 | IIS6 | HIGH | The command shell options must be disabled. | The command shell can be used to call arbitrary commands at the web server from within an HTML page. Responsibility: Web Administrator. IA Controls: ECSC-1.
SV-38160r1_rule | WA000-WI6080 | IIS6 | MEDIUM | The AllowRestrictedChars registry key must be disabled. | IIS6 Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with Http.sys. If the AllowRestrictedChars key is set to a nonzero value, Http.sys accepts hex-escaped chars in request URLs that decode to U+
SV-38161r1_rule | WA000-WI6082 | IIS6 | MEDIUM | The EnableNonUTF8 registry key must be disabled. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with Http.sys. The EnableNonUTF8 registry key expands the range of character types the web server accepts. Hackers can use this capability to sub
SV-38162r1_rule | WA000-WI6084 | IIS6 | MEDIUM | The FavorUTF8 registry key must be set properly. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with Http.sys. The FavorUTF8 registry key allows URLs to be decoded as UTF-8 before any other encoding. Overlong encoding forms have been used to
SV-38163r2_rule | WA000-WI6086 | IIS6 | MEDIUM | The MaxFieldLength registry entry must be set properly. | By default, the MaxFieldLength registry entry is not present. This registry entry specifies the maximum size of any individual HTTP client request. Typically, this registry entry is configured together with the MaxRequestBytes registry entry. Setting th
SV-38164r2_rule | WA000-WI6088 | IIS6 | MEDIUM | The MaxRequestBytes registry entry must be set properly. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with Http.sys. The MaxRequestBytes registry key determines the upper limit for the total size of the HTTP request line and headers. If this value i
SV-38165r1_rule | WA000-WI6090 | IIS6 | MEDIUM | The UrlSegmentMaxLength registry entry must be set properly. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with Http.sys. The UrlSegmentMaxLength key sets the maximum number of characters in a URL path segment (the area between the slashes in the URL). S
SV-38166r1_rule | WA000-WI6092 | IIS6 | MEDIUM | The PercentUAllowed registry entry must be set properly. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with Http.sys. The PercentUAllowed key allows the web server to accept Unicode character syntax via ASCII (i.e., through the URL). Allowing this ty
SV-38167r1_rule | WA000-WI6094 | IIS6 | MEDIUM | The UriMaxUriBytes registry entry must be set properly. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with Http.sys. The UriMaxUriBytes key is used to set size limits on what is cached in the kernel response cache. Setting this value too large may ca
SV-38168r1_rule | WA000-WI6096 | IIS6 | MEDIUM | The UrlSegmentMaxCount registry entry must be set properly. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with Http.sys. The UrlSegmentMaxCount value determines the maximum number of URL path segments accepted by the server. It effectively limits the nu