Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
1. Open the IIS Manager. 2. Click the site name under review. 3. Click Edit Permissions on the Actions Pane. 4. Click the Sharing tab. 5. If there are any anonymous shares under Network File and Folder sharing, this is a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Click Edit Permissions on the Actions Pane. 4. Select the Sharing button. 5. Click Share and then click stop sharing.
Determine whether scripts are used on the web server for the target website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. If the web site does not utilize CGI or ASP, this finding is N/A. All interactive programs must be placed in unique designated folders based on CGI or ASP script type. 1. Open the IIS Manager. 2. Right-click on the Site name and select Explore. 3. Search for the listed script extensions. 4. Each script type must be in its unique designated folder. If scripts are not segregated from web content and in their own unique folders, then this is a finding.
All interactive programs must be placed in unique designated folders based on CGI or ASP script type. 1. Open the IIS Manager. 2. Right-click on the Site name and select Explore. 3. Search for the listed script extensions. 4. Move each script type to its unique designated folder. 5. Set the permissions to the scripts folders as follows: Administrators: FULL TrustedInstaller: FULL SYSTEM: FULL ApplicationPoolId: READ Custom Service Account: READ Users: READ
Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. If the web site does not utilize CGI, this finding is N/A. All interactive programs must have restrictive permissions. 1. Open the IIS Manager. 2. Right-click on the Site name and select Explore. 3. Search for the listed script extensions. 4. Set the permissions to the CGI scripts as follows: Administrators: FULL TrustedInstaller: FULL SYSTEM: FULL ApplicationPoolId: READ Custom Service Account: READ Users: READ If the permissions listed above are less restrictive, this is a finding.
All interactive programs must have restrictive permissions. 1. Open the IIS Manager. 2. Right-click on the Site name and select Explore. 4. Search for the listed script extensions. 5. Set the permissions to the CGI scripts as follows: Administrators: FULL TrustedInstaller: FULL SYSTEM: FULL ApplicationPoolId: READ Custom Service Account: READ Users: READ
This check is limited to CGI/interactive content and not static HTML. Search the IIS Root and Site Directories for the following files: *.bak, *.old, *.temp, *.tmp, *.backup, or ‘copy of...’. If files with these extensions are found, this is a finding.
Remove the backup files from the production web site.
1. Open an administrator command prompt. 2. CD \Windows\system32\inetsrv 3. Enter the command: appcmd list config /section:system.applicationHost/sites > out.txt (opens output in Notepad). 4. Review the results and verify each website has a value greater than zero listed for maxconnections parameter. If not, this is a finding. If nothing is listed, this is also a finding.
For the site under review, determine the maximum number of connections needed. 1. Open an administrator command prompt. 2. CD \Windows\system32\inetserv 3. Enter the command: appcmd set config -section:system.applicationHost/sites "/[name='Default Web Site'].limits.maxConnections:X" /commit:apphost Note: Replace SITENAME with the site under review and X with the maximum number of connections allowable. 4. Enter the command to verify changes: appcmd list config –section:system.applicationHost/sites>out.txt (opens output in Notepad).
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click Default Document. 4. In the Actions Pane, verify the Default Document feature is enabled. If not, this is a finding. 5. Review the document types. 6. Click the Content View tab and ensure there is a document of that type in the directory. If not, this is a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click Default Document. 4. In the Action pane select Enable. 5. Click the Content View tab and ensure there is a document of that type in the directory.
If web administration is performed at the console, this check is NA. If web administration is performed remotely the following checks will apply: If administration of the server is performed remotely, it will only be performed securely by system administrators. If web site administration or web application administration has been delegated, those users will be documented and approved by the ISSO. Remote administration must be in compliance with any requirements contained within the Windows Server STIGs, and any applicable network STIGs. Remote administration of any kind will be restricted to documented and authorized personnel. All users performing remote administration must be authenticated. All remote sessions will be encrypted and they will utilize FIPS 140-2 approved protocols. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. Review with site management how remote administration, if applicable, is configured on the web site. If remote management meets the criteria listed above, this is not a finding. If remote management is utilized and does not meet the criteria listed above, this is a finding.
Ensure the web server administration is only performed over a secure path.
1. Open the IIS Manager. 2. Click the site name. 3. Double-click Logging 4. Ensure logging is enabled. If logging is not enabled, this is a finding.
1. Open the IIS Manager. 2. Click the site name. 3. Double-click Logging. 4. Click the Enable option from the Action Pane, click apply.
Query the ISSO, the SA, and the web administrator to find out if development web sites are being housed on production web servers. Proposed Questions: Do you have development sites on your production web server? What is your process to get development web sites / content posted to the production server? Do you use under construction notices on production web pages? The reviewer can also do a manual check or perform a navigation of the web site via a browser could be used to confirm the information provided from interviewing the web staff. Graphics or texts which proclaim Under Construction or Under Development are frequently used to mark folders or directories in that status. If Under Construction or Under Development web content is discovered on the production web server, this is a finding.
The presences of portions of the web site that proclaim Under Construction or Under Development are clear indications that a production web server is being used for development. The web administrator will ensure that all pages that are in development are not installed on a production web server.
1. Open the IIS Manager. 2. Click the site name under review. 3. In the Action Pane select Edit Permissions. 4. Select the Security tab. 5. Review the permissions for the accounts. If the IUSR or Everyone Account permission is greater than read, this is a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. In the Action Pane select Edit Permissions. 4. Select the Security tab. 5. Set the permissions for the accounts IUSR and Everyone to read.
1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Content View tab. 4. If the robots.txt file does exist, this is a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Under the Actions pane, click Explore. 4. Delete the robots.txt file. NOTE: If there is information on the web site that needs protection from search engines and public view, then other methods must be used to safeguard the data.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double click the SSL Settings Icon. 4. Ensure Require SSL and Require SSL 128-Bit are checked. Note: If the Required SSL 128-Bit setting is not visible, the setting can be viewed by clicking the site under review and then opening the Configuration Editor. Switch to the section, the dropdown at the top of the configuration editor, system.webServer/security/access. The value for sslFlags should be ssl128. If not, this is a finding. If the site requires SSL and 128-bit encryption, then the version of SSL\TLS also needs to be verified. The following registry keys need to exist and be set to not allow anything lower than TLS. This can be accomplished by ensuring the following value exists in each of the keys: Enabled REG_DWORD 0 HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\PCT 1.0\Client HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\PCT 1.0\Server HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 2.0\Client HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 2.0\Server HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 3.0\Client HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 3.0\Server If these keys are not set to a DWORD value of 0, this is a finding. If the keys do not contain the value "Enabled", this would also be a finding. The keys for TLS 1.0 do not require the "Enabled" value to be present, but if it is, it needs to be set to REG_DWORD 1, to enable TLS. If the "Enabled" value is present and set to 0, this is a finding. TLS 1.1 and 1.2 are not supported in versions prior to IIS 7.5. If the version of IIS is prior to 7.5, the check for TLS 1.1 and 1.2 is NA. TLS 1.1 and 1.2 are not enabled by default, therefore the following registry keys must exist and contain the the following values to enable TLS 1.1 and 1.2. DisabledByDefault REG_DWORD 0 Enabled REG_DWORD 1 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server If any of the registry keys for TLS 1.1 or TLS 1.2 are not present or are not set correctly, this is a finding. NOTE: In some cases the web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the SSL certificate for the web sites may be installed on the content switch vs. the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. We do not want users to have the ability to bypass the content switch to access the web sites.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double click the SSL Settings Icon. 4. Click the Require SSL and Require SSL 128-Bit check boxes. Note: If the Required SSL 128-Bit setting is not visible, the setting can be set by clicking the site node and then opening the Configuration Editor. Switch to the section, the dropdown at the top of the configuration editor, system.webServer/security/access. Click the value beside the sslFlags and select ssl128 in the dropdown list. 5. Set the version of SSL/TLS by creating and setting the following registry to not allow anything lower than TLS. Ensure the following value exists in each of the keys: Enabled REG_DWORD 0 HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\PCT 1.0\Client HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\PCT 1.0\Server HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 2.0\Client HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 2.0\Server HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 3.0\Client HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 3.0\Server The keys for TLS 1.0 do not require the Enabled value to be present, but if it is, it needs to be set to REG_DWORD 1, to enable TLS.
1. Open the IIS Manager. 2. Click on the Server name. 3. Double-Click the Server Certificate icon. 4. Double-Click each certificate and verify the certificate path is to a DoD root CA. If not, this is a finding.
1. Open the IIS Manager. 2. Click on the Server name. 3. Double-Click the Server Certificate icon. 4. Import a valid DoD certificate and remove any non-DoD certificates.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click on Handler Mappings. If any file extensions on the black list are configured with a Handler Mapping, this is a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click on Handler Mappings. 4. Remove any file extensions which are listed on the black list and for which a Handler Mapping has been configured.
1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings from the "Actions" Pane. 4. Review the Physical Path. If the Path is on the same partition as the OS, this is a finding. Note: If the ISSO has accepted the risk of not configuring this setting due to hosted application operability issues or failures, this is not a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings from the Actions Pane. 4. Change the Physical Path to the new partition and directory location.
1. Start regedit. 2. Navigate to KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs\. 3. If this key exists then indexing is enabled; if the key does not exist then this check is N/A. 4. Review the Catalogs keys to determine if directories other than web document directories are being indexed. If so, this is a finding.
1. Run MMC. 2. Add the Indexing Service snap-in. 3. Edit the indexed directories to only include web document directories.
The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. If a banner is required, the following banner page must be in place: “You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - At any time, the USG may inspect and seize data stored on this IS. - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy. - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.” OR If your system cannot meet the character limits to store this amount of text in the banner, the following is another option for the warning banner: "I've read & consent to terms in IS user agreem't." NOTE: While DoDI 8500.01 does not contain a copy of the banner to be used, it does point to the RMF Knowledge Service for a copy of the required text. It is also noted that the banner is to be displayed only once when the individual enters the site and not for each page. If the access-controlled website does not display this banner page before entry, this is a finding.
Configure a DoD private website to display the required DoD banner page when authentication is required for user access.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double click the SSL Settings icon. 4. Ensure Clients Certificate Required is checked. If not, this is a finding. NOTE: If the site has operational reasons to set Clients Certificate Required to unchecked, this vulnerability can be documented locally by the ISSM/ISSO.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double click the SSL Settings icon. 4. Click Clients Certificate Required button.
1. Open the IIS Manager. 2. In the “Connections” pane, expand the “Sites” node in the tree. Select the site name under review. 3. In the “Actions” pane, select “Bindings”. 4. Each site should have a hostname entry (at a minimum) and specific IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. If not, this is a finding.
1. Open the IIS Manager. 2. In the “Connections” pane, expand the “Sites” node in the tree. Select the site name under review. 3. In the “Actions” pane, select “Bindings”. 4. In the “Site Bindings” dialog box, select the binding to add a host header and then click “Edit” or “Add”. 5. In the “Host” name box, type a host header for the site for both port 80 for HTTP and port 443 for HTTPS. 6. Click “OK”.
1. Open the IIS Manager. 2. Click the site name under review. 3. Click Directory browsing icon. 4. In the Actions Pane ensure Directory Browsing is disabled. If not, this is a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Click Directory browsing icon. 4. Click Disable in the Actions Pane to disable Directory Browsing.
1. Open the IIS Manager. 2. Click the site name under review. 3. Click Bindings in the Action Pane. 4. Click the HTTPS type from the box. 5. Click Edit. 6. Click View, review and verify the certificate path. If the list of CAs in the trust hierarchy does not lead to the DoD PKI Root CA, DoD-approved external certificate authority (ECA), or DoD-approved external partner, this is a finding. If HTTPS is not an available type under site bindings, this is a finding.
1. Open the IIS Manager. 2. Click the Server name. 3. Double-Click Server Certificates. 4. Click Import under the Actions Pane. 5. Browse to the DoD certificate location, select it, and click OK. 6. Remove any non-DoD certificates if present. 7. Click on the site needing the certificate. 8. Select Bindings under the Actions Pane. 9. Click on the binding needing a certificate and select edit, or add a site binding for HTTPS and execute step 10. 10. Assign the certificate to the web site by choosing it under the SSL Certificate drop down and clicking OK.
Query the SA to determine if there is a process for the uploading of files to the web site. This process should include the requirement for the use of a secure encrypted logon and secure encrypted connection. If the remote users are uploading files without utilizing approved encryption methods, this is a finding.
Use only secure encrypted logons and connections for uploading files to the web site.
Follow the procedures below for each site under review: 1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Under Format select W3C. 5. Click Select Fields, ensure at a minimum the following fields are checked: Date, Time, Client IP Address, User Name, Method, URI Query, Protocol Status, and Referrer. If logging is not enabled, this is a finding.
1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Under Format select W3C. 5. Select the following fields: Date, Time, Client IP Address, User Name, Method, URI Query, Protocol Status, and Referrer.
Follow the procedures below for each site under review: 1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Beside Directory, Click Browse. 5. Right-click the log file name to review and click Properties. 6. Click the Security tab; ensure only authorized groups are listed, if others are listed, this is a finding.
1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Beside Directory, Click Browse. 5. Right-click the log file name to review and click Properties. 6. Click the Security tab. 7. Set the log file permissions for the appropriate group.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click SSL icon. 4. Ensure Require SSL and Require 128-bit SSL are checked. Note: If the Require SSL 128-Bit setting is not visible, the setting can be viewed by clicking the site under review and then opening the Configuration Editor. Switch to the section, the dropdown at the top of the configuration editor, system.webServer/security/access. The value for sslFlags should be ssl128. If not, this is a finding. If the site requires SSL and 128-bit encryption, then the version of SSL\TLS also needs to be verified. The following registry keys need to exist and be set to not allow anything lower than TLS. This can be accomplished by ensuring the following value exists in each of the keys: Enabled REG_DWORD 0 HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\PCT 1.0\Client HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\PCT 1.0\Server HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 2.0\Client HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 2.0\Server HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 3.0\Client HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 3.0\Server If these keys are not set to a DWORD value of 0, this is a finding. If the keys do not contain the value "Enabled", this would also be a finding. The keys for TLS 1.0 do not require the "Enabled" value to be present, but if it is, it needs to be set to REG_DWORD 1, to enable TLS. If the "Enabled" value is present and set to 0, this is a finding. TLS 1.1 and 1.2 are not supported in versions prior to IIS 7.5. If the version of IIS is prior to 7.5, the check for TLS 1.1 and 1.2 is NA. TLS 1.1 and 1.2 are not enabled by default, therefore the following registry keys must exist and contain the the following values to enable TLS 1.1 and 1.2. DisabledByDefault REG_DWORD 0 Enabled REG_DWORD 1 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server If any of the registry keys for TLS 1.1 or TLS 1.2 are not present or are not set correctly, this is a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click SSL icon. 4. Check the Require SSL and Require 128-bit SSL check box.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click Configuration Editor. 4. From the drop-down box select system.webserver serverRuntime. If alternateHostName has no assigned value, this is a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click Configuration Editor. 4. Click the drop-down box located at the top of the Configuration Editor Pane. 5. Scroll until you find system.webserver/serverRuntime, double-click the element, and add the appropriate value.
1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings in the Action Pane. 4. Under the General section review the application pool name. 5. If any websites share an application pool, this is a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings in the Action Pane. 4. Under the General section click on the application pool name, then click on the application pool selection button. 5. Select the desired application pool in the application pool dialogue box.
Note: Recycling Application Pools can create an unstable environment in a 64-bit Sharepoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight the desired application pool and click Recycling... in the Action Pane. 4. Review the Fixed Intervals section. If both Regular time intervals and Specific time(s) are unchecked, this is a finding. If only Regular Time Intervals is checked and the value is set to 0, this is a finding. NOTE: Do not click Recycle!
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an application pool and click Recycling... in the Action Pane. 4. Choose a fixed interval type of fixed time and/or specific time. If regular time interval is the only type chosen, then the value entered must be greater than 0. NOTE: Do not click Recycle!
Note: Recycling Application Pools can create an unstable environment in a 64-bit Sharepoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and ensure the value for Request Limit is set to a value other than 0. If not, this is a finding.
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and set the value for Request Limit to a value other than 0.
Note: Recycling Application Pools can create an unstable environment in a 64-bit Sharepoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. 1. Open the IIS Manager. 2. Click on Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. In the advanced settings dialog box scroll down to the recycling section and ensure the value for Virtual Memory Limit is not set to 0. If it is, this is a finding.
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. In the advanced settings dialog box scroll down to the recycling section and set the value for Virtual Memory Limit to a value other than 0.
Note: Recycling Application Pools can create an unstable environment in a 64-bit Sharepoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and ensure the value for Private Memory Limit is set to a value other than 0. If not, this is a finding.
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and set the value for Private Memory Limit to a value other than 0.
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and ensure the value for Idle Time out is set to 20. If not, this is a finding. NOTE: If the site has operational reasons to set Idle Time out to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and set the value for Idle Time-out to 20.
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the General section and ensure the value for Queue Length is set to 1000. If not, this is a finding. NOTE: If the site has operational reasons to set Queue Length to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the General section and set the value for Queue Length to 1000.
1. Open the Internet Information Services (IIS) Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and ensure the value for Ping Enabled is set to True. If not, this is a finding.
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and set the value for Ping Enabled to True.
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and ensure the value for Enabled is set to True. If not, this is a finding.
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and set the value for Enabled to True.
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and ensure the value for Failure Interval is set to 5. If not, this is a finding. NOTE: If the site has operational reasons to set Failure Interval to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and set the value for Failure Interval to 5.
This check is only applicable when IIS is running on Windows Server 2008 SP2 or Windows Server 2008 R2. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and ensure the value for Identity is set to ApplicationPoolIdentity, Network Service or a custom identity. If not, this is a finding.
1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and set the value for Identity to ApplicationPoolIdentity, Network Service or a custom identity with rights and privileges equal to or less than the built-in security principle.
Review the web site to determine if HTTP and HTTPs (e.g., 80 and 443) are used in accordance with those ports and services registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM. 1. Open the IIS Manager. 2. Click the site name under review. 3. In the Action Pane, click Bindings. 4. Review the ports and protocols. If unknown ports or protocols are used, then this is a finding.
Ensure the web site enforces the use of HTTP and HTTPS in accordance with PPSM guidance. 1. Open the IIS Manager. 2. Click the site name under review. 3. In the Action Pane, click Bindings. 4. Edit to change an existing binding and set the correct ports and protocol.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click .NET Compilation. 4. Scroll down to the Behavior section and ensure the value for Debug is set to False. If not, this is a finding. NOTE: If the .NET feature is not installed, this check is not applicable.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click .NET Compilation 4. Scroll down to the Behavior section and set the value for Debug to False.
1. Open the "IIS Manager". 2. Click the site name under review. 3. Double-click the "Machine Key" in the website "Home Pane". 4. Ensure "SHA1" is selected for the "Validation method". If not, this is a finding.
1. Open the "IIS Manager". 2. Click the site name under review. 3. Double-click the "Machine Key" in the website "Home Pane". 4. Set the "Validation method" to "SHA1".
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Error Pages icon. 4. Click each error message and click Edit Feature Setting from the Actions Pane. If any error message is not set to “Detailed errors for local requests and custom error pages for remote requests”, this is a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Error Pages icon. 4. Click each error message and click Edit Feature Setting from the Actions Pane; set each error message to “Detailed errors for local requests and custom error pages for remote requests”.
Note: If the server being reviewed is a non-production website, this is Not Applicable. Note: Setting a web application Trust Level to MEDIUM may deny some application permissions. If compatibility issues with applications require trust level to be less than "Medium", this check can be downgraded to a Cat III with supporting documentation from the Authorizing Official (AO). 1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the ".NET Trust Level" icon. 4. If the .NET Trust level is not set to "Medium" or less, this is a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the ".NET Trust Level" icon. 4. Set the .NET Trust level to "Medium" or less and click "Apply".
For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the maxAllowedContentLength value is not set to 30000000, this is a finding. NOTE: If the site has operational reasons to set maxAllowedContentLength to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Set the maxAllowedContentLength value to 30000000.
For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the maxURL value is not set to 4096, this is a finding. NOTE: If the site has operational reasons to set maxURL to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Set the maxURL value to 4096.
For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the Maximum Query String value is not set to 2048, this is a finding. NOTE: If the site has operational reasons to set Maximum Query String to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Set the Maximum Query String value to 2048.
For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the allow high-bit characters checkbox is checked, this is a finding. NOTE: If the site has operational reasons to set allow high-bit characters to checked, this vulnerability can be documented locally by the ISSM/ISSO.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Uncheck the allow high-bit characters checkbox.
For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the allow double escaping checkbox is checked, this is a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Uncheck the allow double escaping checkbox.
For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If allow unlisted file extensions checkbox is checked, this is a finding.
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Uncheck the allow unlisted file extensions checkbox.
Procedure: Open IIS Manager, Select Help, Select About IIS. Microsoft support for Internet Information Services (IIS) 7 ended 2020 January. If IIS 7 is installed on a system, this is a finding.
Upgrade IIS to a supported software version.