IIS 7.0 WEB SITE STIG

Details

Version / Release: V1R10

Published: 2016-02-11

Updated At: 2018-09-23 02:54:17




Vuln | Rule Version | Severity | Title | Description | Responsibility, IA Controls
SV-32529r2_rule | WG210 IIS7 | MEDIUM | Web content directories must not be anonymously shared. | Anonymously shared directories are exposed to unnecessary risk. Any unnecessary exposure increases the risk that an intruder could exploit this access and compromise the web content or cause web server performance problems. | System Administrator, Web Administ
SV-32327r2_rule | WG400 IIS7 | MEDIUM | All interactive programs must be placed in unique designated folders. | CGI & ASP scripts represent one of the most common and exploitable means of compromising a web server. All CGI & ASP program files must be segregated into their own unique folder to simplify the protection of these files. ASP scripts must be placed into |
SV-32326r2_rule | WG410 IIS7 | MEDIUM | All interactive programs must have restrictive access controls. | CGI is a programming standard for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does repres |
SV-32630r2_rule | WG420 IIS7 | LOW | Backup interactive scripts must be removed from the web site. | Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as the actual script being executed and, as such, are useful |
SV-32323r3_rule | WG110 IIS7 | MEDIUM | Web sites must limit the number of simultaneous requests. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web-site, facilitating a Denial of Service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP addr |
SV-32324r2_rule | WG170 IIS7 | LOW | Each readable web document directory must contain a default, home, index, or equivalent document. | The goal is to control the web users' experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Also, e |
SV-32329r3_rule | WG230 IIS7 | HIGH | Web server/site administration must be performed over a secure path. | Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and can easily be compromised. When performing remote administra |
SV-32636r2_rule | WG240 IIS7 | MEDIUM | Web-site logging must be enabled. | A major tool in exploring the web site use, attempted use, unusual conditions, and problems are reported in the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. | System
SV-39694r2_rule | WG250 IIS7 | MEDIUM | Only auditors, SAs or web administrators may access web server log files. | A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. To ensure the inte |
SV-2254r3_rule | WG260 | MEDIUM | Only web sites that have been fully reviewed and tested will exist on a production web server. | In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of tria |
SV-32331r2_rule | WG290 IIS7 | HIGH | Access to the web content and script directories must be restricted. | Excessive permission for the anonymous web user account is a common fault contributing to the compromise of a web server. If this account is able to upload and execute files on the web server, the organization or owner of the server will no longer have co |
SV-32333r4_rule | WG310 IIS7 | MEDIUM | A web site must not contain a robots.txt file. | Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In turn, these search engines make the content they obtain and c |
SV-32334r4_rule | WG340 IIS7 | MEDIUM | A private web server must utilize an approved TLS version. | Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily |
SV-32531r2_rule | WG350 IIS7 | MEDIUM | A private web server must have a valid server certificate. | This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not issued by the DoD or if the certificate |
SV-32335r3_rule | WA000-WI050 IIS7 | HIGH | Unapproved script mappings in IIS 7 must be removed. | IIS 7 will either allow or deny script execution based on file extension. The ability to control script execution is controlled through two features with IIS 7, Request Filtering and Handler Mappings. For Handler Mappings, the ISSO must document and appr |
SV-32378r2_rule | WG205 IIS7 | MEDIUM | The web document (home) directory must be in a separate partition from the web server’s system files. | The web document (home) directory is accessed by multiple anonymous users when the web server is in production. By locating the web document (home) directory on the same partition as the web server system file the risk for unauthorized access to these pr |
SV-32379r2_rule | WA000-WI070 IIS7 | LOW | Indexing Services must only index web content. | The indexing service can be used to facilitate a search function for web-sites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only. | S
SV-32642r3_rule | WG265 IIS7 | LOW | The required DoD banner page must be displayed to authenticated users accessing a DoD private website. | A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document, DoDI 8500.01, establishes the policy on the use of DoD information s |
SV-32380r3_rule | WG140 IIS7 | MEDIUM | A private web-site's authentication mechanism must use client certificates. | A DoD private web-site must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication |
SV-32644r2_rule | WG520 IIS7 | LOW | All web-sites must be assigned a default Host header. | In order to reduce the possibility of DNS rebinding attacks and IP-based scans, all web-sites allowing HTTP/HTTPS over ports 80/443 will be assigned default Host headers. | System Administrator, Web Administrator, ECSC-1
SV-32466r2_rule | WA000-WI090 IIS7 | MEDIUM | Directory Browsing must be disabled. | The Directory Browsing feature can be used to facilitate a directory traversal exploit. Directory browsing must be disabled. | Web Administrator, ECSC-1
SV-32473r2_rule | WG355 IIS7 | MEDIUM | A private web-site must utilize certificates from a trusted DoD CA. | The use of a DoD PKI certificate ensures clients the private web site they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy. | System Administrator, Information Assurance Officer, Web Administrator, IATS-1, IATS-2
SV-14278r2_rule | WG235 | HIGH | Remote authors or content providers will only use secure encrypted logons and connections to upload files to the Document Root directory. | Logging in to a web server via a telnet session or using HTTP or FTP in order to upload documents to the web site is a risk if proper encryption is not utilized to protect the data being transmitted. A secure shell service or HTTPS needs to be installed a |
SV-32480r2_rule | WG242 IIS7 | MEDIUM | Log files must consist of the required data fields. | Log files are a critical component to the successful management of an IS used within the DoD. By generating log files with useful information web administrators can leverage them in the event of a disaster, malicious attack, or other site specific needs. |
SV-46353r2_rule | WG255 IIS7 | MEDIUM | Access to the web-site log files must be restricted. | A major tool in exploring the web-site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Failure to protect |
SV-32483r3_rule | WG342 IIS7 | MEDIUM | Public web servers must use TLS if authentication is required. | Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would b |
SV-32514r2_rule | WA000-WI120 IIS7 | LOW | The Content Location header must not contain proprietary IP addresses. | When using static HTML pages, a Content-Location header is added to the response. The Internet Information Server (IIS) Content-Location may reference the IP address of the server, rather than the Fully Qualified Domain Name (FQDN) or Hostname. This head |
SV-32515r2_rule | WA000-WI6010 IIS7 | MEDIUM | The website must have a unique application pool. | Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool. | Web Admini
SV-46344r3_rule | WA000-WI6020 IIS7 | MEDIUM | The application pool must have a recycle time set. | Application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. | Web Administrator, ECSC-1
SV-46345r3_rule | WA000-WI6022 IIS7 | MEDIUM | The maximum number of requests an application pool can process must be set. | IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept runni |
SV-46347r3_rule | WA000-WI6024 IIS7 | MEDIUM | The amount of virtual memory an application pool uses must be set. | IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept runni |
SV-46349r3_rule | WA000-WI6026 IIS7 | MEDIUM | The amount of private memory an application pool uses must be set. | IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept runni |
SV-32572r3_rule | WA000-WI6028 IIS7 | MEDIUM | The Idle Timeout monitor must be enabled. | The idle time-out attribute controls the amount of time a worker process will remain idle before it shuts down. A worker process is idle if it is not processing requests and no new requests are received. The purpose of this attribute is to conserve syste |
SV-32573r3_rule | WA000-WI6030 IIS7 | MEDIUM | The maximum queue length for HTTP.sys must be managed. | In order to determine the possible causes of client connection errors and to conserve system resources, it is important to both log errors and manage those settings controlling requests to the application pool. | Web Administrator, ECSC-1
SV-32574r2_rule | WA000-WI6032 IIS7 | MEDIUM | An application pool’s pinging monitor must be enabled. | Windows Process Activation Service (WAS) manages application pool configurations and may flag a worker process as unhealthy and shut it down. An application pool’s pinging monitor must be enabled to confirm worker processes are functional. A lack of res |
SV-32603r2_rule | WA000-WI6034 IIS7 | MEDIUM | An application pool’s rapid fail protection must be enabled. | Rapid fail protection is a feature that interrogates the health of worker processes associated with web sites and web applications. It can be configured to perform a number of actions such as shutting down and restarting worker processes that have reached |
SV-32605r3_rule | WA000-WI6036 IIS7 | MEDIUM | An application pool’s rapid fail protection settings must be managed. | Windows Process Activation Service (WAS) manages application pool configuration and may flag a worker process as unhealthy and shut it down. The rapid fail protection must be set to a suitable value. A lack of response from the worker process might mean |
SV-46365r2_rule | WA000-WI6040 IIS7 | HIGH | The application pool identity must be defined for each web-site. | The Worker Process Identity is the user defined to run an application pool. The IIS 7 worker processes, by default, run under the NetworkService account. Creating a custom identity for each application pool will better track issues occurring within each w |
SV-33822r2_rule | WG610 IIS7 | LOW | Web sites must utilize ports, protocols, and services according to PPSM guidelines. | Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS. The IAM will ensure web servers are configured to use only authorized PPS in accordance |
SV-32662r2_rule | WA000-WI6140 IIS7 | LOW | Debug must be turned off on a production website. | Setting compilation debug to false ensures detailed error information does not inadvertently display during live application usage, mitigating the risk of application information being displayed to users. | Web Administrator, ECSC-1
SV-33314r2_rule | WA000-WI6180 IIS7 | MEDIUM | The production web-site must utilize SHA1 encryption for Machine Key. | The Machine Key element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, forms |
SV-32682r2_rule | WA000-WI6165 | LOW | The production web-site must be configured to prevent detailed HTTP error pages from being sent to remote clients. | HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote requesters exposes internal configuration information to potenti |
SV-46354r2_rule | WA000-WI6200 | MEDIUM | The production web-site must configure the Global .NET Trust Level. | An application's trust level determines the permissions granted by the ASP.NET Code Access Security (CAS) policy. An application with full trust permissions may access all resource types on a server and perform privileged operations, while applications r |
SV-32692r3_rule | WA000-WI6210 | MEDIUM | The web-site must limit the number of bytes accepted in a request. | By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. The maxAllowedContentLength Request Filter limits the number of bytes the server will accept in a request. | Web Administrator
SV-32693r3_rule | WA000-WI6220 | MEDIUM | The production web-site must limit the MaxURL. | Request filtering replaces URLScan in IIS, enabling administrators to create a more granular rule set with which to allow or reject inbound web content. By setting limits on web requests, it helps to ensure availability of web services and may also help |
SV-32694r3_rule | WA000-WI6230 | MEDIUM | The production web-site must configure the Maximum Query String limit. | By setting limits on web requests, it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The Maximum Query String Request Filter describes the upper limit on allowable query string lengths. |
SV-32695r4_rule | WA000-WI6240 | MEDIUM | The web-site must not allow non-ASCII characters in URLs. | By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. The allow high-bit characters Request Filter enables rejection of requests containing non-ASCII characters. | Web Administrato
SV-32696r2_rule | WA000-WI6250 | MEDIUM | The web-site must not allow double encoded URL requests. | Request filtering enables administrators to create a more granular rule set with which to allow or reject inbound web content. By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type atta |
SV-32697r2_rule | WA000-WI6260 | MEDIUM | The production web-site must filter unlisted file extensions in URL requests. | Request filtering enables administrators to create a more granular rule set to allow or reject inbound web content. By setting limits on web requests it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow |