IIS 7.0 WEB SITE STIG V1R5

b

Web content directories must not be anonymously shared.

Medium - V-2226 - SV-32529r1_rule

RMF Control

Severity

M

CCI

Version

WG210 IIS7

Vuln IDs

V-2226

Rule IDs

SV-32529r1_rule

Anonymously shared directories are exposed to unnecessary risk. Any unnecessary exposure increases the risk that an intruder could exploit this access and compromise the web content or cause web server performance problems.System AdministratorWeb AdministratorECCD-1, ECCD-2

Checks: C-32831r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Click Edit Permissions on the Actions Pane. 4. Click the Sharing tab. 5. If there are any anonymous shares under Network File and Folder sharing, this is a finding.

Fix: F-29056r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Click Edit Permissions on the Actions Pane. 4. Select the Sharing button. 5. Click Share and then click stop sharing.

b

All interactive programs must be placed in unique designated folders.

Medium - V-2228 - SV-32327r1_rule

RMF Control

Severity

M

CCI

Version

WG400 IIS7

Vuln IDs

V-2228

Rule IDs

SV-32327r1_rule

CGI & ASP scripts represent one of the most common and exploitable means of compromising a web server. All CGI & ASP program files must be segregated into their own unique folder to simplify the protection of these files. ASP scripts must be placed into a unique folder only containing other ASP scripts. JAVA and other technology-specific scripts must also be placed into their own unique folders. The placement of CGI, ASP, or equivalent scripts to special folders gives the Web Manager or the SA control over what goes into those folders and to facilitate access control at the folder level.System AdministratorWeb AdministratorDCPA-1

Checks: C-32733r1_chk

Determine whether scripts are used on the web server for the target website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. If the web site does not utilize CGI or ASP, this finding is N/A. All interactive programs must be placed in unique designated folders based on CGI or ASP script type. 1. Open the IIS Manager. 2. Right-click on the Site name and select Explore. 3. Search for the listed script extensions. 4. Each script type must be in its unique designated folder. If scripts are not segregated from web content and in their own unique folders, then this is a finding.

Fix: F-29057r1_fix

All interactive programs must be placed in unique designated folders based on CGI or ASP script type. 1. Open the IIS Manager. 2. Right-click on the Site name and select Explore. 3. Search for the listed script extensions. 4. Move each script type to its unique designated folder. 5. Set the permissions to the scripts folders as follows: Administrators: FULL TrustedInstaller: FULL SYSTEM: FULL ApplicationPoolId: READ Custom Service Account: READ Users: READ

b

All interactive programs must have restrictive access controls.

Medium - V-2229 - SV-32326r1_rule

RMF Control

Severity

M

CCI

Version

WG410 IIS7

Vuln IDs

V-2229

Rule IDs

SV-32326r1_rule

CGI is a programming standard for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does represent a CGI script, but CGI scripts may be written in a number of programming languages (e.g., PERL, C, PHP, and JavaScript), each having their own unique file extension. The use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network.Web AdministratorECLP-1

Checks: C-32732r1_chk

Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. If the web site does not utilize CGI, this finding is N/A. All interactive programs must have restrictive permissions. 1. Open the IIS Manager. 2. Right-click on the Site name and select Explore. 3. Search for the listed script extensions. 4. Set the permissions to the CGI scripts as follows: Administrators: FULL TrustedInstaller: FULL SYSTEM: FULL ApplicationPoolId: READ Custom Service Account: READ Users: READ If the permissions listed above are less restrictive, this is a finding.

Fix: F-29058r1_fix

All interactive programs must have restrictive permissions. 1. Open the IIS Manager. 2. Right-click on the Site name and select Explore. 4. Search for the listed script extensions. 5. Set the permissions to the CGI scripts as follows: Administrators: FULL TrustedInstaller: FULL SYSTEM: FULL ApplicationPoolId: READ Custom Service Account: READ Users: READ

a

Backup interactive scripts must be removed from the web site.

Low - V-2230 - SV-32630r1_rule

RMF Control

Severity

L

CCI

Version

WG420 IIS7

Vuln IDs

V-2230

Rule IDs

SV-32630r1_rule

Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as the actual script being executed and, as such, are useful to malicious users. Techniques and systems exist today to search web servers for such files and are able to exploit the information contained in them.System AdministratorWeb AdministratorECSC-1

Checks: C-30361r1_chk

This check is limited to CGI/interactive content and not static HTML. Search for the following files: *.bak, *.old, *.temp, *.tmp, *.backup, or ‘copy of...’. If files with these extensions are found, this is a finding.

Fix: F-29059r1_fix

Remove the backup files from the production web site.

b

Web sites must limit the number of simultaneous requests.

Medium - V-2240 - SV-32323r2_rule

RMF Control

Severity

M

CCI

Version

WG110 IIS7

Vuln IDs

V-2240

Rule IDs

SV-32323r2_rule

Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web-site, facilitating a Denial of Service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive (i.e., a parameter used to limit the amount of time a connection may be inactive). Web AdministratorECSC-1

Checks: C-32730r3_chk

1. Open an administrator command prompt. 2. CD \Windows\system32\inetserv 3. Enter the command: appcmd list config /section:system.applicationHost/sites>out.txt (opens output in Notepad). 4. Review the results and verify each web site has a value greater than zero listed for maxconnections parameter. If not, this is a finding. If nothing is listed, this is also a finding.

Fix: F-29195r4_fix

For the site under review, determine the maximum number of connections needed. 1. Open an administrator command prompt. 2. CD \Windows\system32\inetserv 3. Enter the command: appcmd set config /section:system.applicationHost/sites "/[name='SITENAME'].limits. maxConnections:X" /commit:apphost Note: Replace SITENAME with the site under review and X with the maximum number of connections allowable. 5. Enter the command to verify changes: appcmd list config –section:system.applicationHost/sites>out.txt (opens output in Notepad).

a

Each readable web document directory must contain a default, home, index, or equivalent document.

Low - V-2245 - SV-32324r1_rule

RMF Control

Severity

L

CCI

Version

WG170 IIS7

Vuln IDs

V-2245

Rule IDs

SV-32324r1_rule

The goal is to control the web users experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server’s directory structure by locating directories with default pages. This practice helps ensure the anonymous web user will not obtain directory browsing information or an error message revealing the server type and version.Web AdministratorECAN-1, ECSC-1

Checks: C-32731r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click Default Document. 4. In the Actions Pane, verify the Default Document feature is enabled. If not, this is a finding. 5. Review the document types. 6. Click the Content View tab and ensure there is a document of that type in the directory. If not, this is a finding.

Fix: F-29061r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click Default Document. 4. In the Action pane select Enable. 5. Click the Content View tab and ensure there is a document of that type in the directory.

c

Web server/site administration must be performed over a secure path.

High - V-2249 - SV-32329r1_rule

RMF Control

Severity

H

CCI

Version

WG230 IIS7

Vuln IDs

V-2249

Rule IDs

SV-32329r1_rule

Logging into a web server via a telnet session or using HTTP or FTP to perform updates and maintenance carries risk because user IDs and passwords are passed in the plain text. A secure shell service or HTTPS should be used for these purposes. Another alternative is to administer the web server/site from the local console.System AdministratorEBRU-1, EBRP-1

Checks: C-32735r1_chk

1. Right-click the Computer icon, select Properties. 2. Click Remote Settings. 3. If Allow connections only from computers running remote desktop with Network Level Authentication is not selected, this is a finding.

Fix: F-29062r1_fix

1. Develop documentation listing those individuals who are authorized to perform remote administration. 2. Right-click the Computer icon, select Properties 3. Click Remote Settings 4. Select Allow connections only from computers running remote desktop with Network Level Authentication. 5. Click Select Users and add the users to the list the SA has documented as authorized to access the system remotely.

b

Web-site logging must be enabled.

Medium - V-2250 - SV-32636r1_rule

RMF Control

Severity

M

CCI

Version

WG240 IIS7

Vuln IDs

V-2250

Rule IDs

SV-32636r1_rule

A major tool in exploring the web site use, attempted use, unusual conditions, and problems are reported in the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. System AdministratorWeb AdministratorECAT-2, ECAT-1

Checks: C-33496r1_chk

1. Open the IIS Manager. 2. Click the site name. 3. Double-click Logging 4. Ensure logging is enabled. If logging is not enabled, this is a finding.

Fix: F-29196r1_fix

1. Open the IIS Manager. 2. Click the site name. 3. Double-click Logging. 4. Click the Enable option from the Action Pane, click apply.

b

Only auditors, SAs or web administrators may access web server log files.

Medium - V-2252 - SV-39694r1_rule

RMF Control

Severity

M

CCI

Version

WG250 IIS7

Vuln IDs

V-2252

Rule IDs

SV-39694r1_rule

A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. To ensure the integrity of the log files and protect the SA and the web manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.System AdministratorWeb AdministratorECTP-1

Checks: C-29362r1_chk

Query the SA to determine who has update access to the web server log files. The role of auditor and the role of SA should be distinctly separate. An individual functioning as an Auditor should not also serve as an SA due to a conflict of interest. Only management authorized individuals with a privileged ID or group ID associated with an auditor role will have access permission to log files that are greater than read on web servers he or she has been authorized to audit. Only management authorized individuals with a privileged ID or group ID associated with either an SA or web administrator role may have read authority to log files for the web servers he or she has been authorized to administer. No other individuals may access log files. If IDs associated with roles other than auditors, SAs, or web administrators have any access to log files, this is a finding. If an SA or a web administrator has greater than read authority to log files, this is a finding. This check does not apply to service IDs utilized by automated services necessary to process, manage, and store log files.

Fix: F-27466r1_fix

Ensure that write or greater authority to web server log files is only granted to auditors. Ensure that only auditors, SAs, or web administrators may read web server log files.

c

Access to the web content and script directories must be restricted.

High - V-2258 - SV-32331r1_rule

RMF Control

Severity

H

CCI

Version

WG290 IIS7

Vuln IDs

V-2258

Rule IDs

SV-32331r1_rule

Excessive permission for the anonymous web user account is a common fault contributing to the compromise of a web server. If this account is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.System AdministratorWeb AdministratorECLP-1

Checks: C-32737r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. In the Action Pane select Edit Permissions. 4. Select the Security tab. 5. Review the permissions for the accounts. If the IUSR or Everyone Account permission is greater than read, this is a finding.

Fix: F-29064r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. In the Action Pane select Edit Permissions. 4. Select the Security tab. 5. Set the permissions for the accounts IUSR and Everyone to read.

b

A web site must not contain a robots.txt file.

Medium - V-2260 - SV-32333r3_rule

RMF Control

Severity

M

CCI

Version

WG310 IIS7

Vuln IDs

V-2260

Rule IDs

SV-32333r3_rule

Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In turn, these search engines make the content they obtain and catalog available to any public web user. To request that a well behaved search engine not crawl and catalog a site, the web site may contain a file called robots.txt. This file contains directories and files that the web server SA desires not be crawled or cataloged, but this file can also be used, by an attacker or poorly coded search engine, as a directory and file index to a site. This information may be used to reduce an attacker’s time searching and traversing the web site to find files that might be relevant. If information on the web site needs to be protected from search engines and public view, other methods must be used.Web AdministratorECLP-1

Checks: C-32739r4_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Content View tab. 4. If the robots.txt file does exist, this is a finding.

Fix: F-29066r5_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Under the Actions pane, click Explore. 4. Delete the robots.txt file. NOTE: If there is information on the web site that needs protection from search engines and public view, then other methods must be used to safeguard the data.

b

A private web server must utilize TLS v 1.0 or greater.

Medium - V-2262 - SV-32334r2_rule

RMF Control

Severity

M

CCI

Version

WG340 IIS7

Vuln IDs

V-2262

Rule IDs

SV-32334r2_rule

TLS encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring its confidentiality. If private information is not encrypted, it could be intercepted and easily read by an unauthorized party.Web AdministratorECSC-1

Checks: C-32740r3_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Double click the SSL Icon. 4. Ensure Require SSL and Require SSL 128-Bit are checked. Note: If the Require SSL 128-Bit setting is not visible, the setting can be viewed by clicking the site under review and then opening the Configuration Editor. Switch to the section, the dropdown at the top of the configuration editor, system.webServer/security/access. The value for sslFlags should be ssl128. If not, this is a finding.

Fix: F-29067r3_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double click the SSL Icon. 4. Click the Require SSL and Require SSL 128-Bit check boxes. Note: If the Require SSL 128-Bit setting is not visible, the setting can be set by clicking the site node and then opening the Configuration Editor. Switch to the section, the dropdown at the top of the configuration editor, system.webServer/security/access. Click the value beside the sslFlags and select ssl128 in the dropdown list.

b

A private web server must have a valid server certificate.

Medium - V-2263 - SV-32531r1_rule

RMF Control

Severity

M

CCI

Version

WG350 IIS7

Vuln IDs

V-2263

Rule IDs

SV-32531r1_rule

This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.Web AdministratorIATS-2, IATS-1

Checks: C-33498r1_chk

1. Open the IIS Manager. 2. Click on the Server name. 3. Double-Click the Server Certificate icon. 4. Double-Click each certificate and verify the certificate path is to a DoD root CA. If not, this is a finding.

Fix: F-29200r1_fix

1. Open the IIS Manager. 2. Click on the Server name. 3. Double-Click the Server Certificate icon. 4. Import a valid DoD certificate and remove any non-DoD certificates.

c

Unapproved script mappings in IIS 7 must be removed.

High - V-2267 - SV-32335r1_rule

RMF Control

Severity

H

CCI

Version

WA000-WI050 IIS7

Vuln IDs

V-2267

Rule IDs

SV-32335r1_rule

IIS 7 will either allow or deny script execution based on file extension. The ability to control script execution is controlled through two features with IIS 7, Request Filtering and Handler Mappings. For Handler Mappings, the IAO must document and approve all allowable file extensions the web site allows (white list) and denies (black list) by the web-site. The white list and black list will be compared to the Handler Mappings in IIS 7. Handler Mappings at the site level take precedence over Handler Mappings at the server level.Web AdministratorECSC-1

Checks: C-32741r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Double click Handler Mappings. 4. If any file extensions from the black list are enabled, this is a finding.

Fix: F-28820r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double click Handler Mappings. 4. Disable any file extensions listed on the black list that are enabled.

b

The web document (home) directory must be in a separate partition from the web server’s system files.

Medium - V-3333 - SV-32378r1_rule

RMF Control

Severity

M

CCI

Version

WG205 IIS7

Vuln IDs

V-3333

Rule IDs

SV-32378r1_rule

The web document (home) directory is accessed by multiple anonymous users when the web server is in production. By locating the web document (home) directory on the same partition as the web server system file the risk for unauthorized access to these protected files is increased. Additionally, having the web document (home) directory path on the same drive as the system folders also increases the potential for a drive space exhaustion attack.System AdministratorWeb AdministratorDCPA-1

Checks: C-32768r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings from the Actions Pane. 4. Review the Physical Path. If the Path is on the same partition as the OS, this is a finding.

Fix: F-29069r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings from the Actions Pane. 4. Change the Physical Path to the new partition and directory location.

a

Indexing Services must only index web content.

Low - V-3963 - SV-32379r1_rule

RMF Control

Severity

L

CCI

Version

WA000-WI070 IIS7

Vuln IDs

V-3963

Rule IDs

SV-32379r1_rule

The indexing service can be used to facilitate a search function for web-sites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only.System AdministratorWeb AdministratorECSC-1

Checks: C-32769r1_chk

1. Start regedit. 2. Navigate to KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs\. 3. If this key exists then indexing is enabled; if the key does not exist then this check is N/A. 4. Review the Catalogs keys to determine if directories other than web document directories are being indexed. If so, this is a finding.

Fix: F-29020r1_fix

1. Run MMC. 2. Add the Indexing Service snap-in. 3. Edit the indexed directories to only include web document directories.

a

The required DoD banner page must be displayed to authenticated users accessing a DoD private web-site.

Low - V-6373 - SV-32642r1_rule

RMF Control

Severity

L

CCI

Version

WG265 IIS7

Vuln IDs

V-6373

Rule IDs

SV-32642r1_rule

A consent banner will be in place to make prospective entrants aware that the web site they are about to enter is a DoD web site and their activity is subject to monitoring. The May 9, 2008 Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement, establishes interim policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for web sites with security and access controls. These are restricted and not publicly accessible. If the web site does not require authentication/authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html) or navigation to the web site via a browser can be used to confirm the information provided from interviewing the web staff.Web AdministratorECWM-1

Checks: C-33497r1_chk

The May 9, 2008 Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement, establishes interim policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for web sites with security and access controls. These are restricted and not publicly accessible. If the web site does not require authentication/authorization for use, then the banner does not need to be present. If a banner is required, the following banner page must be in place: “You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.” OR If your system cannot meet the character limits to store this amount of text in the banner, the following is another option for the warning banner: "I've read & consent to terms in IS user agreem't." NOTE: This has to be displayed only once when the individual enters the site and not for each page. If the access-controlled web site does not display this banner page before entry, this is a finding.

Fix: F-29197r1_fix

Configure a DoD private web-site to display the required DoD banner page when authentication is required for user access.

b

A private web-sites authentication mechanism must use client certificates.

Medium - V-6531 - SV-32380r1_rule

RMF Control

Severity

M

CCI

Version

WG140 IIS7

Vuln IDs

V-6531

Rule IDs

SV-32380r1_rule

A DoD private web-site must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private web-sites.Web AdministratorIATS-1, IATS-2

Checks: C-32933r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Double click the SSL icon. 4. Ensure Clients Certificate Required is checked. If not, this is a finding. NOTE: If the site has operational reasons to set Clients Certificate Required to unchecked, this vulnerability can be documented locally by the IAM/IAO.

Fix: F-28970r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double click the SSL icon. 4. Click Clients Certificate Required button.

a

All web-sites must be assigned a default Host header.

Low - V-6724 - SV-32644r1_rule

RMF Control

Severity

L

CCI

Version

WG520 IIS7

Vuln IDs

V-6724

Rule IDs

SV-32644r1_rule

In order to reduce the possibility of DNS rebinding attacks and IP-based scans, all web-sites allowing HTTP/HTTPS over ports 80/443 will be assigned default Host headers.System AdministratorWeb AdministratorECSC-1

Checks: C-32868r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Click Bindings in the Action Pane. 4. Ensure there are FQDN entries and IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. If not, this is a finding.

Fix: F-29019r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Click Bindings in the Action Pane. 4. Click Edit to add FQDNs, IP addresses, and ports.

b

Directory Browsing must be disabled.

Medium - V-6755 - SV-32466r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI090 IIS7

Vuln IDs

V-6755

Rule IDs

SV-32466r1_rule

The Directory Browsing feature can be used to facilitate a directory traversal exploit. Directory browsing must be disabled.Web AdministratorECSC-1

Checks: C-32785r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Click Directory browsing icon. 4. In the Alerts Pane ensure Directory Browsing is disabled. If not, this is a finding.

Fix: F-28974r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Click Directory browsing icon. 4. Click Disable in the Actions Pane to disable Directory Browsing.

b

A private web-site must utilize certificates from a trusted DoD CA.

Medium - V-13620 - SV-32473r1_rule

RMF Control

Severity

M

CCI

Version

WG355 IIS7

Vuln IDs

V-13620

Rule IDs

SV-32473r1_rule

The use of a DoD PKI certificate ensures clients the private web site they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.System AdministratorInformation Assurance OfficerWeb AdministratorIATS-2, IATS-1

Checks: C-32790r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Click Bindings in the Action Pane. 4. Click the HTTPS type from the box. 5. Click Edit. 6. Click View, review and verify the certificate path. If the list of CAs in the trust hierarchy does not lead to the DoD PKI Root CA, DoD-approved external certificate authority (ECA), or DoD-approved external partner, this is a finding. If HTTPS is not an available type under site bindings, this is a finding.

Fix: F-29071r1_fix

1. Open the IIS Manager. 2. Click the Server name. 3. Double-Click Server Certificates. 4. Click Import under the Actions Pane. 5. Browse to the DoD certificate location, select it, and click OK. 6. Remove any non-DoD certificates if present. 7. Click on the site needing the certificate. 8. Select Bindings under the Actions Pane. 9. Click on the binding needing a certificate and select edit, or add a site binding for HTTPS and execute step 10. 10. Assign the certificate to the web site by choosing it under the SSL Certificate drop down and clicking OK.

b

Log files must consist of the required data fields.

Medium - V-13688 - SV-32480r1_rule

RMF Control

Severity

M

CCI

Version

WG242 IIS7

Vuln IDs

V-13688

Rule IDs

SV-32480r1_rule

Log files are a critical component to the successful management of an IS used within the DoD. By generating log files with useful information web administrators can leverage them in the event of a disaster, malicious attack, or other site specific needs.System AdministratorWeb AdministratorECAR-1, ECAR-3, ECAR-2

Checks: C-32795r1_chk

Follow the procedures below for each site under review: 1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Under Format select W3C. 5. Click Select Fields, ensure at a minimum the following fields are checked: Date, Time, Client IP Address, User Name, Method, URI Query, Protocol Status, and Referrer. If not, this is a finding.

Fix: F-29074r1_fix

1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Under Format select W3C. 5. Select the following fields: Date, Time, Client IP Address, User Name, Method, URI Query, Protocol Status, and Referrer.

b

Access to the web-site log files must be restricted.

Medium - V-13689 - SV-46353r1_rule

RMF Control

Severity

M

CCI

Version

WG255 IIS7

Vuln IDs

V-13689

Rule IDs

SV-46353r1_rule

A major tool in exploring the web-site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Failure to protect log files could enable an attacker to modify the log file data or falsify events to mask an attacker's activity.System AdministratorWeb AdministratorECTP-1

Checks: C-32797r2_chk

Follow the procedures below for each site under review: 1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Click Browse. 5. Right-click the log file name to review and click Properties. 6. Click the Security tab; ensure only authorized groups are listed, if others are listed, this is a finding. NOTE: The log file should be restricted as follows: Administrators, SYSTEM, TrustedInstaller, Auditors group: Full

Fix: F-28988r1_fix

1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Click Browse. 5. Right-click the log file name to review and click Properties. 6. Click the Security tab. 7. Set the log file permissions for the appropriate group.

b

Public web servers must use TLS if authentication is required.

Medium - V-13694 - SV-32483r1_rule

RMF Control

Severity

M

CCI

Version

WG342 IIS7

Vuln IDs

V-13694

Rule IDs

SV-32483r1_rule

Encryption is optional for a public web server. However, if authentication and encryption are used, then the use of TLS is required. System AdministratorWeb AdministratorECCT-2, ECCT-1

Checks: C-32799r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click SSL icon. 4. Ensure Require SSL and Require 128-bit SSL are checked. If not, this is a finding.

Fix: F-29075r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click SSL icon. 4. Check the Require SSL and Require 128-bit SSL check box.

a

The Content Location header must not contain proprietary IP addresses.

Low - V-13702 - SV-32514r1_rule

RMF Control

Severity

L

CCI

Version

WA000-WI120 IIS7

Vuln IDs

V-13702

Rule IDs

SV-32514r1_rule

When using static HTML pages, a Content-Location header is added to the response. The Internet Information Server (IIS) Content-Location may reference the IP address of the server, rather than the Fully Qualified Domain Name (FQDN) or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses, to sending the FQDN instead.Web AdministratorECSC-1

Checks: C-32823r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click Configuration Editor. 4. From the drop-down box select system.webserver serverRuntime. If alternateHostName has no assigned value, this is a finding.

Fix: F-28934r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click Configuration Editor. 4. Click the drop-down box located at the top of the Configuration Editor Pane. 5. Scroll until you find system.webserver/serverRuntime, double-click the element, and add the appropriate value.

b

The website must have a unique application pool.

Medium - V-13703 - SV-32515r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6010 IIS7

Vuln IDs

V-13703

Rule IDs

SV-32515r1_rule

Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool. Web AdministratorECSC-1

Checks: C-32824r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings in the Action Pane. 4. Under the General section review the application pool name. 5. If any websites share an application pool, this is a finding.

Fix: F-28935r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings in the Action Pane. 4. Under the General section click on the application pool name, then click on the application pool selection button. 5. Select the desired application pool in the application pool dialogue box.

b

The application pool must have a recycle time set.

Medium - V-13704 - SV-46344r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6020 IIS7

Vuln IDs

V-13704

Rule IDs

SV-46344r1_rule

Application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks.Web AdministratorECSC-1

Checks: C-32828r6_chk

Note: Recycling Application Pools can create an unstable environment in a 64-bit Sharepoint environment. If operational issues arise, with supporting documentation from the IAO this check can be downgraded to a Cat III. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight the desired application pool and click advanced settings in the Action Pane. 4. Scroll down to the recycling section and ensure the value for Regular Time Interval is not set to 0. If it is, this is a finding.

Fix: F-28939r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an application pool and click advanced settings in the Action Pane. 4. Scroll down to the recycling section and set the value for Regular Time Interval to a value other than 0.

b

The maximum number of requests an application pool can process must be set.

Medium - V-13705 - SV-46345r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6022 IIS7

Vuln IDs

V-13705

Rule IDs

SV-46345r1_rule

IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.Web AdministratorECSC-1

Checks: C-32854r7_chk

Note: Recycling Application Pools can create an unstable environment in a 64-bit Sharepoint environment. If operational issues arise, with supporting documentation from the IAO this check can be downgraded to a Cat III. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and ensure the value for Request Limit is set to a value other than 0. If not, this is a finding.

Fix: F-28989r2_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and set the value for Request Limit to a value other than 0.

b

The amount of virtual memory an application pool uses must be set.

Medium - V-13706 - SV-46347r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6024 IIS7

Vuln IDs

V-13706

Rule IDs

SV-46347r1_rule

IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.Web AdministratorECSC-1

Checks: C-32855r5_chk

Note: Recycling Application Pools can create an unstable environment in a 64-bit Sharepoint environment. If operational issues arise, with supporting documentation from the IAO this check can be downgraded to a Cat III. 1. Open the IIS Manager. 2. Click on Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. In the advanced settings dialog box scroll down to the recycling section and ensure the value for Virtual Memory Limit is not set to 0. If it is, this is a finding.

Fix: F-28990r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. In the advanced settings dialog box scroll down to the recycling section and set the value for Virtual Memory Limit to a value other than 0.

b

The amount of private memory an application pool uses must be set.

Medium - V-13707 - SV-46349r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6026 IIS7

Vuln IDs

V-13707

Rule IDs

SV-46349r1_rule

IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.Web AdministratorECSC-1

Checks: C-32856r4_chk

Note: Recycling Application Pools can create an unstable environment in a 64-bit Sharepoint environment. If operational issues arise, with supporting documentation from the IAO this check can be downgraded to a Cat III. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and ensure the value for Private Memory Limit is set to a value other than 0. If not, this is a finding.

Fix: F-28991r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and set the value for Private Memory Limit to a value other than 0.

b

The Idle Timeout monitor must be enabled.

Medium - V-13708 - SV-32572r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6028 IIS7

Vuln IDs

V-13708

Rule IDs

SV-32572r1_rule

The idle time-out attribute controls the amount of time a worker process will remain idle before it shuts down. A worker process is idle if it is not processing requests and no new requests are received. The purpose of this attribute is to conserve system resources; the default value for idle time-out is 20 minutes. By default, the World Wide Web (WWW) service establishes an overlapped recycle, in which the worker process to be shut down is kept running until after a new worker process is started.Web AdministratorECSC-1

Checks: C-32857r1_chk

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and ensure the value for Idle Time out is set to 20. If not, this is a finding. NOTE: If the site has operational reasons to set Idle Time out to an alternate value, and has supporting documentation signed by the IAO, this is not a finding.

Fix: F-28992r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and set the value for Idle Time-out to 20.

b

The maximum queue length for HTTP.sys must be managed.

Medium - V-13709 - SV-32573r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6030 IIS7

Vuln IDs

V-13709

Rule IDs

SV-32573r1_rule

In order to determine the possible causes of client connection errors and to conserve system resources, it is important to both log errors and manage those settings controlling requests to the application pool.Web AdministratorECSC-1

Checks: C-32858r1_chk

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the General section and ensure the value for Queue Length is set to 1000. If not, this is a finding. NOTE: If the site has operational reasons to set Queue Length to an alternate value, and has supporting documentation signed by the IAO, this is not a finding.

Fix: F-28993r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the General section and set the value for Queue Length to 1000.

b

An application pool’s pinging monitor must be enabled.

Medium - V-13710 - SV-32574r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6032 IIS7

Vuln IDs

V-13710

Rule IDs

SV-32574r1_rule

Windows Process Activation Service (WAS) manages application pool configurations and may flag a worker process as unhealthy and shut it down. An application pool’s pinging monitor must be enabled to confirm worker processes are functional. A lack of response from the worker process might mean the worker process does not have a thread to respond to the ping request, or it is hanging for some other reason. The ping interval and ping response time may need adjustment to gain access to timely information about application pool health without triggering false, unhealthy conditions; for example, instability caused by an application.Web AdministratorECSC-1

Checks: C-32859r1_chk

1. Open the Internet Information Services (IIS) Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and ensure the value for Ping Enabled is set to True. If not, this is a finding.

Fix: F-28994r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and set the value for Ping Enabled to True.

b

An application pool’s rapid fail protection must be enabled.

Medium - V-13711 - SV-32603r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6034 IIS7

Vuln IDs

V-13711

Rule IDs

SV-32603r1_rule

Rapid fail protection is a feature that interrogates the health of worker processes associated with web sites and web applications. It can be configured to perform a number of actions such as shutting down and restarting worker processes that have reached failure thresholds. By not setting rapid fail protection the web server could become unstable in the event of a worker process crash potentially leaving the web server unusable.Web AdministratorECSC-1

Checks: C-32864r1_chk

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and ensure the value for Enabled is set to True. If not, this is a finding.

Fix: F-29008r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and set the value for Enabled to True.

b

An application pool’s rapid fail protection settings must be managed.

Medium - V-13712 - SV-32605r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6036 IIS7

Vuln IDs

V-13712

Rule IDs

SV-32605r1_rule

Windows Process Activation Service (WAS) manages application pool configuration and may flag a worker process as unhealthy and shut it down. The rapid fail protection must be set to a suitable value. A lack of response from the worker process might mean the worker process does not have a thread to respond to the ping request, or that it is hanging for some other reason. The ping interval and ping response time may need adjustment to gain access to timely information about application pool health without triggering false, unhealthy conditions.Web AdministratorECSC-1

Checks: C-32865r1_chk

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and ensure the value for Failure Interval is set to 5. If not, this is a finding. NOTE: If the site has operational reasons to set Failure Interval to an alternate value, and has supporting documentation signed by the IAO, this is not a finding.

Fix: F-29009r1_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and set the value for Failure Interval to 5.

c

The application pool identity must be defined for each web-site.

High - V-13713 - SV-46365r1_rule

RMF Control

Severity

H

CCI

Version

WA000-WI6040 IIS7

Vuln IDs

V-13713

Rule IDs

SV-46365r1_rule

The Worker Process Identity is the user defined to run an application pool. The IIS 7 worker processes, by default runs under the NetworkService account. Creating a custom identity for each application pool will better track issues occurring within each web-site. When a custom identity is used, the rights and privileges must not exceed those associated with the NetworkService security principal.Web AdministratorECSC-1

Checks: C-32866r3_chk

This check is only applicable when IIS is running on Windows Server 2008 SP2 or Windows Server 2008 R2. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and ensure the value for Identity is set to ApplicationPoolIdentity, Network Service or a custom identity. If not, this is a finding.

Fix: F-29010r2_fix

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and set the value for Identity to ApplicationPoolIdentity, Network Service or a custom identity with rights and privileges equal to or less than the built-in security principle.

a

Web sites must utilize ports, protocols, and services according to PPSM guidelines.

Low - V-15334 - SV-33822r1_rule

RMF Control

Severity

L

CCI

Version

WG610 IIS7

Vuln IDs

V-15334

Rule IDs

SV-33822r1_rule

Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS. The IAM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM), and the associated Ports, Protocols, and Services (PPS) Assurance Category Assignments List. Information Assurance OfficerDCPP-1

Checks: C-33501r1_chk

Review the web site to determine if HTTP and HTTPs (e.g., 80 and 443) are used in accordance with those ports and services registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM. 1. Open the IIS Manager. 2. Click the site name under review. 3. In the Action Pane, click Bindings. 4. Review the ports and protocols. If unknown ports or protocols are used, then this is a finding.

Fix: F-29201r1_fix

Ensure the web site enforces the use of HTTP and HTTPS in accordance with PPSM guidance. 1. Open the IIS Manager. 2. Click the site name under review. 3. In the Action Pane, click Bindings. 4. Edit to change an existing binding and set the correct ports and protocol.

a

Debug must be turned off on a production website.

Low - V-26011 - SV-32662r1_rule

RMF Control

Severity

L

CCI

Version

WA000-WI6140 IIS7

Vuln IDs

V-26011

Rule IDs

SV-32662r1_rule

Setting compilation debug to false ensures detailed error information does not inadvertently display during live application usage, mitigating the risk of application information being display to users.Web AdministratorECSC-1

Checks: C-32876r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click .NET Compilation. 4. Scroll down to the Behavior section and ensure the value for Debug is set to False. If not, this is a finding. NOTE: If the .NET feature is not installed, this check is not applicable.

Fix: F-29027r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click .NET Compilation 4. Scroll down to the Behavior section and set the value for Debug to False.

b

The production web-site must utilize SHA1 encryption for Machine Key.

Medium - V-26026 - SV-33314r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6180 IIS7

Vuln IDs

V-26026

Rule IDs

SV-33314r1_rule

The Machine Key element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, forms authentication, membership and roles, and anonymous identification. Ensuring a strong encryption method can mitigate the risk of data tampering in crucial functional areas such as forms authentication cookies or view state.Web AdministratorDCNR-1

Checks: C-32882r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Machine Key in the web site Home Pane. 4. Ensure SHA1 is selected for the Encrypted method. If not, this is a finding.

Fix: F-29031r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Machine Key in the web site Home Pane. 4. Set the Encrypted method to SHA1.

a

The production web-site must be configured to prevent detailed HTTP error pages from being sent to remote clients.

Low - V-26031 - SV-32682r1_rule

RMF Control

Severity

L

CCI

Version

WA000-WI6165

Vuln IDs

V-26031

Rule IDs

SV-32682r1_rule

HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote requesters exposes internal configuration information to potential attackers.Web AdministratorECSC-1

Checks: C-32885r1_chk

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Error Pages icon. 4. Click each error message and click Edit Feature Setting from the Actions Pane. If any error message is not set to “Detailed errors for local requests and custom error pages for remote requests”, this is a finding.

Fix: F-29033r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Error Pages icon. 4. Click each error message and click Edit Feature Setting from the Actions Pane; set each error message to “Detailed errors for local requests and custom error pages for remote requests”.

b

The production web-site must configure the Global .NET Trust Level.

Medium - V-26034 - SV-46354r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6200

Vuln IDs

V-26034

Rule IDs

SV-46354r1_rule

An application's trust level determines the permissions granted by the ASP.NET Code Access Security (CAS) policy. An application with full trust permissions may access all resource types on a server and perform privileged operations, while applications running with partial trust have varying levels of operating permissions and access to resources. The CAS determines the permissions granted to the application on the server. Setting a level of trust compatible with the applications will limit the potential harm a compromised application could cause to a system.Web AdministratorECSC-1

Checks: C-32886r6_chk

Note: Setting a web application Trust Level to MEDIUM may deny some application permissions. Set the trust level for compatibility with these applications. 1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the .NET Trust Level icon. 4. If the .NET Trust level is not set to Medium or less, this is a finding.

Fix: F-29034r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the .NET Trust Level icon. 4. Set the .NET Trust level to Medium or less and click apply.

b

The web-site must limit the number of bytes accepted in a request.

Medium - V-26041 - SV-32692r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6210

Vuln IDs

V-26041

Rule IDs

SV-32692r1_rule

By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. The maxAllowedContentLength Request Filter limits the number of bytes the server will accept in a request.Web AdministratorECSC-1

Checks: C-32889r1_chk

For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the maxAllowedContentLength value is not set to 30000000, this is a finding. NOTE: If the site has operational reasons to set maxAllowedContentLength to an alternate value, and has supporting documentation signed by the IAO, this is not a finding.

Fix: F-29035r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Set the maxAllowedContentLength value to 30000000.

b

The production web-site must limit the MaxURL.

Medium - V-26042 - SV-32693r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6220

Vuln IDs

V-26042

Rule IDs

SV-32693r1_rule

Request filtering replaces URLScan in IIS, enabling administrators to create a more granular rule set with which to allow or reject inbound web content. By setting limits on web requests, it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The MaxURL Request Filter limits the number of bytes the server will accept in a URL.Web AdministratorECSC-1

Checks: C-32890r1_chk

For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the maxURL value is not set to 4096, this is a finding. NOTE: If the site has operational reasons to set maxURL to an alternate value, and has supporting documentation signed by the IAO, this is not a finding.

Fix: F-29036r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Set the maxURL value to 4096.

b

The production web-site must configure the Maximum Query String limit.

Medium - V-26043 - SV-32694r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6230

Vuln IDs

V-26043

Rule IDs

SV-32694r1_rule

By setting limits on web requests, it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The Maximum Query String Request Filter describes the upper limit on allowable query string lengths. Upon exceeding the configured value, IIS will generate a Status Code 404.15.Web AdministratorECSC-1

Checks: C-32891r1_chk

For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the Maximum Query String value is not set to 2048, this is a finding. NOTE: If the site has operational reasons to set Maximum Query String to an alternate value, and has supporting documentation signed by the IAO, this is not a finding.

Fix: F-29037r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Set the Maximum Query String value to 2048.

b

The web-site must not allow non-ASCII characters in URLs.

Medium - V-26044 - SV-32695r2_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6240

Vuln IDs

V-26044

Rule IDs

SV-32695r2_rule

By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. The allow high-bit characters Request Filter enables rejection of requests containing non-ASCII characters.Web AdministratorECSC-1

Checks: C-32892r2_chk

For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the allow high-bit characters checkbox is checked, this is a finding. NOTE: If the site has operational reasons to set allow high-bit characters to checked, this vulnerability can be documented locally by the IAM/IAO.

Fix: F-29038r2_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Uncheck the allow high-bit characters checkbox.

b

The web-site must not allow double encoded URL requests.

Medium - V-26045 - SV-32696r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6250

Vuln IDs

V-26045

Rule IDs

SV-32696r1_rule

Request filtering enables administrators to create a more granular rule set with which to allow or reject inbound web content. By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. When the allow double escaping option is disabled it prevents attacks that rely on double-encoded requests.Web AdministratorECSC-1

Checks: C-32893r1_chk

For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If the allow double escaping checkbox is checked, this is a finding.

Fix: F-29039r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Uncheck the allow double escaping checkbox.

b

The production web-site must filter unlisted file extensions in URL requests.

Medium - V-26046 - SV-32697r1_rule

RMF Control

Severity

M

CCI

Version

WA000-WI6260

Vuln IDs

V-26046

Rule IDs

SV-32697r1_rule

Request filtering enables administrators to create a more granular rule set to allow or reject inbound web content. By setting limits on web requests it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The allow unlisted property of the File Extensions Request Filter enables rejection of requests containing specific file extensions not defined in the File Extensions filter. Tripping this filter will cause IIS to generate a Status Code 404.7.Web AdministratorECSC-1

Checks: C-32894r1_chk

For each site reviewed: 1. Open the IIS Manager. 2. Click on the site name. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. If allow unlisted file extensions checkbox is checked, this is a finding.

Fix: F-29040r1_fix

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the Request Filtering icon. 4. Click Edit Feature Settings in the Actions Pane. 5. Uncheck the allow unlisted file extensions checkbox.

Checks: C-32831r1_chk

Fix: F-29056r1_fix

Generate Mitigation Statement:

Checks: C-32733r1_chk

Fix: F-29057r1_fix

Generate Mitigation Statement:

Checks: C-32732r1_chk

Fix: F-29058r1_fix

Generate Mitigation Statement:

Checks: C-30361r1_chk

Fix: F-29059r1_fix

Generate Mitigation Statement:

Checks: C-32730r3_chk

Fix: F-29195r4_fix

Generate Mitigation Statement:

Checks: C-32731r1_chk

Fix: F-29061r1_fix

Generate Mitigation Statement:

Checks: C-32735r1_chk

Fix: F-29062r1_fix

Generate Mitigation Statement:

Checks: C-33496r1_chk

Fix: F-29196r1_fix

Generate Mitigation Statement:

Checks: C-29362r1_chk

Fix: F-27466r1_fix

Generate Mitigation Statement:

Checks: C-32737r1_chk

Fix: F-29064r1_fix

Generate Mitigation Statement:

Checks: C-32739r4_chk

Fix: F-29066r5_fix

Generate Mitigation Statement:

Checks: C-32740r3_chk

Fix: F-29067r3_fix

Generate Mitigation Statement:

Checks: C-33498r1_chk

Fix: F-29200r1_fix

Generate Mitigation Statement:

Checks: C-32741r1_chk

Fix: F-28820r1_fix

Generate Mitigation Statement:

Checks: C-32768r1_chk

Fix: F-29069r1_fix

Generate Mitigation Statement:

Checks: C-32769r1_chk

Fix: F-29020r1_fix

Generate Mitigation Statement:

Checks: C-33497r1_chk

Fix: F-29197r1_fix

Generate Mitigation Statement:

Checks: C-32933r1_chk

Fix: F-28970r1_fix

Generate Mitigation Statement:

Checks: C-32868r1_chk

Fix: F-29019r1_fix

Generate Mitigation Statement:

Checks: C-32785r1_chk

Fix: F-28974r1_fix

Generate Mitigation Statement:

Checks: C-32790r1_chk

Fix: F-29071r1_fix

Generate Mitigation Statement:

Checks: C-32795r1_chk

Fix: F-29074r1_fix

Generate Mitigation Statement:

Checks: C-32797r2_chk

Fix: F-28988r1_fix

Generate Mitigation Statement:

Checks: C-32799r1_chk

Fix: F-29075r1_fix

Generate Mitigation Statement:

Checks: C-32823r1_chk

Fix: F-28934r1_fix

Generate Mitigation Statement:

Checks: C-32824r1_chk

Fix: F-28935r1_fix

Generate Mitigation Statement:

Checks: C-32828r6_chk

Fix: F-28939r1_fix