Microsoft IIS 10.0 Server Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The IIS 10.0 web server must augment re-creation to a stable and known baseline.
Making certain that the web server has not been updated by an unauthorized user is always a concern. Adding patches, functions, and modules that are untested and not part of the baseline opens the ...Rule Medium Severity -
SRG-APP-000231-WSR-000144
Group -
The production IIS 10.0 web server must utilize SHA2 encryption for the Machine Key.
The Machine Key element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption set...Rule Medium Severity -
SRG-APP-000251-WSR-000157
Group -
The IIS 10.0 web server must restrict inbound connections from non-secure zones.
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform manag...Rule Medium Severity -
SRG-APP-000316-WSR-000170
Group -
SRG-APP-000340-WSR-000029
Group -
IIS 10.0 web server system files must conform to minimum file permission requirements.
This check verifies the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web server,...Rule Medium Severity -
SRG-APP-000357-WSR-000150
Group -
The IIS 10.0 web server must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 web server.
To ensure the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism must be able to allocate log record storage capacity. The t...Rule Medium Severity -
SRG-APP-000380-WSR-000072
Group -
SRG-APP-000383-WSR-000175
Group -
The IIS 10.0 web server must not be running on a system providing any other role.
Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. Th...Rule Medium Severity -
SRG-APP-000383-WSR-000175
Group -
The Internet Printing Protocol (IPP) must be disabled on the IIS 10.0 web server.
The use of IPP on an IIS web server allows client access to shared printers. This privileged access could allow remote code execution by increasing the web servers attack surface. Additionally, sin...Rule Medium Severity -
SRG-APP-000435-WSR-000148
Group -
The IIS 10.0 web server must be tuned to handle the operational requirements of the hosted application.
A Denial of Service (DoS) can occur when the web server is overwhelmed and can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a DoS condi...Rule Medium Severity -
SRG-APP-000439-WSR-000152
Group -
IIS 10.0 web server session IDs must be sent to the client using TLS.
The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data used to identify a session and a user. If the session ident...Rule Medium Severity -
SRG-APP-000439-WSR-000156
Group -
SRG-APP-000439-WSR-000156
Group -
The IIS 10.0 web server must maintain the confidentiality of controlled information during transmission through the use of an approved Transport Layer Security (TLS) version.
TLS is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2-app...Rule Medium Severity -
SRG-APP-000516-WSR-000079
Group -
SRG-APP-000516-WSR-000174
Group -
Unspecified file extensions on a production IIS 10.0 web server must be removed.
By allowing unspecified file extensions to execute, the web servers attack surface is significantly increased. This increased risk can be reduced by only allowing specific ISAPI extensions or CGI e...Rule Medium Severity -
SRG-APP-000516-WSR-000174
Group -
The IIS 10.0 web server must have a global authorization rule configured to restrict access.
Authorization rules can be configured at the server, website, folder (including Virtual Directories), or file level. It is recommended that URL Authorization be configured to only grant access to t...Rule Medium Severity -
SRG-APP-000001-WSR-000001
Group -
SRG-APP-000516-WSR-000174
Group -
The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).
HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, a...Rule Low Severity -
SRG-APP-000141-WSR-000075
Group -
An IIS Server configured to be a SMTP relay must require authentication.
Anonymous SMTP relays are strictly prohibited. An anonymous SMTP relay can be a vector for many types of malicious activity not limited to server exploitation for the sending of SPAM mail, access t...Rule Medium Severity -
SRG-APP-000266-WSR-000159
Group -
HTTPAPI Server version must be removed from the HTTP Response Header information.
HTTP Response Headers contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of certain HTTP Response Header information to remote...Rule Low Severity -
SRG-APP-000266-WSR-000159
Group -
ASP.NET version must be removed from the HTTP Response Header information.
HTTP Response Headers contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of certain HTTP Response Header information to remote...Rule Low Severity -
SRG-APP-000141-WSR-000015
Group -
The Request Smuggling filter must be enabled.
Security scans show Request Smuggling vulnerability on IIS server. The vulnerability allows a remote attacker to perform HTTP request smuggling attack. The vulnerability exists due to the way tha...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.