Microsoft IIS 10.0 Server Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-APP-000211-WSR-000030
Group -
IIS 10.0 Web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.
As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. Thi...
Rule - High Severity
SRG-APP-000211-WSR-000129
Group -
Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 web server, patches, loaded modules, and directory paths.
HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote reques...
Rule - Medium Severity
SRG-APP-000315-WSR-000004
Group -
SRG-APP-000223-WSR-000011
Group -
The IIS 10.0 web server must use cookies to track session state.
Cookies are used to exchange data between the web server and the client. Cookies, such as a session cookie, may contain session information and user credentials used to maintain a persistent connec...
Rule - Medium Severity
SRG-APP-000223-WSR-000145
Group -
The IIS 10.0 web server must accept only system-generated session identifiers.
ASP.NET provides a session state, which is available as the HttpSessionState class, as a method of storing session-specific information that is visible only within the session. ASP.NET session stat...
Rule - Medium Severity
SRG-APP-000225-WSR-000074
Group -
The IIS 10.0 web server must augment re-creation to a stable and known baseline.
Making certain that the web server has not been updated by an unauthorized user is always a concern. Adding patches, functions, and modules that are untested and not part of the baseline opens the ...
Rule - Medium Severity
SRG-APP-000231-WSR-000144
Group -
The production IIS 10.0 web server must utilize SHA2 encryption for the Machine Key.
The Machine Key element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption set...
Rule - Medium Severity
SRG-APP-000251-WSR-000157
Group -
The IIS 10.0 web server must restrict inbound connections from non-secure zones.
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform manag...
Rule - Medium Severity
SRG-APP-000316-WSR-000170
Group -
SRG-APP-000340-WSR-000029
Group -
IIS 10.0 web server system files must conform to minimum file permission requirements.
This check verifies the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web server,...
Rule - Medium Severity
SRG-APP-000357-WSR-000150
Group -
The IIS 10.0 web server must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 web server.
To ensure the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism must be able to allocate log record storage capacity. The t...
Rule - Medium Severity