Microsoft IIS 10.0 Server Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000380-WSR-000072
Group -
SRG-APP-000383-WSR-000175
Group -
The IIS 10.0 web server must not be running on a system providing any other role.
Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. Th...Rule Medium Severity -
SRG-APP-000383-WSR-000175
Group -
The Internet Printing Protocol (IPP) must be disabled on the IIS 10.0 web server.
The use of IPP on an IIS web server allows client access to shared printers. This privileged access could allow remote code execution by increasing the web servers attack surface. Additionally, sin...Rule Medium Severity -
SRG-APP-000435-WSR-000148
Group -
The IIS 10.0 web server must be tuned to handle the operational requirements of the hosted application.
A Denial of Service (DoS) can occur when the web server is overwhelmed and can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a DoS condi...Rule Medium Severity -
SRG-APP-000439-WSR-000152
Group -
IIS 10.0 web server session IDs must be sent to the client using TLS.
The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data used to identify a session and a user. If the session ident...Rule Medium Severity -
SRG-APP-000439-WSR-000156
Group -
SRG-APP-000439-WSR-000156
Group -
The IIS 10.0 web server must maintain the confidentiality of controlled information during transmission through the use of an approved Transport Layer Security (TLS) version.
TLS is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2-app...Rule Medium Severity -
SRG-APP-000516-WSR-000079
Group -
SRG-APP-000516-WSR-000174
Group -
Unspecified file extensions on a production IIS 10.0 web server must be removed.
By allowing unspecified file extensions to execute, the web servers attack surface is significantly increased. This increased risk can be reduced by only allowing specific ISAPI extensions or CGI e...Rule Medium Severity -
SRG-APP-000516-WSR-000174
Group -
The IIS 10.0 web server must have a global authorization rule configured to restrict access.
Authorization rules can be configured at the server, website, folder (including Virtual Directories), or file level. It is recommended that URL Authorization be configured to only grant access to t...Rule Medium Severity -
SRG-APP-000001-WSR-000001
Group -
SRG-APP-000516-WSR-000174
Group -
The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).
HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, a...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.