Skip to content
Log In

Microsoft IIS 10.0 Site Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode.

    When the session information is stored on the client, the session ID, along with the user authorization and identity information, is sent along with each client request and is stored in either a co...
    Rule Medium Severity
    Show

  • SRG-APP-000014-WSR-000006

    Group
    Show

  • A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections.

    Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private inform...
    Rule Medium Severity
    Show

  • SRG-APP-000014-WSR-000006

    Group
    Show

  • SRG-APP-000092-WSR-000055

    Group
    Show

  • Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.

    Internet Information Services (IIS) on Windows Server 2012 provides basic logging capabilities. However, because IIS takes some time to flush logs to disk, administrators do not have access to logg...
    Rule Medium Severity
    Show

  • SRG-APP-000099-WSR-000061

    Group
    Show

  • SRG-APP-000100-WSR-000064

    Group
    Show

  • The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.

    Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user account...
    Rule Medium Severity
    Show

  • SRG-APP-000141-WSR-000081

    Group
    Show

  • The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.

    Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the h...
    Rule Medium Severity
    Show

  • SRG-APP-000141-WSR-000082

    Group
    Show

  • SRG-APP-000141-WSR-000083

    Group
    Show

  • The IIS 10.0 website must have resource mappings set to disable the serving of certain file types.

    IIS 10.0 will either allow or deny script execution based on file extension. The ability to control script execution is controlled through two features with IIS 10.0, Request Filtering and Handler ...
    Rule Medium Severity
    Show

  • SRG-APP-000141-WSR-000085

    Group
    Show

  • The IIS 10.0 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.

    A web server can be installed with functionality that by its nature is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow u...
    Rule Medium Severity
    Show

  • SRG-APP-000142-WSR-000089

    Group
    Show

  • SRG-APP-000172-WSR-000104

    Group
    Show

  • A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.

    A DoD private website must use PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the id...
    Rule Medium Severity
    Show

  • SRG-APP-000211-WSR-000031

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules