Microsoft IIS 10.0 Site Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-APP-000224-WSR-000136 (Group)

SRG-APP-000233-WSR-000146 (Group)
Rule: The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files.
Severity: Medium
The content database is accessed by multiple anonymous users when the web server is in production. By locating the content database on the same partition as the web server system file, the risk for...

SRG-APP-000246-WSR-000149 (Group)
Rule: The IIS 10.0 website must be configured to limit the maxURL.
Severity: Medium
Request filtering replaces URLScan in IIS, enabling administrators to create a more granular rule set with which to allow or reject inbound web content. By setting limits on web requests, it helps ...

SRG-APP-000246-WSR-000149 (Group)
Rule: The IIS 10.0 website must be configured to limit the size of web requests.
Severity: Medium
By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. The maxAllowedContentLength Request Filter limits the number of by...

SRG-APP-000246-WSR-000149 (Group)
Rule: The IIS 10.0 websites Maximum Query String limit must be configured.
Severity: Medium
Setting limits on web requests helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The Maximum Query String Request Filter describes th...

SRG-APP-000246-WSR-000149 (Group)

SRG-APP-000246-WSR-000149 (Group)
Rule: Unlisted file extensions in URL requests must be filtered by any IIS 10.0 website.
Severity: Medium
Request filtering enables administrators to create a more granular rule set to allow or reject inbound web content. Setting limits on web requests helps to ensure availability of web services and m...

SRG-APP-000251-WSR-000157 (Group)
Rule: Directory Browsing on the IIS 10.0 website must be disabled.
Severity: Medium
Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in IIS, users could receive a web page listing...

SRG-APP-000266-WSR-000159 (Group)
Rule: Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 website, patches, loaded modules, and directory paths.
Severity: Medium
HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote reques...

SRG-APP-000266-WSR-000160 (Group)
Rule: Debugging and trace information used to diagnose the IIS 10.0 website must be disabled.
Severity: Medium
Setting compilation debug to false ensures detailed error information does not inadvertently display during live application usage, mitigating the risk of application information being displayed to...

SRG-APP-000295-WSR-000012 (Group)
Rule: The Idle Time-out monitor for each IIS 10.0 website must be enabled.
Severity: Medium
The idle time-out attribute controls the amount of time a worker process will remain idle before it shuts down. A worker process is idle if it is not processing requests and no new requests are rec...