Skip to content
Log In

I - Mission Critical Classified

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000316-WSR-000170

    Group
    Show

  • The IIS 10.0 web server must provide the capability to immediately disconnect or disable remote access to the hosted applications.

    During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to stop the attack. The web server must provide a c...
    Rule Medium Severity
    Show

  • SRG-APP-000340-WSR-000029

    Group
    Show

  • IIS 10.0 web server system files must conform to minimum file permission requirements.

    This check verifies the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web server,...
    Rule Medium Severity
    Show

  • SRG-APP-000357-WSR-000150

    Group
    Show

  • The IIS 10.0 web server must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 web server.

    To ensure the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism must be able to allocate log record storage capacity. The t...
    Rule Medium Severity
    Show

  • SRG-APP-000380-WSR-000072

    Group
    Show

  • Access to web administration tools must be restricted to the web manager and the web managers designees.

    A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the pote...
    Rule Medium Severity
    Show

  • SRG-APP-000383-WSR-000175

    Group
    Show

  • The IIS 10.0 web server must not be running on a system providing any other role.

    Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. Th...
    Rule Medium Severity
    Show

  • SRG-APP-000383-WSR-000175

    Group
    Show

  • The Internet Printing Protocol (IPP) must be disabled on the IIS 10.0 web server.

    The use of IPP on an IIS web server allows client access to shared printers. This privileged access could allow remote code execution by increasing the web servers attack surface. Additionally, sin...
    Rule Medium Severity
    Show

  • SRG-APP-000435-WSR-000148

    Group
    Show

  • The IIS 10.0 web server must be tuned to handle the operational requirements of the hosted application.

    A Denial of Service (DoS) can occur when the web server is overwhelmed and can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a DoS condi...
    Rule Medium Severity
    Show

  • SRG-APP-000439-WSR-000152

    Group
    Show

  • IIS 10.0 web server session IDs must be sent to the client using TLS.

    The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data used to identify a session and a user. If the session ident...
    Rule Medium Severity
    Show

  • SRG-APP-000439-WSR-000156

    Group
    Show

  • An IIS 10.0 web server must maintain the confidentiality of controlled information during transmission through the use of an approved Transport Layer Security (TLS) version.

    TLS encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it ...
    Rule High Severity
    Show

  • SRG-APP-000439-WSR-000156

    Group
    Show

  • The IIS 10.0 web server must maintain the confidentiality of controlled information during transmission through the use of an approved Transport Layer Security (TLS) version.

    TLS is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2-app...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000079

    Group
    Show

  • All accounts installed with the IIS 10.0 web server software and tools must have passwords assigned and default passwords changed.

    During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, whic...
    Rule High Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • Unspecified file extensions on a production IIS 10.0 web server must be removed.

    By allowing unspecified file extensions to execute, the web servers attack surface is significantly increased. This increased risk can be reduced by only allowing specific ISAPI extensions or CGI e...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • The IIS 10.0 web server must have a global authorization rule configured to restrict access.

    Authorization rules can be configured at the server, website, folder (including Virtual Directories), or file level. It is recommended that URL Authorization be configured to only grant access to t...
    Rule Medium Severity
    Show

  • SRG-APP-000001-WSR-000001

    Group
    Show

  • The IIS 10.0 websites MaxConnections setting must be configured to limit the number of allowed simultaneous session requests.

    Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a Denial of Service (DoS) attack. Mitigating this kind of attack will include li...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).

    HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, a...
    Rule Low Severity
    Show

  • SRG-APP-000141-WSR-000075

    Group
    Show

  • An IIS Server configured to be a SMTP relay must require authentication.

    Anonymous SMTP relays are strictly prohibited. An anonymous SMTP relay can be a vector for many types of malicious activity not limited to server exploitation for the sending of SPAM mail, access t...
    Rule Medium Severity
    Show

  • SRG-APP-000266-WSR-000159

    Group
    Show

  • HTTPAPI Server version must be removed from the HTTP Response Header information.

    HTTP Response Headers contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of certain HTTP Response Header information to remote...
    Rule Low Severity
    Show

  • SRG-APP-000266-WSR-000159

    Group
    Show

  • ASP.NET version must be removed from the HTTP Response Header information.

    HTTP Response Headers contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of certain HTTP Response Header information to remote...
    Rule Low Severity
    Show

  • SRG-APP-000141-WSR-000015

    Group
    Show

  • The Request Smuggling filter must be enabled.

    Security scans show Request Smuggling vulnerability on IIS server. The vulnerability allows a remote attacker to perform HTTP request smuggling attack. The vulnerability exists due to the way tha...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules