Details

A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e., HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie.

Satisfies: SRG-APP-000439-WSR-000154, SRG-APP-000439-SSR-000155, SRG-APP-000439-WSR-000153

Solution

Note: If the server being reviewed is a public IIS 10.0 web server, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Access the IIS 10.0 Manager.
Under ‘Management’ section, double-click the ‘Configuration Editor’ icon.
From the ‘Section:’ drop-down list, select ‘system.web/httpCookies’.
Set the ‘require SSL’ to ‘True’.

From the ‘Section:’ drop-down list, select ‘system.web/sessionState’.
Set the ‘compressionEnabled’ to ‘False’.

Select ‘Apply’ from the ‘Actions’ pane.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y20M10_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Windows.

References

• 800-53|SC-8
• CAT|II
• CCI|CCI-002418
• Rule-ID|SV-218770r558649_rule
• STIG-ID|IIST-SI-000246
• STIG-Legacy|SV-109365
• STIG-Legacy|V-100261
• Vuln-ID|V-218770

Source

• Tenable.com/audits