Details
A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e., HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie.
Satisfies: SRG-APP-000439-WSR-000154, SRG-APP-000439-SSR-000155, SRG-APP-000439-WSR-000153
Solution
Note: If the server being reviewed is a public IIS 10.0 web server, this is Not Applicable.
Follow the procedures below for each site hosted on the IIS 10.0 web server:
Access the IIS 10.0 Manager.
Under ‘Management’ section, double-click the ‘Configuration Editor’ icon.
From the ‘Section:’ drop-down list, select ‘system.web/httpCookies’.
Set the ‘require SSL’ to ‘True’.
From the ‘Section:’ drop-down list, select ‘system.web/sessionState’.
Set the ‘compressionEnabled’ to ‘False’.
Select ‘Apply’ from the ‘Actions’ pane.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Windows.
References
- 800-53|SC-8
- CAT|II
- CCI|CCI-002418
- Rule-ID|SV-218770r558649_rule
- STIG-ID|IIST-SI-000246
- STIG-Legacy|SV-109365
- STIG-Legacy|V-100261
- Vuln-ID|V-218770