IIST-SV-000129 – The IIS 10.0 web server must perform RFC 5280-compliant certification path validation. Details: This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is...
IIST-SV-000111 – The IIS 10.0 web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event – User Name. Details: Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of...
IIST-SV-000130 – Java software installed on a production IIS 10.0 web server must be limited to .class files and the Java Virtual Machine. Details: Mobile code in hosted applications allows the developer to add functionality and displays to hosted applications that are fluid,...
IIST-SV-000115 – The log information from the IIS 10.0 web server must be protected from unauthorized modification or deletion. Details: A major tool in exploring the website use, attempted use, unusual conditions, and problems is the access and error...
IIST-SV-000131 – IIS 10.0 web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts. Details: As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers,...
IIST-SV-000116 – The log data and records from the IIS 10.0 web server must be backed up onto a different system or media. Details: Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up log records to...
IIST-SV-000117 – The IIS 10.0 web server must not perform user management for hosted applications. Details: User management and authentication can be an essential part of any application hosted by the web server. Along with...
IIST-SV-000118 – The IIS 10.0 web server must only contain functions necessary for operation. Details: A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too...
IIST-SV-000119 – The IIS 10.0 web server must not be both a website server and a proxy server. Details: A web server should be primarily a web server or a proxy server but not both, for the same...
IIST-SV-000120 – All IIS 10.0 web server sample code, example applications, and tutorials must be removed from a production IIS 10.0 server. Details: Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A...