Home
Security Hardening
DISA IIS 10.0 Site V2R1

DISA IIS 10.0 Site V2R1

IIST-SI-000236 – The IIS 10.0 websites connectionTimeout setting must be explicitly configured to disconnect an idle session.
Details Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to...
IIST-SI-000237 – The IIS 10.0 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.
Details During an attack on the web server or any of the hosted applications, the system administrator may need to...
IIST-SI-000238 – The IIS 10.0 website must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 website.
Details To make certain the logging mechanism used by the web server has sufficient storage capacity in which to write...
IIST-SI-000221 – Anonymous IIS 10.0 website access accounts must be restricted – Local System Groups
Details Many of the security problems that occur are not the result of a user gaining access to files or...
IIST-SI-000239 – The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines.
Details Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed...
IIST-SI-000223 – The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced.
Details Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless...
IIST-SI-000241 – The IIS 10.0 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
Details The use of a DoD PKI certificate ensures clients the private website they are connecting to is legitimate, and...
IIST-SI-000224 – The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files.
Details The web document (home) directory is accessed by multiple anonymous users when the web server is in production. By...
IIST-SI-000242 – The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates.
Details When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants,...
IIST-SI-000225 – The IIS 10.0 website must be configured to limit the maxURL.
Details Request filtering replaces URLScan in IIS, enabling administrators to create a more granular rule set with which to allow...

Prev Next

DISA IIS 10.0 Site V2R1

IIST-SI-000236 – The IIS 10.0 websites connectionTimeout setting must be explicitly configured to disconnect an idle session.

IIST-SI-000237 – The IIS 10.0 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.

IIST-SI-000238 – The IIS 10.0 website must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 website.

IIST-SI-000221 – Anonymous IIS 10.0 website access accounts must be restricted – Local System Groups

IIST-SI-000239 – The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines.

IIST-SI-000223 – The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced.

IIST-SI-000241 – The IIS 10.0 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).

IIST-SI-000224 – The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files.

IIST-SI-000242 – The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates.

IIST-SI-000225 – The IIS 10.0 website must be configured to limit the maxURL.