StigData/Processed/Windows-2012R2-IISSite-1.2.xml
|
<DISASTIG id="IIS_8-5_Site_STIG" version="1.2" created="3/24/2018"> <DocumentRule dscresourcemodule="None"> <Rule id="V-76781" severity="medium" conversionstatus="pass" title="SRG-APP-000014-WSR-000006 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Note: If the server being reviewed is a private IIS 8.5 web server, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Double-click the "SSL Settings" icon. Verify "Require SSL" check box is selected. If the "Require SSL" check box is not selected, this is a finding.</rawString> </Rule> <Rule id="V-76799" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000082" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>For "Handler Mappings", the ISSO must document and approve all allowable scripts the website allows (white list) and denies (black list) by the website. The white list and black list will be compared to the "Handler Mappings" in IIS 8.5. "Handler Mappings" at the site level take precedence over "Handler Mappings" at the server level. Open the IIS 8.5 Manager. Click the site name under review. Double-click "Handler Mappings". If any script file extensions from the black list are enabled, this is a finding.</rawString> </Rule> <Rule id="V-76801" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000083" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>For "Handler Mappings", the ISSO must document and approve all allowable file extensions the website allows (white list) and denies (black list) by the website. The white list and black list will be compared to the "Handler Mappings" in IIS 8.5. "Handler Mappings" at the site level take precedence over "Handler Mappings" at the server level. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click "Request Filtering". If any file name extensions from the black list have "Allowed" set to "True", this is a finding.</rawString> </Rule> <Rule id="V-76809" severity="medium" conversionstatus="pass" title="SRG-APP-000172-WSR-000104 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click the "SSL Settings" icon. Verify the "Clients Certificate Required" check box is selected. If the "Clients Certificate Required" check box is not selected, this is a finding.</rawString> </Rule> <Rule id="V-76813" severity="medium" conversionstatus="pass" title="SRG-APP-000224-WSR-000136 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Under the "ASP.NET" section, select "Session State". Under "Session State" Mode Settings, verify the "In Process" mode is selected. If the "In Process" mode is selected, this is not a finding. Alternative method: Click the site name. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". Verify the "mode" reflects "InProc". If the "mode" is not set to "InProc", this is a finding.</rawString> </Rule> <Rule id="V-76831" severity="medium" conversionstatus="pass" title="SRG-APP-000266-WSR-000142" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Note: This requirement is only for each site's root directory. Follow the procedures below for each site hosted on the IIS 8.5 web server: Click the site name under review. Double-click "Default Document". In the "Actions" pane, verify the "Default Document" feature is enabled. If an "Enable" option is listed under the "Actions" pane, the "Default Document" feature is not enabled and this is a finding. If "Default Document" is "Enabled, review the document types. Click the "Content View" tab, click on each listed "Default Document" and click on "Explore" under the "Actions" pane. Verify there is a document of that type in the directory. If "Default Document" is "Enabled" but no listed document types are present in the "Content View", this is a finding.</rawString> </Rule> <Rule id="V-76843" severity="medium" conversionstatus="pass" title="SRG-APP-000316-WSR-000170" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Interview the System Administrator and Web Manager. Ask for documentation for the IIS 8.5 web server administration. Verify there are documented procedures for shutting down an IIS 8.5 website in the event of an attack. The procedure should, at a minimum, provide the following steps: Determine the respective website for the application at risk of an attack. Access the IIS 8.5 web server IIS 8.5 Manager. Select the respective website. In the "Actions" pane, under "Manage Website", click on "Stop". If necessary, stop all websites. If necessary, stop the IIS 8.5 web server by selecting the web server in the IIS 8.5 Manager. In the "Actions" pane, under "Manage Server", click on "Stop". If there are not documented procedures with, at a minimum, the mentioned steps for stopping a website, this is a finding.</rawString> </Rule> <Rule id="V-76847" severity="medium" conversionstatus="pass" title="SRG-APP-000383-WSR-000175" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Review the website to determine if HTTP and HTTPs (e.g., 80 and 443) are used in accordance with those ports and services registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name under review. In the “Action†Pane, click “Bindingsâ€. Review the ports and protocols. If unknown ports or protocols are used, then this is a finding.</rawString> </Rule> <Rule id="V-76851" severity="medium" conversionstatus="pass" title="SRG-APP-000429-WSR-000113 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click the "SSL Settings" icon under the "IIS" section. Verify "Require SSL" is checked. Verify "Client Certificates Required" is selected. Click the site under review. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate “system.webServer/security/accessâ€. The value for "sslFlags" set must include "ssl128". If the "Require SSL" is not selected, this is a finding. If the "Client Certificates Required" is not selected, this is a finding. If the "sslFlags" is not set to "ssl128", this is a finding.</rawString> </Rule> <Rule id="V-76853" severity="medium" conversionstatus="pass" title="SRG-APP-000439-WSR-000151 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click the "SSL Settings" icon under the "IIS" section. Verify "Require SSL" is checked. Verify "Client Certificates Required" is selected. Click the site under review. Under "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate “system.webServer/security/accessâ€. The value for "sslFlags" should be ssl128. If the "Require SSL" is not selected, this is a finding. If the "Client Certificates Required" is not selected, this is a finding. If the "sslFlags" is not set to "ssl128", this is a finding.</rawString> </Rule> <Rule id="V-76859.a" severity="medium" conversionstatus="pass" title="SRG-APP-000439-WSR-000154 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>From the "Section:" drop-down list, select "system.web/httpCookies". Verify the "require SSL" is set to "True".</rawString> </Rule> <Rule id="V-76859.b" severity="medium" conversionstatus="pass" title="SRG-APP-000439-WSR-000154 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>From the "Section:" drop-down list, select "system.web/sessionState". Verify the "compressionEnabled" is set to "False".</rawString> </Rule> <Rule id="V-76861" severity="medium" conversionstatus="pass" title="SRG-APP-000441-WSR-000181 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click the "SSL Settings" icon under the "IIS" section. Verify "Require SSL" is checked. Verify "Client Certificates Required" is selected. Click the site under review. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate “system.webServer/security/accessâ€. The value for "sslFlags" should be ssl128. If the "Require SSL" is not selected, this is a finding. If the "Client Certificates Required" is not selected, this is a finding. If the "sslFlags" is not set to "ssl128", this is a finding.</rawString> </Rule> <Rule id="V-76863" severity="medium" conversionstatus="pass" title="SRG-APP-000442-WSR-000182 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click the "SSL Settings" icon under the "IIS" section. Verify "Require SSL" is checked. Verify "Client Certificates Required" is selected. Click the site under review. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate “system.webServer/security/accessâ€. The values for "sslFlags" must include ssl128. If the "Require SSL" is not selected, this is a finding. If the "Client Certificates Required" is not selected, this is a finding. If the "sslFlags" is not set to "ssl128", this is a finding.</rawString> </Rule> <Rule id="V-76867" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO, this check can be downgraded to a Cat III. Open the IIS 8.5 Manager. Perform for each Application Pool. Click the “Application Poolsâ€. Highlight an Application Pool and click "Advanced Settings" in the “Action†Pane. Scroll down to the "Recycling section" and verify the value for "Request Limit" is set to a value other than "0". If the "Request Limit" is set to a value of "0", this is a finding.</rawString> </Rule> <Rule id="V-76869" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, mitigation steps can be set, to include setting the “Fixed number or requestsâ€, “Specific timeâ€, and “Private memory usage†in the recycling conditions lieu of the “Virtual memory†setting. If mitigation is used in lieu of this requirement, with supporting documentation from the ISSO, this check can be downgraded to a Cat III. Open the IIS 8.5 Manager. Perform for each Application Pool. Click on “Application Poolsâ€. Highlight an Application Pool and click "Advanced Settings" in the Action Pane. In the "Advanced Settings" dialog box scroll down to the "Recycling" section and verify the value for "Virtual Memory Limit" is not set to 0. If the value for "Virtual Memory Limit" is set to 0, this is a finding. </rawString> </Rule> <Rule id="V-76871" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. Open the IIS 8.5 Manager. Perform for each Application Pool. Click the “Application Poolsâ€. Highlight an Application Pool and click "Advanced Settings" in the “Action†Pane. Scroll down to the "Recycling" section and verify the value for "Private Memory Limit" is set to a value other than "0". If the "Private Memory Limit" is set to a value of "0", this is a finding.</rawString> </Rule> <Rule id="V-76873" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. Open the IIS 8.5 Manager. Perform for each Application Pool. Click the “Application Poolsâ€. Highlight an Application Pool and click "Advanced Settings" in the “Action†Pane. Scroll down to the "Recycling" section and expand the "Generate Recycle Event Log Entry" section. Verify both the "Regular time interval" and "Specific time" options are set to "True". If both the "Regular time interval" and "Specific time" options are not set to "True", this is a finding.</rawString> </Rule> </DocumentRule> <IisLoggingRule dscresourcemodule="xWebAdministration"> <Rule id="V-76783" severity="medium" conversionstatus="pass" title="SRG-APP-000092-WSR-000055" dscresource="xWebSite"> <IsNullOrEmpty>False</IsNullOrEmpty> <LogCustomFieldEntry /> <LogFlags>Date,Time,ClientIP,UserName,Method,UriQuery,ProtocolVersion,Referer</LogFlags> <LogFormat /> <LogPeriod /> <LogTargetW3C /> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Click the "Logging" icon. Under Format select "W3C". Click “Select Fieldsâ€, verify at a minimum the following fields are checked: Date, Time, Client IP Address, User Name, Method, URI Query, Protocol Status, and Referrer. If the "W3C" is not selected as the logging format OR any of the required fields are not selected, this is a finding.</rawString> </Rule> <Rule id="V-76785" severity="medium" conversionstatus="pass" title="SRG-APP-000092-WSR-000055" dscresource="xWebSite"> <IsNullOrEmpty>False</IsNullOrEmpty> <LogCustomFieldEntry /> <LogFlags /> <LogFormat /> <LogPeriod /> <LogTargetW3C>File,ETW</LogTargetW3C> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Click the "Logging" icon. Under Log Event Destination, verify the "Both log file and ETW event" radio button is selected. If the "Both log file and ETW event" radio button is not selected, this is a finding.</rawString> </Rule> <Rule id="V-76789" severity="medium" conversionstatus="pass" title="SRG-APP-000099-WSR-000061" dscresource="xWebSite"> <IsNullOrEmpty>False</IsNullOrEmpty> <LogCustomFieldEntry> <Entry> <SourceType>RequestHeader</SourceType> <SourceName>Connection</SourceName> </Entry> <Entry> <SourceType>RequestHeader</SourceType> <SourceName>Warning</SourceName> </Entry> <Entry> <SourceType>ServerVariable</SourceType> <SourceName>HTTP_CONNECTION</SourceName> </Entry> </LogCustomFieldEntry> <LogFlags /> <LogFormat>W3C</LogFormat> <LogPeriod /> <LogTargetW3C /> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Select the website being reviewed. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select the "Fields" button. Under "Custom Fields", verify the following fields are selected: Request Header >> Connection Request Header >> Warning Server Variable >> HTTP_CONNECTION If any of the above fields are not selected, this is a finding.</rawString> </Rule> <Rule id="V-76791" severity="medium" conversionstatus="pass" title="SRG-APP-000100-WSR-000064" dscresource="xWebSite"> <IsNullOrEmpty>False</IsNullOrEmpty> <LogCustomFieldEntry> <Entry> <SourceType>ServerVariable</SourceType> <SourceName>HTTP_USER_AGENT</SourceName> </Entry> <Entry> <SourceType>RequestHeader</SourceType> <SourceName>User-Agent</SourceName> </Entry> <Entry> <SourceType>RequestHeader</SourceType> <SourceName>Authorization</SourceName> </Entry> <Entry> <SourceType>ResponseHeader</SourceType> <SourceName>Content-Type</SourceName> </Entry> </LogCustomFieldEntry> <LogFlags>UserAgent,UserName,Referer</LogFlags> <LogFormat>W3C</LogFormat> <LogPeriod /> <LogTargetW3C /> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Access the IIS 8.5 web server IIS 8.5 Manager. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select the "Fields" button. Under "Standard Fields", verify "User Agent", "User Name" and "Referrer" are selected. Under "Custom Fields", verify the following fields have been configured: Server Variable >> HTTP_USER_AGENT Request Header >> User-Agent Request Header >> Authorization Response Header >> Content-Type If any of the above fields are not selected, this is a finding.</rawString> </Rule> <Rule id="V-76845" severity="medium" conversionstatus="pass" title="SRG-APP-000357-WSR-000150" dscresource="xWebSite"> <IsNullOrEmpty>False</IsNullOrEmpty> <LogCustomFieldEntry /> <LogFlags /> <LogFormat /> <LogPeriod>daily</LogPeriod> <LogTargetW3C /> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Access the IIS 8.5 web server IIS 8.5 Manager. Under "IIS" double-click on the "Logging" icon. In the "Logging" configuration box, determine the "Directory:" to which the "W3C" logging is being written. Confirm with the System Administrator that the designated log path is of sufficient size to maintain the logging. Under "Log File Rollover", verify the "Do not create new log files" is not selected. Verify a schedule is configured to rollover log files on a regular basis. Consult with the System Administrator to determine if there is a documented process for moving the log files off of the IIS 8.5 web server to another logging device. If the designated logging path device is not of sufficient space to maintain all log files and there is not a schedule to rollover files on a regular basis, this is a finding.</rawString> </Rule> </IisLoggingRule> <ManualRule dscresourcemodule="None"> <Rule id="V-76773" severity="medium" conversionstatus="pass" title="SRG-APP-000001-WSR-000001" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Access the IIS 8.5 IIS Manager. Click the IIS 8.5 server. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.applicationHost/sites". Expand "siteDefaults". Expand "limits". Review the results and verify the value is greater than zero for the "maxconnections" parameter. If the maxconnections parameter is set to zero, this is a finding.</rawString> </Rule> <Rule id="V-76787" severity="medium" conversionstatus="pass" title="SRG-APP-000098-WSR-000060" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Interview the System Administrator to review the configuration of the IIS 8.5 architecture and determine if inbound web traffic is passed through a proxy. If the IIS 8.5 is receiving inbound web traffic through a proxy, the audit logs must be reviewed to determine if correct source information is being passed through by the proxy server. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Click the "Logging" icon. Click on "View log file" button. When log file is displaced, review source IP information in log entries and verify entries do not reflect the IP address of the proxy server. If the log entries in the log file(s) reflect the IP address of the proxy server as the source, this is a finding.</rawString> </Rule> <Rule id="V-76793" severity="medium" conversionstatus="pass" title="SRG-APP-000119-WSR-000069" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Click the "Logging" icon. Click "Browse" and navigate to the directory where the log files are stored. Right-click the log file name to review and click “Propertiesâ€. Click the “Security†tab; verify only authorized groups are listed, if others are listed, this is a finding. Note: The log file should be restricted as follows: SYSTEM, Auditors group: Full SAs, web managers: Read </rawString> </Rule> <Rule id="V-76795" severity="medium" conversionstatus="pass" title="SRG-APP-000120-WSR-000070" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Click the "Logging" icon. Click "Browse" and navigate to the directory where the log files are stored. Right-click the log file name to review and click “Propertiesâ€. Click the “Security†tab; verify only authorized groups are listed, if others are listed, this is a finding. Note: The log file should be restricted as follows: SYSTEM, Auditors group: Full</rawString> </Rule> <Rule id="V-76803" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000085" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Select the IIS 8.5 website. Review the features listed under the "IIS" section. If the "WebDAV Authoring Rules" icon exists, this is a finding.</rawString> </Rule> <Rule id="V-76807" severity="medium" conversionstatus="pass" title="SRG-APP-000142-WSR-000089" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Right-click on the site name under review. Select “Edit Bindingsâ€. Verify there are hostname entries and unique IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. If both hostname entries and unique IP addresses are not configure to port 80 for HTTP and port 443 for HTTPS, this is a finding.</rawString> </Rule> <Rule id="V-76811" severity="high" conversionstatus="pass" title="SRG-APP-000211-WSR-000031" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Check the account used for anonymous access to the website. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click "Authentication" in the IIS section of the website’s Home Pane. If Anonymous access is disabled, this is Not a Finding. If enabled, click “Anonymous Authentication†and then click “Edit†in the "Actions" pane. If the “Specific user†radio button is enabled and an ID is specified in the adjacent control box, this is the ID being used for anonymous access. Check privileged groups that may allow the anonymous account inappropriate membership. Click “Start†and then double-click “Server Managerâ€. Expand Configuration; expand Local Users and Groups; and then click “Groupsâ€. Review group members. Privileged Groups: Administrators Backup Operators Certificate Services (of any designation) Distributed COM Users Event Log Readers Network Configuration Operators Performance Log Users Performance Monitor Users Power Users Print Operators Remote Desktop Users Replicator Users Double-click each group and review its members. If the IUSR account or any account used for anonymous access is a member of any group with privileged access, this is a finding.</rawString> </Rule> <Rule id="V-76815" severity="medium" conversionstatus="pass" title="SRG-APP-000233-WSR-000146" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name under review. Click the "Advanced Settings" from the "Actions" pane. Review the Physical Path. If the Path is on the same partition as the OS, this is a finding.</rawString> </Rule> <Rule id="V-76849" severity="medium" conversionstatus="pass" title="SRG-APP-000427-WSR-000186" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name under review. Click “Bindings†in the “Action†Pane. Click the “HTTPS type†from the box. Click “Editâ€. Click “View†and then review and verify the certificate path. If the list of CAs in the trust hierarchy does not lead to the DoD PKI Root CA, DoD-approved external certificate authority (ECA), or DoD-approved external partner, this is a finding. If HTTPS is not an available type under site bindings, this is a finding.</rawString> </Rule> <Rule id="V-76865" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Open the IIS 8.5 Manager. Click "Application Pools". In the list of Application Pools, review the "Applications" column and verify none show more than "1" application. If any Application Pools show being applied to more than 1 application, this is a finding.</rawString> </Rule> <Rule id="V-76883" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click “Configuration Editorâ€. From the drop-down box select “system.webserver serverRuntimeâ€. If “alternateHostName†has no assigned value, this is a finding.</rawString> </Rule> <Rule id="V-76885" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000087" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Determine whether scripts are used on the web server for the target website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. If the website does not utilize CGI or ASP, this finding is Not Applicable. All interactive programs must be placed in unique designated folders based on CGI or ASP script type. Open the IIS 8.5 Manager. Right-click the IIS 8.5 web site name and select Explore. Search for the listed script extensions. Each script type must be in its unique designated folder. If scripts are not segregated from web content and in their own unique folders, then this is a finding.</rawString> </Rule> <Rule id="V-76887" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000087" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. If the website does not utilize CGI, this finding is Not Applicable. All interactive programs must have restrictive permissions. Open the IIS 8.5 Manager. Right-click the IIS 8.5 web site name and select “Exploreâ€. Search for the listed script extensions. Review the permissions to the CGI scripts and verify only the permissions listed, or more restrictive permissions are assigned. Administrators: FULL TrustedInstaller: FULL ALL APPLICATION PACKAGES: Read SYSTEM: FULL ApplicationPoolId: READ Custom Service Account: READ Users: READ If the permissions are less restrictive than listed above, this is a finding.</rawString> </Rule> <Rule id="V-76889" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000087" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. If the website does not utilize CGI, this finding is Not Applicable. Open the IIS 8.5 Manager. Right-click the IIS 8.5 web site name and select “Exploreâ€. Search for the listed script extensions Search for the following files: *.bak, *.old, *.temp, *.tmp, *.backup, or “copy of...â€. If files with these extensions are found, this is a finding.</rawString> </Rule> <Rule id="V-76891" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Note: This requirement is only applicable for private DoD websites. If a banner is required, the following banner page must be in place: “You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - At any time, the USG may inspect and seize data stored on this IS. - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy. - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.†OR If your system cannot meet the character limits to store this amount of text in the banner, the following is another option for the warning banner: "I've read & consent to terms in IS user agreem't." NOTE: While DoDI 8500.01 does not contain a copy of the banner to be used, it does point to the RMF Knowledge Service for a copy of the required text. It is also noted that the banner is to be displayed only once when the individual enters the site and not for each page. If the access-controlled website does not display this banner page before entry, this is a finding.</rawString> </Rule> </ManualRule> <MimeTypeRule dscresourcemodule="xWebAdministration"> <Rule id="V-76797.a" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000081" dscresource="xIisMimeTypeMapping"> <Ensure>Absent</Ensure> <Extension>.exe</Extension> <IsNullOrEmpty>False</IsNullOrEmpty> <MimeType>application/octet-stream</MimeType> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click on the IIS 8.5 site. Under IIS, double-click the “MIME Types†icon. From the "Group by:" drop-down list, select "Content Type". From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: If any OS shell MIME types are configured, this is a finding. .exe</rawString> </Rule> <Rule id="V-76797.b" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000081" dscresource="xIisMimeTypeMapping"> <Ensure>Absent</Ensure> <Extension>.dll</Extension> <IsNullOrEmpty>False</IsNullOrEmpty> <MimeType>application/x-msdownload</MimeType> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click on the IIS 8.5 site. Under IIS, double-click the “MIME Types†icon. From the "Group by:" drop-down list, select "Content Type". From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: If any OS shell MIME types are configured, this is a finding. .dll</rawString> </Rule> <Rule id="V-76797.c" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000081" dscresource="xIisMimeTypeMapping"> <Ensure>Absent</Ensure> <Extension>.com</Extension> <IsNullOrEmpty>False</IsNullOrEmpty> <MimeType>application/octet-stream</MimeType> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click on the IIS 8.5 site. Under IIS, double-click the “MIME Types†icon. From the "Group by:" drop-down list, select "Content Type". From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: If any OS shell MIME types are configured, this is a finding. .com</rawString> </Rule> <Rule id="V-76797.d" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000081" dscresource="xIisMimeTypeMapping"> <Ensure>Absent</Ensure> <Extension>.bat</Extension> <IsNullOrEmpty>False</IsNullOrEmpty> <MimeType>application/x-bat</MimeType> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click on the IIS 8.5 site. Under IIS, double-click the “MIME Types†icon. From the "Group by:" drop-down list, select "Content Type". From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: If any OS shell MIME types are configured, this is a finding. .bat</rawString> </Rule> <Rule id="V-76797.e" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000081" dscresource="xIisMimeTypeMapping"> <Ensure>Absent</Ensure> <Extension>.csh</Extension> <IsNullOrEmpty>False</IsNullOrEmpty> <MimeType>application/x-csh</MimeType> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click on the IIS 8.5 site. Under IIS, double-click the “MIME Types†icon. From the "Group by:" drop-down list, select "Content Type". From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: If any OS shell MIME types are configured, this is a finding. .csh</rawString> </Rule> </MimeTypeRule> <WebAppPoolRule dscresourcemodule="xWebAdministration"> <Rule id="V-76839" severity="medium" conversionstatus="pass" title="SRG-APP-000295-WSR-000012" dscresource="xWebAppPool"> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>idleTimeout</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>[TimeSpan]{0} -le [TimeSpan]'00:20:00'</OrganizationValueTestString> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the Application Pools. Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. Scroll down to the "Process Model" section and verify the value for "Idle Time-out" is set to "20". If the "Idle Time-out" is not set to "20" or less, this is a finding.</rawString> <Value> </Value> </Rule> <Rule id="V-76875" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="xWebAppPool"> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>queueLength</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le 1000</OrganizationValueTestString> <rawString>Open the IIS 8.5 Manager. Perform for each Application Pool. Click the “Application Poolsâ€. Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. Scroll down to the "General" section and verify the value for "Queue Length" is set to 1000. If the "Queue Length" is set to "1000" or less, this is not a finding.</rawString> <Value> </Value> </Rule> <Rule id="V-76877" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="xWebAppPool"> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>pingingEnabled</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Open the Internet Information Services (IIS) Manager. Click the “Application Poolsâ€. Perform for each Application Pool. Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. Scroll down to the "Process Model" section and verify the value for "Ping Enabled" is set to "True". If the value for "Ping Enabled" is not set to "True", this is a finding.</rawString> <Value>$true</Value> </Rule> <Rule id="V-76879" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="xWebAppPool"> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>rapidFailProtection</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Open the IIS 8.5 Manager. Click the “Application Poolsâ€. Perform for each Application Pool. Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. Scroll down to the "Rapid Fail Protection" section and verify the value for "Enabled" is set to "True". If the "Rapid Fail Protection:Enabled" is not set to "True", this is a finding.</rawString> <Value>$true</Value> </Rule> <Rule id="V-76881" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="xWebAppPool"> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>rapidFailProtectionInterval</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>[TimeSpan]{0} -le [TimeSpan]'00:05:00'</OrganizationValueTestString> <rawString>Open the IIS 8.5 Manager. Click the “Application Poolsâ€. Perform for each Application Pool. Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. Scroll down to the "Rapid Fail Protection" section and verify the value for "Failure Interval" is set to "5". If the "Failure Interval" is not set to "5" or less, this is a finding.</rawString> <Value> </Value> </Rule> </WebAppPoolRule> <WebConfigurationPropertyRule dscresourcemodule="xWebAdministration"> <Rule id="V-76775" severity="medium" conversionstatus="pass" title="SRG-APP-000001-WSR-000002" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.web/sessionState</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>mode</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Under the "ASP.NET" section, select "Session State". Under "Session State Mode Settings", verify the "In Process" mode is selected. If the "Session State Mode Settings" is set to "In Process", this is not a finding. Alternative method: Click the site name. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". Verify the "mode" reflects "InProc". If the "mode" is not set to "InProc", this is a finding.</rawString> <Value>InProc</Value> </Rule> <Rule id="V-76777" severity="medium" conversionstatus="pass" title="SRG-APP-000001-WSR-000002" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.web/sessionState</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>cookieless</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Under the "ASP.NET" section, select "Session State". Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mode:" drop-down list. If the "Use Cookies" mode is selected, this is not a finding. Alternative method: Click the site name. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". Verify the "cookieless" is set to "UseCookies". If the "cookieless" is not set to "UseCookies", this is a finding. </rawString> <Value>UseCookies</Value> </Rule> <Rule id="V-76779" severity="medium" conversionstatus="pass" title="SRG-APP-000014-WSR-000006" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.webServer/security/access</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>sslflags</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Double-click the "SSL Settings" icon. Verify "Require SSL" check box is selected. If the "Require SSL" check box is not selected, this is a finding.</rawString> <Value>Ssl,SslNegotiateCert,SslRequireCert,Ssl128</Value> </Rule> <Rule id="V-76805" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000086" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.web/trust</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>level</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -cmatch '^(Full|High)$'</OrganizationValueTestString> <rawString>Note: If the server being reviewed is a non-production website, this is Not Applicable. Note: Setting a web application Trust Level to MEDIUM may deny some application permissions. If compatibility issues with applications require trust level to be less than "Medium", this check can be downgraded to a Cat III with supporting documentation from the ISSO, Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name under review. Double-click the ".NET Trust Level" icon. If the ".NET Trust Level" is not set to Medium or less, this is a finding.</rawString> <Value> </Value> </Rule> <Rule id="V-76817" severity="medium" conversionstatus="pass" title="SRG-APP-000246-WSR-000149" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.webServer/security/requestFiltering/requestlimits</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>maxUrl</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le 4096</OrganizationValueTestString> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click on the site name. Double-click the "Request Filtering" icon. Click “Edit Feature Settings†in the "Actions" pane. If the "maxUrl" value is not set to "4096" or less, this is a finding.</rawString> <Value> </Value> </Rule> <Rule id="V-76819" severity="medium" conversionstatus="pass" title="SRG-APP-000246-WSR-000149" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.webServer/security/requestFiltering/requestlimits</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>maxAllowedContentLength</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le 30000000</OrganizationValueTestString> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click on the site name. Double-click the "Request Filtering" icon. Click “Edit Feature Settings†in the "Actions" pane. If the "maxAllowedContentLength" value is not set to "30000000" or less, this is a finding.</rawString> <Value> </Value> </Rule> <Rule id="V-76821" severity="medium" conversionstatus="pass" title="SRG-APP-000246-WSR-000149" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.webServer/security/requestFiltering/requestlimits</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>maxQueryString</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le 2048</OrganizationValueTestString> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click on the site name. Double-click the "Request Filtering" icon. Click “Edit Feature Settings†in the "Actions" pane. If the "Maximum Query String" value is not set to "2048" or less, this is a finding.</rawString> <Value> </Value> </Rule> <Rule id="V-76823" severity="medium" conversionstatus="pass" title="SRG-APP-000246-WSR-000149" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.webServer/security/requestFiltering</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>allowHighBitCharacters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click on the site name. Double-click the "Request Filtering" icon. Click “Edit Feature Settings†in the "Actions" pane. If the "Allow high-bit characters" check box is checked, this is a finding.</rawString> <Value>false</Value> </Rule> <Rule id="V-76825" severity="medium" conversionstatus="pass" title="SRG-APP-000246-WSR-000149" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.webServer/security/requestFiltering</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>allowDoubleEscaping</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click on the site name. Double-click the "Request Filtering" icon. Click “Edit Feature Settings†in the "Actions" pane. If the "Allow double escaping" check box is checked, this is a finding.</rawString> <Value>false</Value> </Rule> <Rule id="V-76827" severity="medium" conversionstatus="pass" title="SRG-APP-000246-WSR-000149" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.webServer/security/requestFiltering/fileExtensions</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>allowUnlisted</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click on the site name. Double-click the "Request Filtering" icon. Click “Edit Feature Settings†in the "Actions" pane. If "Allow unlisted file extensions" check box is checked, this is a finding.</rawString> <Value>false</Value> </Rule> <Rule id="V-76829" severity="medium" conversionstatus="pass" title="SRG-APP-000251-WSR-000157" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.webServer/directoryBrowse</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>enabled</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Click the Site. Double-click the "Directory Browsing" icon. If the "Directory Browsing" is not installed, this is Not Applicable. Under the "Actions" pane verify "Directory Browsing" is "Disabled". If "Directory Browsing" is not "Disabled", this is a finding.</rawString> <Value>false</Value> </Rule> <Rule id="V-76835" severity="medium" conversionstatus="pass" title="SRG-APP-000266-WSR-000159" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.webServer/httpErrors</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>errormode</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name under review. Double-click the "Error Pages" icon. Click each error message and click "Edit Feature" setting from the "Actions" pane. If any error message is not set to “Detailed errors for local requests and custom error pages for remote requestsâ€, this is a finding.</rawString> <Value>DetailedLocalOnly</Value> </Rule> <Rule id="V-76837" severity="medium" conversionstatus="pass" title="SRG-APP-000266-WSR-000160" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.web/compilation</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>debug</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Note: If the ".NET feature" is not installed, this check is Not Applicable. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name under review. Double-click ".NET Compilation". Scroll down to the "Behavior" section and verify the value for "Debug" is set to "False". If the "Debug" value is not set to "False", this is a finding.</rawString> <Value>false</Value> </Rule> <Rule id="V-76841" severity="medium" conversionstatus="pass" title="SRG-APP-000295-WSR-000134" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.web/sessionState</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>timeout</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>[TimeSpan]{0} -le [TimeSpan]'00:20:00'</OrganizationValueTestString> <rawString> Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". 76837 Verify the "timeout" is set to "00:20:00 or lessâ€, using the lowest value possible depending upon the application. Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications. If "timeout" is not set to "00:20:00 or lessâ€, this is a finding. </rawString> <Value> </Value> </Rule> <Rule id="V-76855" severity="medium" conversionstatus="pass" title="SRG-APP-000439-WSR-000152" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.webServer/asp/session</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>keepSessionIdSecure</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>Follow the procedures below for each site hosted on the IIS 8.5 web server: Access the IIS 8.5 Manager. Select the website being reviewed. Under "Management" section, double-click the "Configuration Editor" icon. From the "Section:" drop-down list, select “system.webServer/asp". Expand the "session" section. Verify the "keepSessionIdSecure" is set to "True". If the "keepSessionIdSecure" is not set to "True", this is a finding.</rawString> <Value>True</Value> </Rule> <Rule id="V-76857.a" severity="medium" conversionstatus="pass" title="SRG-APP-000439-WSR-000153" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.web/httpCookies</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>requireSSL</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>From the "Section:" drop-down list, select "system.web/httpCookies". Verify the "require SSL" is set to "True".</rawString> <Value>True</Value> </Rule> <Rule id="V-76857.b" severity="medium" conversionstatus="pass" title="SRG-APP-000439-WSR-000153" dscresource="xWebConfigKeyValue"> <ConfigSection>/system.web/sessionState</ConfigSection> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>compressionEnabled</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <rawString>From the "Section:" drop-down list, select "system.web/sessionState". Verify the "compressionEnabled" is set to "False".</rawString> <Value>False</Value> </Rule> </WebConfigurationPropertyRule> </DISASTIG> |