Free DISA STIG and SRG Library | Vaulted

IIS 7.0 Site STIG

Version 1 Release 18 (compared against Version 1 Release 17)
2019-04-26 (previous release: 2018-10-26)
U_MS_IIS_7-0_Site_STIG_V1R18_Manual-xccdf.xml (previous release: U_MS_IIS_7-0_Site_STIG_V1R17_Manual-xccdf.xml)
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Compare Summary

Compare V1R18 to V1R17: 1 updated, 0 added, 0 removed.

Vulnerabilities (48)

The production web-site must configure the Global .NET Trust Level.

Finding ID
WA000-WI6200
Rule ID
SV-46354r3_rule (previously SV-46354r2_rule)
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6200
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

An application's trust level determines the permissions granted by the ASP.NET Code Access Security (CAS) policy. An application with full trust permissions may access all resource types on a server and perform privileged operations, while applications running with partial trust have varying levels of operating permissions and access to resources. The CAS determines the permissions granted to the application on the server. Setting a level of trust compatible with the applications will limit the potential harm a compromised application could cause to a system.

Fix Text

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the ".NET Trust Level" icon. 4. Set the .NET Trust level to "Medium" or less and click "Apply".

Check Content

Note: If the server being reviewed is a non-production website, this is Not Applicable. Note: Setting a web application Trust Level to MEDIUM may deny some application permissions. If compatibility issues with applications require the trust level to be less than "Medium", this check can be downgraded to a Cat III with supporting documentation from the Authorizing Official (AO). 1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the ".NET Trust Level" icon. 4. If the .NET Trust level is not set to "Medium" or less, this is a finding.

Responsibility

Web Administrator

A private web-site must utilize certificates from a trusted DoD CA.

Finding ID
WG355 IIS7
Rule ID
SV-32473r2_rule
Severity
Cat II
CCE
(None)
Group Title
WG355
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The use of a DoD PKI certificate assures clients that the private web site they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.

Fix Text

1. Open the IIS Manager. 2. Click the Server name. 3. Double-Click Server Certificates. 4. Click Import under the Actions Pane. 5. Browse to the DoD certificate location, select it, and click OK. 6. Remove any non-DoD certificates if present. 7. Click on the site needing the certificate. 8. Select Bindings under the Actions Pane. 9. Click on the binding needing a certificate and select edit, or add a site binding for HTTPS and execute step 10. 10. Assign the certificate to the web site by choosing it under the SSL Certificate drop down and clicking OK.

Check Content

1. Open the IIS Manager. 2. Click the site name under review. 3. Click Bindings in the Action Pane. 4. Click the HTTPS type from the box. 5. Click Edit. 6. Click View, review and verify the certificate path. If the list of CAs in the trust hierarchy does not lead to the DoD PKI Root CA, DoD-approved external certificate authority (ECA), or DoD-approved external partner, this is a finding. If HTTPS is not an available type under site bindings, this is a finding.

Responsibility

System Administrator

Remote authors or content providers will only use secure encrypted logons and connections to upload files to the Document Root directory.

Finding ID
WG235
Rule ID
SV-14278r2_rule
Severity
Cat I
CCE
(None)
Group Title
WG235
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Logging in to a web server via a telnet session or using HTTP or FTP in order to upload documents to the web site is a risk if proper encryption is not utilized to protect the data being transmitted. A secure shell service or HTTPS needs to be installed and in use for these purposes.

Fix Text

Use only secure encrypted logons and connections for uploading files to the web site.

Check Content

Query the SA to determine if there is a process for the uploading of files to the web site. This process should include the requirement for the use of a secure encrypted logon and secure encrypted connection. If the remote users are uploading files without utilizing approved encryption methods, this is a finding.

Responsibility

Web Administrator

Log files must consist of the required data fields.

Finding ID
WG242 IIS7
Rule ID
SV-32480r3_rule
Severity
Cat II
CCE
(None)
Group Title
WG242
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Log files are a critical component to the successful management of an IS used within the DoD. By generating log files with useful information, web administrators can leverage them in the event of a disaster, malicious attack, or other site-specific needs.

Fix Text

1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Under Format select W3C. 5. Select the following fields: Date, Time, Client IP Address, User Name, Method, URI Query, Protocol Status, and Referrer.

Check Content

Follow the procedures below for each site under review: 1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Under Format select W3C. 5. Click Select Fields, ensure at a minimum the following fields are checked: Date, Time, Client IP Address, User Name, Method, URI Query, Protocol Status, and Referrer. If logging is not enabled, this is a finding.

Responsibility

System Administrator

Access to the web-site log files must be restricted.

Finding ID
WG255 IIS7
Rule ID
SV-46353r5_rule
Severity
Cat II
CCE
(None)
Group Title
WG255
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The access and error logs are a major tool for exploring web-site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Failure to protect log files could enable an attacker to modify the log file data or falsify events to mask an attacker's activity.

Fix Text

1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Beside Directory, Click Browse. 5. Right-click the log file name to review and click Properties. 6. Click the Security tab. 7. Set the log file permissions for the appropriate group.

Check Content

Follow the procedures below for each site under review: 1. Open the IIS Manager. 2. Click the site name. 3. Click the Logging icon. 4. Beside Directory, click Browse. 5. Right-click the log file name to review and click Properties. 6. Click the Security tab and ensure only authorized groups are listed. If others are listed, this is a finding.

Responsibility

System Administrator

Public web servers must use TLS if authentication is required.

Finding ID
WG342 IIS7
Rule ID
SV-32483r3_rule
Severity
Cat II
CCE
(None)
Group Title
WG342
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure. Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network. To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.

Fix Text

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the SSL icon. 4. Check the Require SSL and Require 128-bit SSL check boxes.

Check Content

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the SSL icon. 4. Ensure Require SSL and Require 128-bit SSL are checked. Note: If the Require SSL 128-Bit setting is not visible, the setting can be viewed by clicking the site under review and then opening the Configuration Editor. In the Section drop-down at the top of the Configuration Editor, select system.webServer/security/access. The value for sslFlags should be ssl128. If not, this is a finding. If the site requires SSL and 128-bit encryption, then the version of SSL/TLS also needs to be verified. The following registry keys need to exist and be set to not allow anything lower than TLS. This can be accomplished by ensuring the following value exists in each of the keys:

Enabled REG_DWORD 0

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

If these keys are not set to a DWORD value of 0, this is a finding. If the keys do not contain the value "Enabled", this is also a finding. The keys for TLS 1.0 do not require the "Enabled" value to be present, but if it is, it needs to be set to REG_DWORD 1 to enable TLS. If the "Enabled" value is present and set to 0, this is a finding. TLS 1.1 and 1.2 are not supported in versions prior to IIS 7.5. If the version of IIS is prior to 7.5, the check for TLS 1.1 and 1.2 is NA.

TLS 1.1 and 1.2 are not enabled by default; therefore the following registry keys must exist and contain the following values to enable TLS 1.1 and 1.2:

DisabledByDefault REG_DWORD 0
Enabled REG_DWORD 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

If any of the registry keys for TLS 1.1 or TLS 1.2 are not present or are not set correctly, this is a finding.
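The registry portion of the WG342 check above, written out as an added PowerShell audit (this is not part of the STIG or of any DISA tooling). It reads only the SCHANNEL keys and values the check names; the function names are my own, and the switch for IIS versions before 7.5 reflects the NA clause in the check.

```powershell
# Added example, not STIG-provided: audit the SCHANNEL protocol values listed in WG342.
# Run in an elevated PowerShell session on the IIS host. Only reads the registry.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelValue {
    # Returns the DWORD value, or $null when the key or the value is absent.
    param([string]$Protocol, [string]$Side, [string]$Name)
    $path = Join-Path $SchannelBase "$Protocol\$Side"
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.PSObject.Properties[$Name]) { return $null }
    return [int]$item.$Name
}

function Test-SchannelCompliance {
    # Pass -SupportsTls11And12:$false for IIS versions before 7.5 (TLS 1.1/1.2 check is NA).
    param([bool]$SupportsTls11And12 = $true)
    $findings = @()

    # PCT 1.0, SSL 2.0, SSL 3.0: key must exist and carry Enabled = 0 on both Client and Server.
    foreach ($proto in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0') {
        foreach ($side in 'Client', 'Server') {
            $enabled = Get-SchannelValue $proto $side 'Enabled'
            if ($null -eq $enabled)  { $findings += "$proto\$side : 'Enabled' value missing" }
            elseif ($enabled -ne 0)  { $findings += "$proto\$side : Enabled=$enabled, expected 0" }
        }
    }

    # TLS 1.0: Enabled may be absent, but if present it must be 1.
    foreach ($side in 'Client', 'Server') {
        $enabled = Get-SchannelValue 'TLS 1.0' $side 'Enabled'
        if ($null -ne $enabled -and $enabled -ne 1) {
            $findings += "TLS 1.0\$side : Enabled=$enabled, expected 1 (or absent)"
        }
    }

    # TLS 1.1 and 1.2: both values must be present, Enabled = 1 and DisabledByDefault = 0.
    if ($SupportsTls11And12) {
        foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
            foreach ($side in 'Client', 'Server') {
                $enabled  = Get-SchannelValue $proto $side 'Enabled'
                $disabled = Get-SchannelValue $proto $side 'DisabledByDefault'
                # $null compares unequal to the expected number, so a missing value is a finding too.
                if ($enabled -ne 1)  { $findings += "$proto\$side : Enabled must be 1 (found '$enabled')" }
                if ($disabled -ne 0) { $findings += "$proto\$side : DisabledByDefault must be 0 (found '$disabled')" }
            }
        }
    }
    return $findings
}

$result = @(Test-SchannelCompliance)
if ($result.Count -eq 0) { 'WG342 SCHANNEL protocol settings: no findings' }
else { $result | ForEach-Object { "FINDING: $_" } }
```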

Responsibility

System Administrator

The Content Location header must not contain proprietary IP addresses.

Finding ID
WA000-WI120 IIS7
Rule ID
SV-32514r2_rule
Severity
Cat III
CCE
(None)
Group Title
WA000-WI120
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

When using static HTML pages, a Content-Location header is added to the response. The Internet Information Server (IIS) Content-Location may reference the IP address of the server, rather than the Fully Qualified Domain Name (FQDN) or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses, to sending the FQDN instead.

Fix Text

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click Configuration Editor. 4. Click the drop-down box located at the top of the Configuration Editor Pane. 5. Scroll until you find system.webserver/serverRuntime, double-click the element, and add the appropriate value.

Check Content

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click Configuration Editor. 4. From the drop-down box select system.webserver/serverRuntime. If alternateHostName has no assigned value, this is a finding.
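The site-level settings that WA000-WI6200 (.NET trust level), WG342 (sslFlags), WG242 (W3C log fields) and WA000-WI120 (alternateHostName) inspect through IIS Manager can also be read from the same configuration sections with the WebAdministration module. This is an added example, not STIG or DISA code; it assumes the module is available (it ships with IIS 7.5 and later, while IIS 7.0 needs the separately installed IIS PowerShell snap-in), and the function name and the label-to-field map are my own.

```powershell
# Added example, not STIG-provided: read the per-site settings behind four of the checks above.
Import-Module WebAdministration   # assumption: module present (IIS 7.5+); IIS 7.0 uses the snap-in

# W3C field names as stored in logExtFileFlags, keyed by the labels the WG242 check text uses.
$RequiredLogFields = @{
    'Date' = 'Date'; 'Time' = 'Time'; 'Client IP Address' = 'ClientIP'; 'User Name' = 'UserName'
    'Method' = 'Method'; 'URI Query' = 'UriQuery'; 'Protocol Status' = 'HttpStatus'; 'Referrer' = 'Referer'
}

function Get-SiteStigFindings {
    param([Parameter(Mandatory = $true)][string]$SiteName)
    $psPath   = "IIS:\Sites\$SiteName"
    $findings = @()

    # WA000-WI6200: production sites must run at Medium trust or lower.
    $trust = (Get-WebConfiguration -Filter 'system.web/trust' -PSPath $psPath).level
    if (@('Medium', 'Low', 'Minimal') -notcontains "$trust") {
        $findings += "WA000-WI6200: .NET trust level is '$trust' (expected Medium or lower)"
    }

    # WG342: Require SSL + Require 128-bit SSL are stored as sslFlags containing Ssl128.
    $sslFlags = (Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $psPath).sslFlags
    if ("$sslFlags" -notmatch 'Ssl128') {
        $findings += "WG342: sslFlags is '$sslFlags' (expected to include Ssl128)"
    }

    # WA000-WI120: alternateHostName must be set so Content-Location carries the FQDN, not an IP.
    $altHost = (Get-WebConfiguration -Filter 'system.webServer/serverRuntime' -PSPath $psPath).alternateHostName
    if ([string]::IsNullOrEmpty("$altHost")) {
        $findings += 'WA000-WI120: serverRuntime/alternateHostName has no value'
    }

    # WG242: logging enabled, W3C format, and the minimum field set selected.
    $log = (Get-Item $psPath).logFile
    # logFile/enabled exists from IIS 7.5; on IIS 7.0 it is $null here and this test is skipped.
    if ($log.enabled -eq $false) { $findings += 'WG242: logging is disabled for this site' }
    if ($log.logFormat -ne 'W3C') { $findings += "WG242: log format is '$($log.logFormat)' (expected W3C)" }
    $present = "$($log.logExtFileFlags)" -split ',' | ForEach-Object { $_.Trim() }
    foreach ($label in $RequiredLogFields.Keys) {
        if ($present -notcontains $RequiredLogFields[$label]) {
            $findings += "WG242: required log field '$label' ($($RequiredLogFields[$label])) is not selected"
        }
    }
    return ,$findings
}

foreach ($site in Get-Website) {
    $result = Get-SiteStigFindings -SiteName $site.Name
    if ($result.Count -eq 0) { "$($site.Name): no findings" }
    else { $result | ForEach-Object { "$($site.Name): FINDING: $_" } }
}
```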

Responsibility

Web Administrator

The website must have a unique application pool.

Finding ID
WA000-WI6010 IIS7
Rule ID
SV-32515r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6010
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool.

Fix Text

1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings in the Action Pane. 4. Under the General section click on the application pool name, then click on the application pool selection button. 5. Select the desired application pool in the application pool dialogue box.

Check Content

1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings in the Action Pane. 4. Under the General section review the application pool name. 5. If any websites share an application pool, this is a finding.

Responsibility

Web Administrator

The application pool must have a recycle time set.

Finding ID
WA000-WI6020 IIS7
Rule ID
SV-46344r4_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6020
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks.

Fix Text

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an application pool and click Recycling... in the Action Pane. 4. Choose a fixed interval type of fixed time and/or specific time. If regular time interval is the only type chosen, then the value entered must be greater than 0. NOTE: Do not click Recycle!

Check Content

Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight the desired application pool and click Recycling... in the Action Pane. 4. Review the Fixed Intervals section. If both Regular time intervals and Specific time(s) are unchecked, this is a finding. If only Regular Time Intervals is checked and the value is set to 0, this is a finding. NOTE: Do not click Recycle!

Responsibility

Web Administrator

The maximum number of requests an application pool can process must be set.

Finding ID
WA000-WI6022 IIS7
Rule ID
SV-46345r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6022
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.

Fix Text

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and set the value for Request Limit to a value other than 0.

Check Content

Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and ensure the value for Request Limit is set to a value other than 0. If not, this is a finding.

Responsibility

Web Administrator

The amount of virtual memory an application pool uses must be set.

Finding ID
WA000-WI6024 IIS7
Rule ID
SV-46347r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6024
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.

Fix Text

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. In the advanced settings dialog box scroll down to the recycling section and set the value for Virtual Memory Limit to a value other than 0.

Check Content

Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. 1. Open the IIS Manager. 2. Click on Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. In the advanced settings dialog box scroll down to the recycling section and ensure the value for Virtual Memory Limit is not set to 0. If it is, this is a finding.

Responsibility

Web Administrator

The amount of private memory an application pool uses must be set.

Finding ID
WA000-WI6026 IIS7
Rule ID
SV-46349r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6026
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.

Fix Text

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and set the value for Private Memory Limit to a value other than 0.

Check Content

Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool and click Advanced Settings in the Action Pane. 4. Scroll down to the recycling section and ensure the value for Private Memory Limit is set to a value other than 0. If not, this is a finding.

Responsibility

Web Administrator

The Idle Timeout monitor must be enabled.

Finding ID
WA000-WI6028 IIS7
Rule ID
SV-32572r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6028
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The idle time-out attribute controls the amount of time a worker process will remain idle before it shuts down. A worker process is idle if it is not processing requests and no new requests are received. The purpose of this attribute is to conserve system resources; the default value for idle time-out is 20 minutes. By default, the World Wide Web (WWW) service establishes an overlapped recycle, in which the worker process to be shut down is kept running until after a new worker process is started.

Fix Text

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and set the value for Idle Time-out to 20.

Check Content

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and ensure the value for Idle Time-out is set to 20. If not, this is a finding. NOTE: If the site has operational reasons to set Idle Time-out to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Responsibility

Web Administrator

The maximum queue length for HTTP.sys must be managed.

Finding ID
WA000-WI6030 IIS7
Rule ID
SV-32573r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6030
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

In order to determine the possible causes of client connection errors and to conserve system resources, it is important to both log errors and manage those settings controlling requests to the application pool.

Fix Text

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the General section and set the value for Queue Length to 1000.

Check Content

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the General section and ensure the value for Queue Length is set to 1000. If not, this is a finding. NOTE: If the site has operational reasons to set Queue Length to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Responsibility

Web Administrator

An application pool’s pinging monitor must be enabled.

Finding ID
WA000-WI6032 IIS7
Rule ID
SV-32574r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6032
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Windows Process Activation Service (WAS) manages application pool configurations and may flag a worker process as unhealthy and shut it down. An application pool’s pinging monitor must be enabled to confirm worker processes are functional. A lack of response from the worker process might mean the worker process does not have a thread to respond to the ping request, or it is hanging for some other reason. The ping interval and ping response time may need adjustment to gain access to timely information about application pool health without triggering false, unhealthy conditions; for example, instability caused by an application.

Fix Text

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and set the value for Ping Enabled to True.

Check Content

1. Open the Internet Information Services (IIS) Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and ensure the value for Ping Enabled is set to True. If not, this is a finding.

Responsibility

Web Administrator

An application pool’s rapid fail protection must be enabled.

Finding ID
WA000-WI6034 IIS7
Rule ID
SV-32603r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6034
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Rapid fail protection is a feature that interrogates the health of worker processes associated with web sites and web applications. It can be configured to perform a number of actions such as shutting down and restarting worker processes that have reached failure thresholds. By not setting rapid fail protection, the web server could become unstable in the event of a worker process crash, potentially leaving the web server unusable.

Fix Text

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and set the value for Enabled to True.

Check Content

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and ensure the value for Enabled is set to True. If not, this is a finding.

Responsibility

Web Administrator

An application pool’s rapid fail protection settings must be managed.

Finding ID
WA000-WI6036 IIS7
Rule ID
SV-32605r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6036
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Windows Process Activation Service (WAS) manages application pool configuration and may flag a worker process as unhealthy and shut it down. The rapid fail protection must be set to a suitable value. A lack of response from the worker process might mean the worker process does not have a thread to respond to the ping request, or that it is hanging for some other reason. The ping interval and ping response time may need adjustment to gain access to timely information about application pool health without triggering false, unhealthy conditions.

Fix Text

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and set the value for Failure Interval to 5.

Check Content

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Rapid Fail Protection section and ensure the value for Failure Interval is set to 5. If not, this is a finding. NOTE: If the site has operational reasons to set Failure Interval to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Responsibility

Web Administrator

The application pool identity must be defined for each web-site.

Finding ID
WA000-WI6040 IIS7
Rule ID
SV-46365r2_rule
Severity
Cat I
CCE
(None)
Group Title
WA000-WI6040
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Worker Process Identity is the user defined to run an application pool. IIS 7 worker processes, by default, run under the NetworkService account. Creating a custom identity for each application pool will better track issues occurring within each web-site. When a custom identity is used, the rights and privileges must not exceed those associated with the NetworkService security principal.

Fix Text

1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and set the value for Identity to ApplicationPoolIdentity, Network Service or a custom identity with rights and privileges equal to or less than the built-in security principal.

Check Content

This check is only applicable when IIS is running on Windows Server 2008 SP2 or Windows Server 2008 R2. 1. Open the IIS Manager. 2. Click the Application Pools. 3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane. 4. Scroll down to the Process Model section and ensure the value for Identity is set to ApplicationPoolIdentity, Network Service or a custom identity. If not, this is a finding.
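The application pool checks WA000-WI6010 through WA000-WI6040 above all read values from the pool's Advanced Settings; the following added PowerShell audit (not STIG or DISA code) reads the same attributes through the WebAdministration module and reports each deviation against the thresholds stated in the check text. It assumes the module is available, and the function name is my own; ISSO-documented deviations for Idle Time-out, Queue Length and Failure Interval still have to be reviewed by hand.

```powershell
# Added example, not STIG-provided: audit application pool settings against WA000-WI6010..WI6040.
Import-Module WebAdministration   # assumption: module present (IIS 7.5+); IIS 7.0 uses the snap-in

function Get-AppPoolStigFindings {
    param([Parameter(Mandatory = $true)][string]$PoolName)
    $pool     = Get-Item "IIS:\AppPools\$PoolName"
    $r        = $pool.recycling.periodicRestart
    $pm       = $pool.processModel
    $rfp      = $pool.failure
    $findings = @()

    # WA000-WI6020: a regular time interval and/or at least one specific recycle time must be set.
    $interval  = [TimeSpan]$r.time
    $schedules = @($r.schedule.Collection | Where-Object { $null -ne $_ }).Count
    if ($interval -eq [TimeSpan]::Zero -and $schedules -eq 0) {
        $findings += 'WA000-WI6020: neither a regular time interval nor a specific recycle time is set'
    }

    # WA000-WI6022 / WI6024 / WI6026: request, virtual memory and private memory limits must not be 0.
    if ([int64]$r.requests      -eq 0) { $findings += 'WA000-WI6022: Request Limit is 0' }
    if ([int64]$r.memory        -eq 0) { $findings += 'WA000-WI6024: Virtual Memory Limit is 0' }
    if ([int64]$r.privateMemory -eq 0) { $findings += 'WA000-WI6026: Private Memory Limit is 0' }

    # WA000-WI6028: Idle Time-out 20 minutes. WA000-WI6030: Queue Length 1000.
    if ([TimeSpan]$pm.idleTimeout -ne [TimeSpan]::FromMinutes(20)) {
        $findings += "WA000-WI6028: Idle Time-out is $($pm.idleTimeout) (expected 00:20:00)"
    }
    if ([int]$pool.queueLength -ne 1000) {
        $findings += "WA000-WI6030: Queue Length is $($pool.queueLength) (expected 1000)"
    }

    # WA000-WI6032 / WI6034 / WI6036: ping monitor on, rapid fail protection on, Failure Interval 5.
    if (-not [bool]$pm.pingingEnabled)       { $findings += 'WA000-WI6032: Ping Enabled is False' }
    if (-not [bool]$rfp.rapidFailProtection) { $findings += 'WA000-WI6034: Rapid Fail Protection is disabled' }
    if ([TimeSpan]$rfp.rapidFailProtectionInterval -ne [TimeSpan]::FromMinutes(5)) {
        $findings += "WA000-WI6036: Failure Interval is $($rfp.rapidFailProtectionInterval) (expected 00:05:00)"
    }

    # WA000-WI6040: identity must be ApplicationPoolIdentity, NetworkService or a custom account
    # (identityType SpecificUser). LocalSystem and LocalService exceed NetworkService's privileges.
    if (@('ApplicationPoolIdentity', 'NetworkService', 'SpecificUser') -notcontains "$($pm.identityType)") {
        $findings += "WA000-WI6040: identity type is '$($pm.identityType)'"
    }
    return ,$findings
}

# WA000-WI6010: no two sites may share an application pool.
Get-Website | Group-Object applicationPool | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $sites = ($_.Group | ForEach-Object { $_.Name }) -join ', '
    "FINDING WA000-WI6010: application pool '$($_.Name)' is shared by: $sites"
}

foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $result = Get-AppPoolStigFindings -PoolName $pool.Name
    if ($result.Count -eq 0) { "$($pool.Name): no findings" }
    else { $result | ForEach-Object { "$($pool.Name): FINDING: $_" } }
}
```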

Responsibility

Web Administrator

Web sites must utilize ports, protocols, and services according to PPSM guidelines.

Finding ID
WG610 IIS7
Rule ID
SV-33822r2_rule
Severity
Cat III
CCE
(None)
Group Title
WG610
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS. The IAM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM), and the associated Ports, Protocols, and Services (PPS) Assurance Category Assignments List.

Fix Text

Ensure the web site enforces the use of HTTP and HTTPS in accordance with PPSM guidance. 1. Open the IIS Manager. 2. Click the site name under review. 3. In the Action Pane, click Bindings. 4. Edit to change an existing binding and set the correct ports and protocol.

Check Content

Review the web site to determine if HTTP and HTTPS (e.g., ports 80 and 443) are used in accordance with those ports and services registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM. 1. Open the IIS Manager. 2. Click the site name under review. 3. In the Action Pane, click Bindings. 4. Review the ports and protocols. If unknown ports or protocols are used, then this is a finding.

Responsibility

Information Assurance Officer

Web content directories must not be anonymously shared.

Finding ID
WG210 IIS7
Rule ID
SV-32529r2_rule
Severity
Cat II
CCE
(None)
Group Title
WG210
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Anonymously shared directories are exposed to unnecessary risk. Any unnecessary exposure increases the risk that an intruder could exploit this access and compromise the web content or cause web server performance problems.

Fix Text

1. Open the IIS Manager. 2. Click the site name under review. 3. Click Edit Permissions on the Actions Pane. 4. Select the Sharing button. 5. Click Share and then click stop sharing.

Check Content

1. Open the IIS Manager. 2. Click the site name under review. 3. Click Edit Permissions on the Actions Pane. 4. Click the Sharing tab. 5. If there are any anonymous shares under Network File and Folder sharing, this is a finding.

Responsibility

System Administrator

All interactive programs must be placed in unique designated folders.

Finding ID
WG400 IIS7
Rule ID
SV-32327r2_rule
Severity
Cat II
CCE
(None)
Group Title
WG400
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

CGI & ASP scripts represent one of the most common and exploitable means of compromising a web server. All CGI & ASP program files must be segregated into their own unique folder to simplify the protection of these files. ASP scripts must be placed into a unique folder only containing other ASP scripts. JAVA and other technology-specific scripts must also be placed into their own unique folders. Placing CGI, ASP, or equivalent scripts in dedicated folders gives the Web Manager or the SA control over what goes into those folders and facilitates access control at the folder level.

Fix Text

All interactive programs must be placed in unique designated folders based on CGI or ASP script type. 1. Open the IIS Manager. 2. Right-click on the Site name and select Explore. 3. Search for the listed script extensions. 4. Move each script type to its unique designated folder. 5. Set the permissions to the scripts folders as follows:

Administrators: FULL
TrustedInstaller: FULL
SYSTEM: FULL
ApplicationPoolId: READ
Custom Service Account: READ
Users: READ

Check Content

Determine whether scripts are used on the web server for the target website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. If the web site does not utilize CGI or ASP, this finding is N/A. All interactive programs must be placed in unique designated folders based on CGI or ASP script type. 1. Open the IIS Manager. 2. Right-click on the Site name and select Explore. 3. Search for the listed script extensions. 4. Each script type must be in its unique designated folder. If scripts are not segregated from web content and in their own unique folders, then this is a finding.

Responsibility

System Administrator

All interactive programs must have restrictive access controls.

Finding ID
WG410 IIS7
Rule ID
SV-32326r2_rule
Severity
Cat II
CCE
(None)
Group Title
WG410
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

CGI is a programming standard for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does represent a CGI script, but CGI scripts may be written in a number of programming languages (e.g., PERL, C, PHP, and JavaScript), each having its own unique file extension. The use of CGI scripts represents one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network.

Fix Text

All interactive programs must have restrictive permissions.
1. Open the IIS Manager.
2. Right-click on the Site name and select Explore.
3. Search for the listed script extensions.
4. Set the permissions on the CGI scripts as follows:
   Administrators: FULL
   TrustedInstaller: FULL
   SYSTEM: FULL
   ApplicationPoolId: READ
   Custom Service Account: READ
   Users: READ

Check Content

Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. If the web site does not utilize CGI, this finding is N/A. All interactive programs must have restrictive permissions.
1. Open the IIS Manager.
2. Right-click on the Site name and select Explore.
3. Search for the listed script extensions.
4. Verify the permissions on the CGI scripts are set as follows:
   Administrators: FULL
   TrustedInstaller: FULL
   SYSTEM: FULL
   ApplicationPoolId: READ
   Custom Service Account: READ
   Users: READ
If the permissions listed above are less restrictive, this is a finding.

Responsibility

Web Administrator

Backup interactive scripts must be removed from the web site.

Finding ID
WG420 IIS7
Rule ID
SV-32630r3_rule
Severity
Cat III
CCE
(None)
Group Title
WG420
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as the actual script being executed and, as such, are useful to malicious users. Techniques and systems exist today to search web servers for such files and are able to exploit the information contained in them.

Fix Text

Remove the backup files from the production web site.

Check Content

This check is limited to CGI/interactive content and not static HTML. Search the IIS Root and Site Directories for the following files: *.bak, *.old, *.temp, *.tmp, *.backup, or ‘copy of...’. If files with these extensions are found, this is a finding.
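The following PowerShell scan is an added example and is not part of the STIG. It searches the supplied directories for the backup patterns the WG420 check lists and, because the check is limited to interactive content, marks each hit whose original file name carried one of the script extensions listed in WG400/WG410. The root paths in the usage comment are placeholders.

```powershell
# Added example, not part of the STIG: find backup copies of interactive scripts
# under the IIS root and site directories. The backup patterns are the ones the
# WG420 check lists; the script extensions are the ones WG400/WG410 list. Only
# files whose original name carried a script extension are flagged Interactive,
# since the check excludes static HTML. Read-only: nothing is deleted.

$BackupPatterns   = '*.bak', '*.old', '*.temp', '*.tmp', '*.backup', 'copy of*'
$ScriptExtensions = '.cgi', '.pl', '.vb', '.class', '.c', '.php', '.asp', '.aspx'

function Get-BackupScriptFindings {
    param([Parameter(Mandatory)] [string[]] $Root)   # IIS root and site directories

    $hits = Get-ChildItem -Path $Root -Recurse -Force -Include $BackupPatterns -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }

    foreach ($hit in $hits) {
        # "Copy of login.asp" keeps its real extension; "login.asp.bak" hides it
        # behind the backup suffix, so strip that suffix first.
        $original = if ($hit.Name -like 'copy of*') { $hit.Name } else { [System.IO.Path]::GetFileNameWithoutExtension($hit.Name) }
        $ext = [System.IO.Path]::GetExtension($original).ToLowerInvariant()
        [pscustomobject]@{
            File        = $hit.FullName
            Original    = $original
            Interactive = ($ScriptExtensions -contains $ext)   # within WG420 scope
            LastWrite   = $hit.LastWriteTime
        }
    }
}

# Usage (paths are placeholders for the IIS root and site directories):
#   Get-BackupScriptFindings -Root 'C:\inetpub\wwwroot', 'D:\wwwroot\MySite' |
#       Where-Object { $_.Interactive } | Format-Table -AutoSize
```

Every hit is reported so that backup copies of static content can still be reviewed; filtering on Interactive gives the set that constitutes a WG420 finding.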

Responsibility

System Administrator

Web sites must limit the number of simultaneous requests.

Finding ID
WG110 IIS7
Rule ID
SV-32323r6_rule
Severity
Cat II
CCE
(None)
Group Title
WG110
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web-site, facilitating a Denial of Service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive (i.e., a parameter used to limit the amount of time a connection may be inactive).

Fix Text

For the site under review, determine the maximum number of connections needed.
1. Open an administrator command prompt.
2. CD \Windows\system32\inetsrv
3. Enter the command: appcmd set config -section:system.applicationHost/sites "/[name='SITENAME'].limits.maxConnections:X" /commit:apphost
Note: Replace SITENAME with the site under review and X with the maximum number of connections allowable.
4. Enter the command to verify the change: appcmd list config -section:system.applicationHost/sites > out.txt, then open out.txt in Notepad to review the output.

Check Content

1. Open an administrator command prompt.
2. CD \Windows\system32\inetsrv
3. Enter the command: appcmd list config /section:system.applicationHost/sites > out.txt, then open out.txt in Notepad to review the output.
4. Review the results and verify each website has a value greater than zero listed for the maxConnections parameter. If not, this is a finding. If nothing is listed, this is also a finding.
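Reviewing out.txt by eye is error-prone on a server with many sites. The PowerShell function below is an added example (not part of the STIG) that applies the WG110 check to the XML that appcmd prints for the sites section: a site whose limits element is absent, or whose maxConnections is absent or zero, is reported as a finding. The sample XML is constructed; the site names and values in it are made up.

```powershell
# Added example, not part of the STIG: audit per-site maxConnections from the
# XML that "appcmd list config /section:system.applicationHost/sites" prints
# (or from applicationHost.config). A site whose <limits> element or
# maxConnections attribute is missing, or whose value is 0, is reported as a
# finding, matching the WG110 check ("nothing listed" is also a finding).

function Get-SiteConnectionLimitFindings {
    param(
        [Parameter(Mandatory)] [xml] $SitesConfig   # parsed <sites> section
    )
    foreach ($site in $SitesConfig.SelectNodes('//site')) {
        $limits = $site.SelectSingleNode('limits')
        $raw    = if ($null -ne $limits) { $limits.GetAttribute('maxConnections') } else { '' }
        [uint32] $value = 0
        $parsed = [uint32]::TryParse($raw, [ref] $value)
        $max    = if ($parsed) { $value } else { $null }
        [pscustomobject]@{
            Site           = $site.GetAttribute('name')
            MaxConnections = $max
            Finding        = (-not $parsed) -or ($value -eq 0)
        }
    }
}

# Constructed sample in the shape appcmd prints; site names and values are made up.
$sample = [xml] @'
<system.applicationHost>
  <sites>
    <site name="Default Web Site" id="1">
      <limits maxConnections="500" />
    </site>
    <site name="Intranet" id="2">
      <limits maxConnections="0" />
    </site>
    <site name="Portal" id="3" />
  </sites>
</system.applicationHost>
'@
Get-SiteConnectionLimitFindings -SitesConfig $sample | Format-Table -AutoSize

# Against a live server, from an elevated prompt (assumes appcmd prints the
# section as well-formed XML, which "list config" does):
#   $appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
#   $live   = [xml] ((& $appcmd list config /section:system.applicationHost/sites) -join "`n")
#   Get-SiteConnectionLimitFindings -SitesConfig $live
```

In the sample, Default Web Site passes while Intranet (explicit zero) and Portal (no limits element at all) are reported, which is the distinction the check draws between "greater than zero" and "nothing is listed".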

Responsibility

Web Administrator

Each readable web document directory must contain a default, home, index, or equivalent document.

Finding ID
WG170 IIS7
Rule ID
SV-32324r2_rule
Severity
Cat III
CCE
(None)
Group Title
WG170
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The goal is to control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor in accomplishing this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server’s directory structure by locating directories without default pages. This practice helps ensure the anonymous web user will not obtain directory browsing information or an error message revealing the server type and version.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click Default Document.
4. In the Action pane select Enable.
5. Click the Content View tab and ensure there is a document of that type in the directory.

Check Content

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click Default Document.
4. In the Actions Pane, verify the Default Document feature is enabled. If not, this is a finding.
5. Review the document types.
6. Click the Content View tab and ensure there is a document of that type in the directory. If not, this is a finding.

Responsibility

Web Administrator

Web server/site administration must be performed over a secure path.

Finding ID
WG230 IIS7
Rule ID
SV-32329r3_rule
Severity
Cat I
CCE
(None)
Group Title
WG230
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account information, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used. An alternative to remote administration of the web server is to perform web server administration locally at the console. Local administration at the console implies physical access to the server.

Fix Text

Ensure the web server administration is only performed over a secure path.

Check Content

If web administration is performed at the console, this check is NA. If web administration is performed remotely, the following checks apply:
If administration of the server is performed remotely, it will only be performed securely by system administrators.
If web site administration or web application administration has been delegated, those users will be documented and approved by the ISSO.
Remote administration must be in compliance with any requirements contained within the Windows Server STIGs, and any applicable network STIGs.
Remote administration of any kind will be restricted to documented and authorized personnel.
All users performing remote administration must be authenticated.
All remote sessions will be encrypted and will utilize FIPS 140-2 approved protocols. FIPS 140-2 approved TLS versions include TLS V1.0 or greater.
Review with site management how remote administration, if applicable, is configured on the web site. If remote management meets the criteria listed above, this is not a finding. If remote management is utilized and does not meet the criteria listed above, this is a finding.

Responsibility

System Administrator

Web-site logging must be enabled.

Finding ID
WG240 IIS7
Rule ID
SV-32636r2_rule
Severity
Cat II
CCE
(None)
Group Title
WG240
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The access and error logs are a major tool for exploring web site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and the web manager with valuable information.

Fix Text

1. Open the IIS Manager.
2. Click the site name.
3. Double-click Logging.
4. Click the Enable option from the Action Pane, then click Apply.

Check Content

1. Open the IIS Manager.
2. Click the site name.
3. Double-click Logging.
4. Ensure logging is enabled. If logging is not enabled, this is a finding.

Responsibility

System Administrator

Only web sites that have been fully reviewed and tested will exist on a production web server.

Finding ID
WG260
Rule ID
SV-2254r3_rule
Severity
Cat II
CCE
(None)
Group Title
WG260
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files that reveal business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security risk that is totally avoidable.

Fix Text

The presence of portions of the web site that proclaim Under Construction or Under Development is a clear indication that a production web server is being used for development. The web administrator will ensure that all pages that are in development are not installed on a production web server.

Check Content

Query the ISSO, the SA, and the web administrator to find out if development web sites are being housed on production web servers. Proposed questions:
Do you have development sites on your production web server?
What is your process to get development web sites / content posted to the production server?
Do you use under construction notices on production web pages?
The reviewer can also do a manual check, or navigate the web site via a browser, to confirm the information provided from interviewing the web staff. Graphics or text which proclaim Under Construction or Under Development are frequently used to mark folders or directories in that status. If Under Construction or Under Development web content is discovered on the production web server, this is a finding.

Responsibility

Web Administrator

Access to the web content and script directories must be restricted.

Finding ID
WG290 IIS7
Rule ID
SV-32331r2_rule
Severity
Cat I
CCE
(None)
Group Title
WG290
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Excessive permission for the anonymous web user account is a common fault contributing to the compromise of a web server. If this account is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. In the Action Pane select Edit Permissions.
4. Select the Security tab.
5. Set the permissions for the accounts IUSR and Everyone to read.

Check Content

1. Open the IIS Manager.
2. Click the site name under review.
3. In the Action Pane select Edit Permissions.
4. Select the Security tab.
5. Review the permissions for the accounts. If the IUSR or Everyone Account permission is greater than read, this is a finding.
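The Security tab shows one directory at a time. The PowerShell audit below is an added example (not part of the STIG) that serves both WG410 (script folders: only Administrators, TrustedInstaller and SYSTEM at FULL, everyone else at READ) and WG290 (content directories: IUSR and Everyone no more than read). It walks a directory tree and reports every allow ACE that grants write-like rights to an identity outside the allowed-FULL list. That list and the sample paths are assumptions to adjust per site.

```powershell
# Added example, not part of the STIG: list NTFS ACEs on a script or web content
# directory that grant more than read access to identities other than the
# administrative ones. WG410 expects Administrators, TrustedInstaller and SYSTEM
# to hold FULL and the application pool identity, any custom service account and
# Users to hold READ; WG290 expects IUSR and Everyone to hold no more than read.
# The allowed-FULL list and the usage paths are assumptions to adjust per site.

# Specific rights this audit treats as exceeding "read". Write is a subset of
# Modify and FullControl, so those are caught as well.
$WriteLikeRights = [int] (
    [System.Security.AccessControl.FileSystemRights]::Write -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
# Inherit-only ACEs may carry Win32 generic rights instead; GENERIC_WRITE and
# GENERIC_ALL are the two that also exceed read.
$GenericWriteOrAll = 0x40000000 -bor 0x10000000

function Get-ExcessiveAceFindings {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Identities permitted to hold FULL; every other identity is limited to read.
        [string[]] $FullControlAllowed = @('BUILTIN\Administrators',
                                           'NT SERVICE\TrustedInstaller',
                                           'NT AUTHORITY\SYSTEM'),
        [switch] $Recurse
    )
    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    }
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($FullControlAllowed -contains $who) { continue }
            $bits = [int] $ace.FileSystemRights
            if ((($bits -band $WriteLikeRights) -ne 0) -or (($bits -band $GenericWriteOrAll) -ne 0)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage (site paths are placeholders):
#   WG410, a script folder and everything under it:
#   Get-ExcessiveAceFindings -Path 'D:\wwwroot\MySite\cgi-bin' -Recurse
#   WG290, the site content root:
#   Get-ExcessiveAceFindings -Path 'D:\wwwroot\MySite'
```

Deny ACEs are skipped because they can only tighten access. An empty result means no identity outside the allowed-FULL list can write, delete or re-permission anything in the tree, which is the condition both checks describe; any row returned names the path and identity to correct through Edit Permissions.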

Responsibility

System Administrator

A web site must not contain a robots.txt file.

Finding ID
WG310 IIS7
Rule ID
SV-32333r4_rule
Severity
Cat II
CCE
(None)
Group Title
WG310
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In turn, these search engines make the content they obtain and catalog available to any public web user. To request that a well-behaved search engine not crawl and catalog a site, the web site may contain a file called robots.txt. This file lists directories and files that the web server SA desires not be crawled or cataloged, but this file can also be used, by an attacker or a poorly coded search engine, as a directory and file index to a site. This information may be used to reduce an attacker’s time searching and traversing the web site to find files that might be relevant. If information on the web site needs to be protected from search engines and public view, other methods must be used.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Under the Actions pane, click Explore.
4. Delete the robots.txt file.
NOTE: If there is information on the web site that needs protection from search engines and public view, then other methods must be used to safeguard the data.

Check Content

1. Open the IIS Manager.
2. Click the site name under review.
3. Click the Content View tab.
4. If the robots.txt file does exist, this is a finding.

Responsibility

Web Administrator

A private web server must utilize an approved TLS version.

Finding ID
WG340 IIS7
Rule ID
SV-32334r5_rule
Severity
Cat II
CCE
(None)
Group Title
WG340
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double click the SSL Settings Icon.
4. Click the Require SSL and Require SSL 128-Bit check boxes.
Note: If the Require SSL 128-Bit setting is not visible, the setting can be set by clicking the site node and then opening the Configuration Editor. Switch to the section system.webServer/security/access using the dropdown at the top of the Configuration Editor. Click the value beside sslFlags and select ssl128 in the dropdown list.
5. Set the version of SSL/TLS by creating and setting the following registry keys to not allow anything lower than TLS. Ensure the following value exists in each of the keys: Enabled REG_DWORD 0
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
The keys for TLS 1.0 do not require the Enabled value to be present, but if it is, it needs to be set to REG_DWORD 1, to enable TLS.

Check Content

1. Open the IIS Manager.
2. Click the site name under review.
3. Double click the SSL Settings Icon.
4. Ensure Require SSL and Require SSL 128-Bit are checked.
Note: If the Require SSL 128-Bit setting is not visible, the setting can be viewed by clicking the site under review and then opening the Configuration Editor. Switch to the section system.webServer/security/access using the dropdown at the top of the Configuration Editor. The value for sslFlags should be ssl128. If not, this is a finding.
If the site requires SSL and 128-bit encryption, then the version of SSL/TLS also needs to be verified. The following registry keys need to exist and be set to not allow anything lower than TLS. This can be accomplished by ensuring the following value exists in each of the keys: Enabled REG_DWORD 0
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
If these keys are not set to a DWORD value of 0, this is a finding. If the keys do not contain the value "Enabled", this is also a finding.
The keys for TLS 1.0 do not require the "Enabled" value to be present, but if it is, it needs to be set to REG_DWORD 1, to enable TLS. If the "Enabled" value is present and set to 0, this is a finding.
TLS 1.1 and 1.2 are not supported in versions prior to IIS 7.5. If the version of IIS is prior to 7.5, the check for TLS 1.1 and 1.2 is NA.
TLS 1.1 and 1.2 are not enabled by default; therefore the following registry keys must exist and contain the following values to enable TLS 1.1 and 1.2: DisabledByDefault REG_DWORD 0 and Enabled REG_DWORD 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
If any of the registry keys for TLS 1.1 or TLS 1.2 are not present or are not set correctly, this is a finding.
NOTE: In some cases the web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the SSL certificate for the web sites may be installed on the content switch rather than on the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. Users must not have the ability to bypass the content switch to access the web sites.
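The registry portion of this check involves twelve keys with two different expected states, so it is easy to misread by hand. The PowerShell audit below is an added example (not part of the STIG) that encodes the three rules the check states: the PCT 1.0, SSL 2.0 and SSL 3.0 keys must exist with Enabled set to 0; TLS 1.0 may omit Enabled but must not set it to 0; and, on IIS 7.5 or later, the TLS 1.1 and TLS 1.2 keys must have DisabledByDefault 0 and Enabled 1. It only reads the registry.

```powershell
# Added example, not part of the STIG: audit the SCHANNEL protocol keys that the
# WG340 check lists. Expected state, taken from the check text:
#   PCT 1.0, SSL 2.0, SSL 3.0 (Client and Server): Enabled present and equal to 0
#   TLS 1.0 (Client and Server): Enabled may be absent; if present it must be 1
#   TLS 1.1, TLS 1.2 (IIS 7.5 or later): DisabledByDefault 0 and Enabled 1
# Read-only; it never writes to the registry.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-RegistryDword {
    param([string] $KeyPath, [string] $ValueName)
    # Returns $null when either the key or the value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int] $item.$ValueName
}

function Test-SchannelProtocol {
    param(
        [string] $Protocol,
        [string] $Side,                  # 'Client' or 'Server'
        [bool]   $MustBeDisabled,        # PCT 1.0, SSL 2.0, SSL 3.0
        [bool]   $RequireExplicitEnable  # TLS 1.1, TLS 1.2
    )
    $key      = Join-Path $SchannelRoot "$Protocol\$Side"
    $enabled  = Get-RegistryDword $key 'Enabled'
    $disabled = Get-RegistryDword $key 'DisabledByDefault'

    $finding = if ($MustBeDisabled) {
        # Key and Enabled value must both exist, and Enabled must be 0.
        ($null -eq $enabled) -or ($enabled -ne 0)
    } elseif ($RequireExplicitEnable) {
        # $null -ne 1 and $null -ne 0 are both true, so a missing value is a finding.
        ($enabled -ne 1) -or ($disabled -ne 0)
    } else {
        # TLS 1.0: only an explicit Enabled=0 is a finding.
        ($null -ne $enabled) -and ($enabled -eq 0)
    }
    [pscustomobject]@{
        Key               = $key
        Enabled           = $enabled
        DisabledByDefault = $disabled
        Finding           = $finding
    }
}

function Get-SchannelFindings {
    param([switch] $IncludeTls11And12)   # only meaningful on IIS 7.5 or later
    foreach ($side in 'Client', 'Server') {
        foreach ($p in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0') {
            Test-SchannelProtocol -Protocol $p -Side $side -MustBeDisabled $true -RequireExplicitEnable $false
        }
        Test-SchannelProtocol -Protocol 'TLS 1.0' -Side $side -MustBeDisabled $false -RequireExplicitEnable $false
        if ($IncludeTls11And12) {
            foreach ($p in 'TLS 1.1', 'TLS 1.2') {
                Test-SchannelProtocol -Protocol $p -Side $side -MustBeDisabled $false -RequireExplicitEnable $true
            }
        }
    }
}

# Run from an elevated prompt; drop the switch on IIS 7.0, where the
# TLS 1.1/1.2 part of the check is NA.
Get-SchannelFindings -IncludeTls11And12 | Format-Table -AutoSize
```

Each row shows the raw Enabled and DisabledByDefault values beside the verdict, so a reviewer can see why a key was flagged (missing key, missing value, or wrong value) rather than only that it was. SCHANNEL reads these keys at service start, so a remediation made with regedit or Set-ItemProperty takes effect only after a reboot.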

Responsibility

Web Administrator

A private web server must have a valid server certificate.

Finding ID
WG350 IIS7
Rule ID
SV-32531r2_rule
Severity
Cat II
CCE
(None)
Group Title
WG350
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.

Fix Text

1. Open the IIS Manager.
2. Click on the Server name.
3. Double-Click the Server Certificate icon.
4. Import a valid DoD certificate and remove any non-DoD certificates.

Check Content

1. Open the IIS Manager.
2. Click on the Server name.
3. Double-Click the Server Certificate icon.
4. Double-Click each certificate and verify the certificate path is to a DoD root CA. If not, this is a finding.

Responsibility

Web Administrator

Unapproved script mappings in IIS 7 must be removed.

Finding ID
WA000-WI050 IIS7
Rule ID
SV-32335r4_rule
Severity
Cat I
CCE
(None)
Group Title
WA000-WI050
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

IIS 7 will either allow or deny script execution based on file extension. The ability to control script execution is controlled through two features with IIS 7, Request Filtering and Handler Mappings. For Handler Mappings, the ISSO must document and approve all allowable file extensions the web site allows (white list) and denies (black list) by the web-site. The white list and black list will be compared to the Handler Mappings in IIS 7. Handler Mappings at the site level take precedence over Handler Mappings at the server level.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click on Handler Mappings.
4. Remove any file extensions which are listed on the black list and for which a Handler Mapping has been configured.

Check Content

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click on Handler Mappings.
If any file extensions on the black list are configured with a Handler Mapping, this is a finding.

Responsibility

Web Administrator

Debug must be turned off on a production website.

Finding ID
WA000-WI6140 IIS7
Rule ID
SV-32662r2_rule
Severity
Cat III
CCE
(None)
Group Title
WA000-WI6140
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Setting compilation debug to false ensures detailed error information does not inadvertently display during live application usage, mitigating the risk of application information being displayed to users.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click .NET Compilation.
4. Scroll down to the Behavior section and set the value for Debug to False.

Check Content

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click .NET Compilation.
4. Scroll down to the Behavior section and ensure the value for Debug is set to False. If not, this is a finding.
NOTE: If the .NET feature is not installed, this check is not applicable.

Responsibility

Web Administrator

The production website must utilize SHA1 encryption for Machine Key.

Finding ID
WA000-WI6180 IIS7
Rule ID
SV-33314r4_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6180
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Machine Key element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, forms authentication, membership and roles, and anonymous identification. Ensuring a strong encryption method can mitigate the risk of data tampering in crucial functional areas such as forms authentication cookies or view state.

Fix Text

1. Open the "IIS Manager".
2. Click the site name under review.
3. Double-click the "Machine Key" in the website "Home Pane".
4. Set the "Validation method" to "SHA1".

Check Content

1. Open the "IIS Manager".
2. Click the site name under review.
3. Double-click the "Machine Key" in the website "Home Pane".
4. Ensure "SHA1" is selected for the "Validation method". If not, this is a finding.

Responsibility

Web Administrator

The production web-site must be configured to prevent detailed HTTP error pages from being sent to remote clients.

Finding ID
WA000-WI6165
Rule ID
SV-32682r2_rule
Severity
Cat III
CCE
(None)
Group Title
WA000-WI6165 IIS7
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote requesters exposes internal configuration information to potential attackers.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Error Pages icon.
4. Click each error message and click Edit Feature Setting from the Actions Pane; set each error message to “Detailed errors for local requests and custom error pages for remote requests”.

Check Content

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Error Pages icon.
4. Click each error message and click Edit Feature Setting from the Actions Pane. If any error message is not set to “Detailed errors for local requests and custom error pages for remote requests”, this is a finding.
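The three IIS Manager features above (.NET Compilation, Machine Key, Error Pages) each write one attribute into the site's web.config, so the checks for WA000-WI6140, WA000-WI6180 and WA000-WI6165 can be read from the file. The PowerShell audit below is an added example, not part of the STIG. The element and attribute names it looks for (system.web/compilation debug, system.web/machineKey validation, system.webServer/httpErrors errorMode) are the standard ones IIS Manager writes; the sample web.config is constructed. An attribute that is absent from the file is inherited from a parent level and is reported for follow-up rather than judged.

```powershell
# Added example, not part of the STIG: audit a site's web.config for the three
# settings behind WA000-WI6140 (compilation debug), WA000-WI6180 (machine key
# validation method) and WA000-WI6165 (error pages). The sample web.config is
# constructed. An absent attribute is inherited from a parent configuration
# level and must be verified there (or in IIS Manager, which shows the
# effective value).

function Get-AttributeValue {
    param([xml] $Doc, [string] $XPath, [string] $Attribute)
    $node = $Doc.SelectSingleNode($XPath)
    if ($null -eq $node -or -not $node.HasAttribute($Attribute)) { return $null }
    return $node.GetAttribute($Attribute)
}

function Get-WebConfigFindings {
    param([Parameter(Mandatory)] [xml] $WebConfig)

    $debug      = Get-AttributeValue $WebConfig '/configuration/system.web/compilation' 'debug'
    $validation = Get-AttributeValue $WebConfig '/configuration/system.web/machineKey' 'validation'
    $errorMode  = Get-AttributeValue $WebConfig '/configuration/system.webServer/httpErrors' 'errorMode'

    $validationShown = if ($null -eq $validation) { 'inherited (verify)' } else { $validation }
    $errorModeShown  = if ($null -eq $errorMode)  { 'inherited (verify)' } else { $errorMode }

    # Debug defaults to false when absent, so only an explicit "true" is a finding.
    [pscustomobject]@{ Rule = 'WA000-WI6140'; Setting = 'compilation/@debug'
                       Value = $debug; Finding = ($debug -eq 'true') }
    # The STIG requires SHA1; any other explicitly set method is a finding.
    [pscustomobject]@{ Rule = 'WA000-WI6180'; Setting = 'machineKey/@validation'
                       Value = $validationShown
                       Finding = ($null -ne $validation) -and ($validation -ne 'SHA1') }
    # "Detailed errors for local requests and custom error pages for remote
    # requests" is errorMode="DetailedLocalOnly"; "Detailed" sends full error
    # detail to remote clients.
    [pscustomobject]@{ Rule = 'WA000-WI6165'; Setting = 'httpErrors/@errorMode'
                       Value = $errorModeShown; Finding = ($errorMode -eq 'Detailed') }
}

# Constructed sample: one compliant setting and two findings.
$sample = [xml] @'
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <machineKey validation="SHA1" decryption="AES" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Detailed" />
  </system.webServer>
</configuration>
'@
Get-WebConfigFindings -WebConfig $sample | Format-Table -AutoSize

# Against a real site (path is a placeholder):
#   Get-WebConfigFindings -WebConfig ([xml] (Get-Content 'D:\wwwroot\MySite\web.config'))
```

String comparison with -eq is case-insensitive in PowerShell, so "True" and "true" are treated alike. For the machine key, an inherited value is common (many sites never set one), so the "inherited (verify)" rows are the ones to confirm in IIS Manager.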

Responsibility

Web Administrator

The web-site must limit the number of bytes accepted in a request.

Finding ID
WA000-WI6210
Rule ID
SV-32692r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6210
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Setting limits on web requests helps ensure availability of web services and mitigates the risk of buffer overflow type attacks. The maxAllowedContentLength Request Filter limits the number of bytes the server will accept in a request.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
5. Set the maxAllowedContentLength value to 30000000.

Check Content

For each site reviewed:
1. Open the IIS Manager.
2. Click on the site name.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
If the maxAllowedContentLength value is not set to 30000000, this is a finding.
NOTE: If the site has operational reasons to set maxAllowedContentLength to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Responsibility

Web Administrator

The production web-site must limit the MaxURL.

Finding ID
WA000-WI6220
Rule ID
SV-32693r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6220
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Request filtering replaces URLScan in IIS, enabling administrators to create a more granular rule set with which to allow or reject inbound web content. Setting limits on web requests helps ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The MaxURL Request Filter limits the number of bytes the server will accept in a URL.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
5. Set the maxURL value to 4096.

Check Content

For each site reviewed:
1. Open the IIS Manager.
2. Click on the site name.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
If the maxURL value is not set to 4096, this is a finding.
NOTE: If the site has operational reasons to set maxURL to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Responsibility

Web Administrator

The production web-site must configure the Maximum Query String limit.

Finding ID
WA000-WI6230
Rule ID
SV-32694r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6230
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Setting limits on web requests helps ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The Maximum Query String Request Filter sets the upper limit on allowable query string lengths. When a request exceeds the configured value, IIS will generate a Status Code 404.15.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
5. Set the Maximum Query String value to 2048.

Check Content

For each site reviewed:
1. Open the IIS Manager.
2. Click on the site name.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
If the Maximum Query String value is not set to 2048, this is a finding.
NOTE: If the site has operational reasons to set Maximum Query String to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Responsibility

Web Administrator

The web-site must not allow non-ASCII characters in URLs.

Finding ID
WA000-WI6240
Rule ID
SV-32695r4_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6240
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Setting limits on web requests helps ensure availability of web services and mitigates the risk of buffer overflow type attacks. Clearing the allow high-bit characters Request Filter option causes IIS to reject requests containing non-ASCII characters.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
5. Uncheck the allow high-bit characters checkbox.

Check Content

For each site reviewed:
1. Open the IIS Manager.
2. Click on the site name.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
If the allow high-bit characters checkbox is checked, this is a finding.
NOTE: If the site has operational reasons to leave allow high-bit characters checked, this vulnerability can be documented locally by the ISSM/ISSO.

Responsibility

Web Administrator

The web-site must not allow double encoded URL requests.

Finding ID
WA000-WI6250
Rule ID
SV-32696r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6250
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Request filtering enables administrators to create a more granular rule set with which to allow or reject inbound web content. Setting limits on web requests helps ensure availability of web services and mitigates the risk of buffer overflow type attacks. When the allow double escaping option is disabled, it prevents attacks that rely on double-encoded requests.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
5. Uncheck the allow double escaping checkbox.

Check Content

For each site reviewed:
1. Open the IIS Manager.
2. Click on the site name.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
If the allow double escaping checkbox is checked, this is a finding.

Responsibility

Web Administrator

The production web-site must filter unlisted file extensions in URL requests.

Finding ID
WA000-WI6260
Rule ID
SV-32697r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6260
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Request filtering enables administrators to create a more granular rule set to allow or reject inbound web content. Setting limits on web requests helps ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. Clearing the allow unlisted property of the File Extensions Request Filter causes IIS to reject requests for file extensions not defined in the File Extensions filter. Tripping this filter will cause IIS to generate a Status Code 404.7.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
5. Uncheck the allow unlisted file extensions checkbox.

Check Content

For each site reviewed:
1. Open the IIS Manager.
2. Click on the site name.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
If the allow unlisted file extensions checkbox is checked, this is a finding.
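The six Request Filtering checks above (WA000-WI6210 through WA000-WI6260) all live in one web.config section, system.webServer/security/requestFiltering, so they can be audited together. The PowerShell function below is an added example, not part of the STIG. The attribute names are the standard IIS ones behind the Edit Feature Settings dialog; the IIS defaults used when an attribute is absent, the sample web.config, and the appcmd remediation lines are mine, and the site name in them is a placeholder.

```powershell
# Added example, not part of the STIG: audit the Request Filtering settings
# behind WA000-WI6210 (maxAllowedContentLength), WA000-WI6220 (maxUrl),
# WA000-WI6230 (maxQueryString), WA000-WI6240 (allowHighBitCharacters),
# WA000-WI6250 (allowDoubleEscaping) and WA000-WI6260 (fileExtensions
# allowUnlisted) from a site's web.config. When an attribute is absent the IIS
# default applies, so the comparison uses that default. The sample is constructed.

$RequestFilteringXPath = '/configuration/system.webServer/security/requestFiltering'

function Get-AttributeOrDefault {
    param([xml] $Doc, [string] $XPath, [string] $Attribute, [string] $Default)
    $node = $Doc.SelectSingleNode($XPath)
    if ($null -ne $node -and $node.HasAttribute($Attribute)) { return $node.GetAttribute($Attribute) }
    return $Default
}

function Get-RequestFilteringFindings {
    param([Parameter(Mandatory)] [xml] $WebConfig)

    # Rule, attribute location, IIS default when absent, value the STIG expects.
    $checks = @(
        @{ Rule='WA000-WI6210'; XPath="$RequestFilteringXPath/requestLimits";  Attr='maxAllowedContentLength'; Default='30000000'; Expected='30000000' },
        @{ Rule='WA000-WI6220'; XPath="$RequestFilteringXPath/requestLimits";  Attr='maxUrl';                  Default='4096';     Expected='4096' },
        @{ Rule='WA000-WI6230'; XPath="$RequestFilteringXPath/requestLimits";  Attr='maxQueryString';          Default='2048';     Expected='2048' },
        @{ Rule='WA000-WI6240'; XPath=$RequestFilteringXPath;                   Attr='allowHighBitCharacters';  Default='true';     Expected='false' },
        @{ Rule='WA000-WI6250'; XPath=$RequestFilteringXPath;                   Attr='allowDoubleEscaping';     Default='false';    Expected='false' },
        @{ Rule='WA000-WI6260'; XPath="$RequestFilteringXPath/fileExtensions"; Attr='allowUnlisted';           Default='true';     Expected='false' }
    )
    foreach ($c in $checks) {
        $actual = Get-AttributeOrDefault $WebConfig $c.XPath $c.Attr $c.Default
        [pscustomobject]@{
            Rule     = $c.Rule
            Setting  = $c.Attr
            Actual   = $actual
            Expected = $c.Expected
            Finding  = ($actual -ne $c.Expected)   # -ne on strings is case-insensitive
        }
    }
}

# Constructed sample: the limits are mostly right, but high-bit characters and
# unlisted extensions are still allowed and the query string limit is doubled.
$sample = [xml] @'
<configuration>
  <system.webServer>
    <security>
      <requestFiltering allowHighBitCharacters="true" allowDoubleEscaping="false">
        <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="4096" />
        <fileExtensions allowUnlisted="true" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
'@
Get-RequestFilteringFindings -WebConfig $sample | Format-Table -AutoSize

# Remediation with appcmd from an elevated prompt (SITENAME is a placeholder):
#   appcmd set config "SITENAME" /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:2048
#   appcmd set config "SITENAME" /section:system.webServer/security/requestFiltering /allowHighBitCharacters:false
#   appcmd set config "SITENAME" /section:system.webServer/security/requestFiltering /fileExtensions.allowUnlisted:false
```

A row marked Finding for one of the three numeric limits is not automatically a failed check: the STIG notes that an alternate value with ISSO-signed documentation is acceptable, so those rows are the ones to reconcile against that documentation. Because absent attributes fall back to the IIS default, an empty requestFiltering section is reported as failing WI6240 and WI6260, which matches what the Edit Feature Settings dialog shows on a fresh site.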

Responsibility

Web Administrator

The web document (home) directory must be in a separate partition from the web server’s system files.

Finding ID
WG205 IIS7
Rule ID
SV-32378r3_rule
Severity
Cat II
CCE
(None)
Group Title
WG205
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The web document (home) directory is accessed by multiple anonymous users when the web server is in production. Locating the web document (home) directory on the same partition as the web server's system files increases the risk of unauthorized access to those protected files, for example through a path traversal flaw in a hosted application. Having the web document (home) directory on the same drive as the system folders also increases the potential for a disk space exhaustion attack, because uploads or log growth under the web root can fill the volume the operating system depends on.

Fix Text

1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings from the Actions Pane. 4. Change the Physical Path to the new partition and directory location.

Check Content

1. Open the IIS Manager. 2. Click the site name under review. 3. Click the Advanced Settings from the "Actions" Pane. 4. Review the Physical Path. If the Path is on the same partition as the OS, this is a finding. Note: If the ISSO has accepted the risk of not configuring this setting due to hosted application operability issues or failures, this is not a finding.
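
The check above compares the site's physical path with the system drive; the following added example (not STIG text, not Microsoft's code) performs that comparison for every site and shows a remediation that moves the content and repoints the site. It assumes the WebAdministration module, an elevated session, and that robocopy is present (it ships with Windows Server 2008); the function names, the `D:\inetpub\wwwroot` target and the `-NewPath` parameter are illustrative.

```powershell
# Added example, not STIG text. Requires the WebAdministration module and an
# elevated session; PowerShell 2.0 compatible syntax.
Import-Module WebAdministration

function Test-WebRootPartition {
    param([Parameter(Mandatory = $true)][string]$SiteName)

    $site = Get-Website -Name $SiteName
    if ($site -eq $null) { throw "Site '$SiteName' not found" }

    # physicalPath is commonly stored as %SystemDrive%\inetpub\wwwroot, so
    # expand environment variables before looking at the drive.
    $root     = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $webDrive = [System.IO.Path]::GetPathRoot($root)             # e.g. D:\ or \\server\share
    $osDrive  = [System.IO.Path]::GetPathRoot($env:SystemRoot)   # e.g. C:\

    # Limitation: a volume mounted as a folder beneath the system drive shares
    # its drive letter and is reported as a finding here although it is a
    # separate partition; confirm such cases in Disk Management.
    New-Object PSObject -Property @{
        Site         = $SiteName
        PhysicalPath = $root
        WebDrive     = $webDrive
        SystemDrive  = $osDrive
        Finding      = ($webDrive -ieq $osDrive)
    }
}

function Move-WebRoot {
    param(
        [Parameter(Mandatory = $true)][string]$SiteName,
        [Parameter(Mandatory = $true)][string]$NewPath   # e.g. D:\inetpub\wwwroot (illustrative)
    )
    $old = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $SiteName).physicalPath)
    if (-not (Test-Path $NewPath)) { New-Item -ItemType Directory -Path $NewPath | Out-Null }

    # Copy the content together with its NTFS ACLs (/COPYALL) so IIS_IUSRS and
    # the application pool identity keep the read access they had before.
    robocopy $old $NewPath /E /COPYALL /R:1 /W:1 | Out-Null

    # Repoint the site's root virtual directory, then re-run the check.
    Set-ItemProperty -Path "IIS:\Sites\$SiteName" -Name physicalPath -Value $NewPath
    Test-WebRootPartition -SiteName $SiteName
}

Get-Website | ForEach-Object { Test-WebRootPartition -SiteName $_.Name } |
    Format-Table Site, PhysicalPath, WebDrive, SystemDrive, Finding -AutoSize
```

The move only covers the site root; applications and virtual directories under the site have their own physical paths and need the same treatment, and application code that hard-codes the old path must be updated.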

Responsibility

System Administrator

Indexing Services must only index web content.

Finding ID
WA000-WI070 IIS7
Rule ID
SV-32379r2_rule
Severity
Cat III
CCE
(None)
Group Title
WA000-WI070
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Indexing Service can be used to provide a search function for web-sites. If it indexes directories outside the web content, search queries can return file names and contents from those locations, disclosing information to a malicious user and giving a directory traversal exploit more to work with. Indexing must be limited to web document directories only.

Fix Text

1. Run MMC. 2. Add the Indexing Service snap-in. 3. Edit the indexed directories to only include web document directories.

Check Content

1. Start regedit. 2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs\. 3. If this key exists, indexing is enabled; if the key does not exist, this check is N/A. 4. Review the catalog keys to determine whether directories other than web document directories are being indexed. If so, this is a finding.
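
The registry walk in the check can be scripted so that every catalog and every path it references is listed against the known web roots. The following is an added example, not STIG text and not Microsoft's code. The exact layout of the values beneath each catalog key is not documented here, so the script treats any value name or value data that looks like a local path as a potential scope (an assumption to confirm in the Indexing Service MMC snap-in); the `Get-IndexingScopeFindings` name and the `D:\inetpub\wwwroot` root are illustrative.

```powershell
# Added example, not STIG text. Enumerates Indexing Service catalogs from the
# registry and flags any path-like entry that is not under a known web root.
# Assumption: scope directories appear as value names or string data under the
# catalog key or its subkeys; the catalog's own storage location value may
# also show up and can be ignored after manual confirmation.

function Get-IndexingScopeFindings {
    param(
        # Directories that are legitimately indexed (constructed default).
        [string[]]$AllowedRoots = @('C:\inetpub\wwwroot')
    )
    $catalogsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs'
    if (-not (Test-Path $catalogsKey)) {
        Write-Host 'Catalogs key absent: Indexing Service is not enabled, check is N/A'
        return
    }

    $allowed = $AllowedRoots | ForEach-Object { $_.TrimEnd('\') + '\' }
    $pathRx  = '^[A-Za-z]:\\'

    foreach ($catalog in @(Get-ChildItem $catalogsKey)) {
        # Inspect the catalog key itself and every subkey beneath it.
        $keys = @($catalog) + @(Get-ChildItem $catalog.PSPath -Recurse)
        foreach ($key in $keys) {
            $props = Get-ItemProperty $key.PSPath
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }       # provider metadata, not data
                # A scope may be recorded in the value name or in the value
                # data, so look at both.
                foreach ($candidate in @($p.Name, [string]$p.Value)) {
                    if ($candidate -notmatch $pathRx) { continue }
                    $path = $candidate.TrimEnd(',').TrimEnd('\') + '\'
                    $ok = $false
                    foreach ($a in $allowed) {
                        if ($path.StartsWith($a, [StringComparison]::OrdinalIgnoreCase)) { $ok = $true }
                    }
                    New-Object PSObject -Property @{
                        Catalog = $catalog.PSChildName
                        Key     = $key.Name
                        Path    = $path
                        Finding = (-not $ok)
                    }
                }
            }
        }
    }
}

Get-IndexingScopeFindings -AllowedRoots 'D:\inetpub\wwwroot' |
    Format-Table Catalog, Path, Finding -AutoSize
```

Run it on the web server itself, as the key is local. Anything reported as a finding is then removed from the catalog with the MMC snap-in as the Fix Text describes; editing the registry by hand is not the supported way to change scopes.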

Responsibility

System Administrator

The required DoD banner page must be displayed to authenticated users accessing a DoD private website.

Finding ID
WG265 IIS7
Rule ID
SV-32642r3_rule
Severity
Cat III
CCE
(None)
Group Title
WG265
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html) or navigation to the website via a browser can be used to confirm the information provided from interviewing the web staff.

Fix Text

Configure a DoD private website to display the required DoD banner page when authentication is required for user access.

Check Content

The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. If a banner is required, the following banner page must be in place:

“You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.”

OR, if your system cannot meet the character limits to store this amount of text in the banner, the following is another option for the warning banner: "I've read & consent to terms in IS user agreem't."

NOTE: While DoDI 8500.01 does not contain a copy of the banner to be used, it does point to the RMF Knowledge Service for a copy of the required text. The banner is to be displayed only once when the individual enters the site and not for each page. If the access-controlled website does not display this banner page before entry, this is a finding.

Responsibility

Web Administrator

A private web-site's authentication mechanism must use client certificates.

Finding ID
WG140 IIS7
Rule ID
SV-32380r4_rule
Severity
Cat II
CCE
(None)
Group Title
WG140
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A DoD private web-site must use PKI as the authentication mechanism for web users. Information systems residing behind web servers that require authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions. A site that does not require client certificates falls back to weaker mechanisms (passwords, or no authentication at all), which makes unauthorized access to the private web-site easier for an attacker.

Fix Text

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the "SSL Settings" icon. 4. Under "Client certificates", select "Require" and click "Apply".

Check Content

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the "SSL Settings" icon. 4. Ensure "Client certificates" is set to "Require". If not, this is a finding. NOTE: If the site has operational reasons not to require client certificates, this vulnerability can be documented locally by the ISSM/ISSO.
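
The "Client certificates: Require" setting in SSL Settings is stored as the sslFlags attribute of the site's system.webServer/security/access section, which the following added example (not STIG text, not Microsoft's code) reads for every site and, on request, sets. It assumes the WebAdministration module and an elevated session; the `Test-ClientCertRequired` and `Set-ClientCertRequired` names are illustrative.

```powershell
# Added example, not STIG text. Requires the WebAdministration module and an
# elevated session; PowerShell 2.0 compatible syntax.
Import-Module WebAdministration

function Test-ClientCertRequired {
    param([Parameter(Mandatory = $true)][string]$SiteName)

    # The SSL Settings page writes system.webServer/security/access/@sslFlags.
    # The attribute is a flag set that the provider surfaces as a
    # comma-separated string such as "Ssl, SslRequireCert" (or "None").
    $access = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" `
                                   -Filter 'system.webServer/security/access'
    $flags  = ([string]$access.sslFlags) -split ',' | ForEach-Object { $_.Trim() }

    # Requiring a certificate is meaningless without an https binding to
    # present it on, so report that alongside the flags.
    $hasHttps = @(Get-WebBinding -Name $SiteName -Protocol https).Count -gt 0

    New-Object PSObject -Property @{
        Site              = $SiteName
        SslFlags          = ($flags -join ',')
        HasHttpsBinding   = $hasHttps
        RequireSsl        = ($flags -contains 'Ssl')
        RequireClientCert = ($flags -contains 'SslRequireCert')
        Finding           = (-not ($flags -contains 'SslRequireCert'))
    }
}

function Set-ClientCertRequired {
    param([Parameter(Mandatory = $true)][string]$SiteName)
    # The access section is locked at server level (overrideModeDefault="Deny"),
    # so the site-scoped value has to be written as a <location path="site">
    # entry in applicationHost.config rather than into the site's web.config.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'
    Test-ClientCertRequired -SiteName $SiteName
}

Get-Website | ForEach-Object { Test-ClientCertRequired -SiteName $_.Name } |
    Format-Table Site, SslFlags, HasHttpsBinding, RequireClientCert, Finding -AutoSize
```

Once Require is set, a browser that presents no certificate receives 403.7 (Client Certificate Required) and one whose certificate does not chain to a CA trusted by the server receives 403.16. Requiring the certificate only proves possession of a key at the TLS layer; mapping the certificate to a user identity (IIS client certificate mapping, or the application's own logic) is a separate configuration step that this check does not cover.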

Responsibility

Web Administrator

All web-sites must be assigned a default Host header.

Finding ID
WG520 IIS7
Rule ID
SV-32644r4_rule
Severity
Cat III
CCE
(None)
Group Title
WG520
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

To reduce the possibility of DNS rebinding attacks and IP-based scans, all web-sites serving HTTP/HTTPS on ports 80/443 will be assigned default Host headers. A binding that carries a host header answers only requests whose Host header matches it, so a request addressed to the bare IP address, as produced by a network scanner or by a rebinding attack, is not served by that site; if no site on that IP and port has a catch-all binding, HTTP.sys rejects the request with 400 (Invalid Hostname).

Fix Text

1. Open the IIS Manager. 2. In the “Connections” pane, expand the “Sites” node in the tree. Select the site name under review. 3. In the “Actions” pane, select “Bindings”. 4. In the “Site Bindings” dialog box, select the binding to add a host header and then click “Edit” or “Add”. 5. In the “Host” name box, type a host header for the site for both port 80 for HTTP and port 443 for HTTPS. 6. Click “OK”.

Check Content

1. Open the IIS Manager. 2. In the “Connections” pane, expand the “Sites” node in the tree. Select the site name under review. 3. In the “Actions” pane, select “Bindings”. 4. Each site should have a hostname entry (at a minimum) and specific IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. If not, this is a finding.
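
The binding review above can be done for all sites at once by parsing each binding's bindingInformation string, which IIS stores as ip:port:hostheader. The following is an added example, not STIG text and not Microsoft's code; it assumes the WebAdministration module, an elevated session, and that a certificate is already bound to the IP on port 443 before an https binding is added. The function names and the sample IP and host name passed to `Set-SiteHostHeader` are illustrative.

```powershell
# Added example, not STIG text. Requires the WebAdministration module and an
# elevated session; PowerShell 2.0 compatible syntax.
Import-Module WebAdministration

function Test-SiteHostHeaders {
    param([Parameter(Mandatory = $true)][string]$SiteName)

    foreach ($b in @(Get-WebBinding -Name $SiteName)) {
        # bindingInformation is "ip:port:hostheader". The ip part may be "*"
        # (all unassigned) or a bracketed IPv6 address containing colons, so
        # anchor the split on the port rather than on the first colon.
        if ($b.bindingInformation -notmatch '^(.+):(\d+):(.*)$') { continue }
        $ip = $matches[1]; $port = [int]$matches[2]; $hostHeader = $matches[3]

        $inScope = (@('http', 'https') -contains $b.protocol) -and (@(80, 443) -contains $port)
        # Finding: the binding listens on every address or has no host header.
        $finding = $inScope -and (($ip -eq '*') -or ($hostHeader -eq ''))

        New-Object PSObject -Property @{
            Site       = $SiteName
            Protocol   = $b.protocol
            IPAddress  = $ip
            Port       = $port
            HostHeader = $hostHeader
            Finding    = $finding
        }
    }
}

function Set-SiteHostHeader {
    param(
        [Parameter(Mandatory = $true)][string]$SiteName,
        [Parameter(Mandatory = $true)][string]$IPAddress,    # e.g. 10.0.0.5 (constructed)
        [Parameter(Mandatory = $true)][string]$HostHeader    # e.g. www.example.mil (constructed)
    )
    # Drop catch-all bindings on 80/443 and replace them with explicit
    # ip:port:host ones. The https binding needs the certificate already
    # bound at IIS:\SslBindings\<ip>!443.
    foreach ($b in @(Get-WebBinding -Name $SiteName)) {
        if ($b.bindingInformation -match '^\*:(80|443):$') {
            Remove-WebBinding -Name $SiteName -BindingInformation $b.bindingInformation
        }
    }
    New-WebBinding -Name $SiteName -Protocol http  -IPAddress $IPAddress -Port 80  -HostHeader $HostHeader
    New-WebBinding -Name $SiteName -Protocol https -IPAddress $IPAddress -Port 443 -HostHeader $HostHeader
    Test-SiteHostHeaders -SiteName $SiteName
}

Get-Website | ForEach-Object { Test-SiteHostHeaders -SiteName $_.Name } |
    Format-Table Site, Protocol, IPAddress, Port, HostHeader, Finding -AutoSize
```

Two caveats for IIS 7.x specifically: the IIS Manager dialog disables the Host name box for https bindings (SNI only arrived in IIS 8), so the https host header has to be set from configuration as above; and once the catch-all binding is gone, clients that address the server by IP or by an unlisted name no longer reach the site, which is the intended effect but should be confirmed with the application owner and with any load balancer health checks that probe by IP.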

Responsibility

System Administrator

Directory Browsing must be disabled.

Finding ID
WA000-WI090 IIS7
Rule ID
SV-32466r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI090
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Directory Browsing feature returns a listing of the files in any directory that has no default document. That listing reveals file names and the structure of the web root, which an attacker can use to locate sensitive files and to plan a directory traversal exploit. Directory browsing must be disabled.

Fix Text

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the "Directory Browsing" icon. 4. Click "Disable" in the Actions Pane to disable Directory Browsing.

Check Content

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the "Directory Browsing" icon. 4. In the Actions Pane, ensure Directory Browsing is disabled. If not, this is a finding.
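
Directory browsing is a delegated setting, so a web.config inside an application below the site can turn it back on even when the site-level view in IIS Manager shows it disabled. The following added example (not STIG text, not Microsoft's code) checks the site root and every application under it, and remediates with `-Fix`. It assumes the WebAdministration module and an elevated session; the `Test-DirectoryBrowsing` name is illustrative.

```powershell
# Added example, not STIG text. Requires the WebAdministration module and an
# elevated session; PowerShell 2.0 compatible syntax.
Import-Module WebAdministration

function Test-DirectoryBrowsing {
    param(
        [Parameter(Mandatory = $true)][string]$SiteName,
        [switch]$Fix
    )
    $filter = 'system.webServer/directoryBrowse'

    # directoryBrowse has overrideModeDefault="Allow", so each application's
    # web.config may override the site. Build the list of paths to inspect:
    # the site root plus every application beneath it.
    $paths = @("IIS:\Sites\$SiteName")
    foreach ($app in @(Get-WebApplication -Site $SiteName)) {
        $paths += "IIS:\Sites\$SiteName\" + $app.path.TrimStart('/').Replace('/', '\')
    }

    foreach ($p in $paths) {
        $wasEnabled = [bool](Get-WebConfiguration -PSPath $p -Filter $filter).enabled
        $fixed = $false
        if ($wasEnabled -and $Fix) {
            Set-WebConfigurationProperty -PSPath $p -Filter $filter -Name enabled -Value $false
            $fixed = $true
        }
        New-Object PSObject -Property @{
            Path    = $p
            Enabled = $wasEnabled
            Fixed   = $fixed
            Finding = ($wasEnabled -and -not $fixed)
        }
    }
}

Get-Website | ForEach-Object { Test-DirectoryBrowsing -SiteName $_.Name } |
    Format-Table Path, Enabled, Fixed, Finding -AutoSize
```

With directory browsing off, a request for a folder that has no default document is answered with 403.14 (Directory listing denied) rather than a listing; if the application relied on listings anywhere, that is where it will surface.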

Responsibility

Web Administrator