IIS 8.5 Server STIG (version 1, rel. 10)

This policy compares the configuration of an IIS 8.5 server to the criteria defined in the Microsoft IIS 8.5 Server STIG and reports the result for each rule, for this server, and for the policy as a whole. The following rules are not included in this policy:

  • V-76679 - The IIS 8.5 web server remote authors or content providers must only use secure encrypted logons and connections to upload web server content.
  • V-76685 - An IIS 8.5 web server behind a load balancer or proxy server, must produce log records containing the source client IP and destination information.
  • V-76695 - The log information from the IIS 8.5 web server must be protected from unauthorized modification or deletion.
  • V-76697 - The log data and records from the IIS 8.5 web server must be backed up onto a different system or media.
  • V-76699 - The IIS 8.5 web server must not perform user management for hosted applications.
  • V-76701 - The IIS 8.5 web server must only contain functions necessary for operation.
  • V-76705 - All IIS 8.5 web server sample code, example applications, and tutorials must be removed from a production IIS 8.5 server.
  • V-76707 - The accounts created by uninstalled features (i.e., tools, utilities, specific, etc.) must be deleted from the IIS 8.5 server.
  • V-76709 - The IIS 8.5 web server must be reviewed on a regular basis to remove any Operating System features, utility programs, plug-ins, and modules not necessary for operation.
  • V-76715 - The IIS 8.5 web server must perform RFC 5280-compliant certification path validation.
  • V-76717 - Java software installed on a production IIS 8.5 web server must be limited to .class files and the Java Virtual Machine.
  • V-76719 - IIS 8.5 Web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.
  • V-76721 - The IIS 8.5 web server must separate the hosted applications from hosted web server management functionality.
  • V-76729 - The IIS 8.5 web server must augment re-creation to a stable and known baseline.
  • V-76735 - The IIS 8.5 web server Indexing must only index web content.
  • V-76739 - Remote access to the IIS 8.5 web server must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.
  • V-76741 - The IIS 8.5 web server must restrict inbound connections from nonsecure zones.
  • V-76743 - The IIS 8.5 web server must provide the capability to immediately disconnect or disable remote access to the hosted applications.
  • V-76747 - The IIS 8.5 web server must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 8.5 web server.
  • V-76749 - Access to web administration tools must be restricted to the web manager and the web manager's designees.
  • V-76751 - The IIS 8.5 web server must not be running on a system providing any other role.
  • V-76755 - The IIS 8.5 web server must be tuned to handle the operational requirements of the hosted application.
  • V-76761 - A web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
  • V-76765 - All accounts installed with the IIS 8.5 web server software and tools must have passwords assigned and default passwords changed.
  • V-76767 - The File System Object component must be disabled on the IIS 8.5 web server.
  • V-95633 - The IIS 8.5 MaxConnections setting must be configured to limit the number of allowed simultaneous session requests.

Product Disclaimer: Please note, this policy is based on the Microsoft IIS 8.5 Server STIG – Ver 1, Rel 10 XCCDF (see the latest definition at https://nvd.nist.gov/ncp/checklist/774), which was published as a tool to improve the security of information systems. Your organization should internally review and assess to what extent, if any, such policy should be incorporated into your environment and how you can best ensure compliance with your internal policies. All policies contain a subset of rules deemed automatable by SolarWinds. SolarWinds makes no warranty, express or implied, or assumes any legal liability or responsibility for the policies contained herein, including the accuracy, completeness, or usefulness of any information.