
Microsoft IIS 10.0 Site Security Technical Implementation Guide

Version: V2R15
Benchmark ID: IIS_10-0_Site_STIG
Total Checks: 44
Tags: web
Severity breakdown: CAT I: 2, CAT II: 42, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (44)

Vuln ID    Severity  Rule Title
V-218736   MEDIUM    The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode.
V-218737   MEDIUM    A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections.
V-218738   MEDIUM    A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required.
V-218739   MEDIUM    Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.
V-218740   MEDIUM    An IIS 10.0 website behind a load balancer or proxy server must produce log records containing the source client IP, and destination information.
V-218741   MEDIUM    The IIS 10.0 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 10.0 website events.
V-218742   MEDIUM    The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-218743   MEDIUM    The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-218744   MEDIUM    Mappings to unused and vulnerable scripts on the IIS 10.0 website must be removed.
V-218745   MEDIUM    The IIS 10.0 website must have resource mappings set to disable the serving of certain file types.
V-218748   MEDIUM    Each IIS 10.0 website must be assigned a default host header.
V-218749   MEDIUM    A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.
V-218750   HIGH      Anonymous IIS 10.0 website access accounts must be restricted.
V-218751   MEDIUM    The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced.
V-218752   MEDIUM    The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files.
V-218753   MEDIUM    The IIS 10.0 website must be configured to limit the maxURL.
V-218754   MEDIUM    The IIS 10.0 website must be configured to limit the size of web requests.
V-218755   MEDIUM    The IIS 10.0 websites Maximum Query String limit must be configured.
V-218756   MEDIUM    Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website.
V-218757   MEDIUM    Double encoded URL requests must be prohibited by any IIS 10.0 website.
V-218758   MEDIUM    Unlisted file extensions in URL requests must be filtered by any IIS 10.0 website.
V-218759   MEDIUM    Directory Browsing on the IIS 10.0 website must be disabled.
V-218760   MEDIUM    Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 website, patches, loaded modules, and directory paths.
V-218761   MEDIUM    Debugging and trace information used to diagnose the IIS 10.0 website must be disabled.
V-218762   MEDIUM    The Idle Time-out monitor for each IIS 10.0 website must be enabled.
V-218763   MEDIUM    The IIS 10.0 websites connectionTimeout setting must be explicitly configured to disconnect an idle session.
V-218764   MEDIUM    The IIS 10.0 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.
V-218765   MEDIUM    The IIS 10.0 website must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 website.
V-218766   MEDIUM    The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines.
V-218767   MEDIUM    The IIS 10.0 website must only accept client certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs).
V-218768   HIGH      The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates.
V-218769   MEDIUM    IIS 10.0 website session IDs must be sent to the client using TLS.
V-218770   MEDIUM    Cookies exchanged between the IIS 10.0 website and the client must have cookie properties set to prohibit client-side scripts from reading the cookie data.
V-218771   MEDIUM    The IIS 10.0 website must have a unique application pool.
V-218772   MEDIUM    The maximum number of requests an application pool can process for each IIS 10.0 website must be explicitly set.
V-218775   MEDIUM    The application pool for each IIS 10.0 website must have a recycle time explicitly set.
V-218777   MEDIUM    The application pools rapid fail protection for each IIS 10.0 website must be enabled.
V-218778   MEDIUM    The application pools rapid fail protection settings for each IIS 10.0 website must be managed.
V-218779   MEDIUM    Interactive scripts on the IIS 10.0 web server must be located in unique and designated folders.
V-218780   MEDIUM    Interactive scripts on the IIS 10.0 web server must have restrictive access controls.
V-218781   MEDIUM    Backup interactive scripts on the IIS 10.0 server must be removed.
V-218782   MEDIUM    The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
V-278953   MEDIUM    HTTPAPI Server version must be removed from the HTTP Response Header information.
V-283673   MEDIUM    The log information from the IIS 10.0 website must be protected from unauthorized modification or deletion.