STIGQter: STIG Summary: Microsoft IIS 8.5 Server Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

The IIS 8.5 web server must be tuned to handle the operational requirements of the hosted application.

DISA Rule

SV-214434r539437_rule

Vulnerability Number

V-214434

Group Title

SRG-APP-000435-WSR-000148

Rule Version

IISW-SV-000151

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Access the IIS 8.5 web server registry.

Verify the following values are present and configured. The required setting depends upon the requirements of the application. These settings must be explicitly configured to show that conscientious tuning has been performed.

Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\

Configure the following registry keys to levels that accommodate the hosted applications.

"URIEnableCache"
"UriMaxUriBytes"
"UriScavengerPeriod"

Check Contents

If the IIS 8.5 web server is not hosting any applications, this is Not Applicable.

If the IIS 8.5 web server is hosting applications, consult with the System Administrator to determine what risk analysis was performed when the application was written and deployed to the IIS 8.5 web server.

Obtain documentation on the configuration.

Verify, at a minimum, the following tuning settings in the registry.

Access the IIS 8.5 web server registry.

Verify the following values are present and configured. The required setting depends upon the requirements of the application.

Recommended settings are not provided, as these settings must be explicitly configured to show that conscientious tuning has been performed.

Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\
"URIEnableCache"
"UriMaxUriBytes"
"UriScavengerPeriod"

If explicit settings are not configured for "URIEnableCache", "UriMaxUriBytes" and "UriScavengerPeriod", this is a finding.
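
The registry check above can be scripted. The following PowerShell is an added example, not part of the STIG or of STIGQter; the function name `Test-IisHttpTuning` is hypothetical. It only reports whether each value is explicitly present, because the STIG gives no recommended values.

```powershell
# Added example: audits the three HTTP.sys tuning values named in the check.
# Test-IisHttpTuning is a hypothetical helper name, not part of the STIG.
function Test-IisHttpTuning {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    )

    $required = 'URIEnableCache', 'UriMaxUriBytes', 'UriScavengerPeriod'

    # If the key itself is missing, none of the values can be explicitly set.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue

    foreach ($name in $required) {
        $present = $false
        $value   = $null
        $kind    = $null

        # -contains is case-insensitive, matching registry value-name semantics.
        if ($key -and ($key.GetValueNames() -contains $name)) {
            $present = $true
            $value   = $key.GetValue($name)
            $kind    = $key.GetValueKind($name)
        }

        [pscustomobject]@{
            Name    = $name
            Present = $present
            Kind    = $kind
            Value   = $value
            Status  = $(if ($present) { 'Configured' } else { 'Finding' })
        }
    }
}

$results = Test-IisHttpTuning
$results | Format-Table -AutoSize

# Any absent value is a finding under V-214434. Values that are present still
# have to be compared with the application's documented requirements.
if ($results.Status -contains 'Finding') {
    Write-Warning 'V-214434: one or more tuning values are not explicitly configured.'
}
```

Run it in an elevated session on the web server; a `Configured` status shows only that the value exists, not that it matches the documented tuning.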

Documentable

False

Check Content Reference

M

Target Key

4000
