STIGQter: STIG Summary: Microsoft IIS 8.5 Site Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

Each IIS 8.5 website must be assigned a default host header.

DISA Rule

SV-214459r508659_rule

Vulnerability Number

V-214459

Group Title

SRG-APP-000142-WSR-000089

Rule Version

IISW-SI-000219

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Right-click on the site name under review.

Select “Edit Bindings”.

Assign hostname entries and unique IP addresses to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used.

Click "OK".

Select "Apply" from the "Actions" pane.

Check Contents

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.
Right-click on the site name under review.
Select “Edit Bindings”.

Verify there are hostname entries and unique IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used.

If both hostname entries and unique IP addresses are not configured to port 80 for HTTP and port 443 for HTTPS (or other approved and documented port), this is a finding.

Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding.

Note: If HTTP/Port 80 is not being used, and isn’t configured as above, this is not a finding.
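
The same check can be scripted across every site instead of opening "Edit Bindings" one site at a time. The following is an added example, not part of the STIG text: the function name `Test-BindingInformation` and the sample bindings are hypothetical, and it assumes that a `*` or empty IP field in a binding does not count as an assigned IP address.

```powershell
# Added example. Binding strings use the IIS format "IP:port:hostname".
function Test-BindingInformation {
    param(
        [Parameter(Mandatory)] [string] $Site,
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [string] $BindingInformation
    )
    $reasons = @()
    # Bracketed IPv6 literals contain colons, so try that form before the plain one.
    if ($BindingInformation -match '^(?<ip>\[[^\]]+\]|[^:]*):(?<port>\d+):(?<host>.*)$') {
        if ([string]::IsNullOrWhiteSpace($Matches['host'])) { $reasons += 'no hostname' }
        # Assumption: "*" or an empty IP field ("All Unassigned") is not a specific IP.
        if ($Matches['ip'] -in @('', '*')) { $reasons += 'no specific IP address' }
    } else {
        $reasons += 'unparseable binding'
    }
    [pscustomobject]@{
        Site    = $Site
        Binding = "$Protocol $BindingInformation"
        Flagged = ($reasons.Count -gt 0)
        Reason  = ($reasons -join '; ')
    }
}

# Constructed sample bindings (documentation addresses, not from a real server).
$sample = @(
    @{ Site = 'Default Web Site'; Protocol = 'http';  BindingInformation = '*:80:' }
    @{ Site = 'Portal';  Protocol = 'https'; BindingInformation = '192.0.2.10:443:portal.example.test' }
    @{ Site = 'Portal';  Protocol = 'http';  BindingInformation = '192.0.2.10:80:' }
    @{ Site = 'Reports'; Protocol = 'https'; BindingInformation = '[2001:db8::10]:443:reports.example.test' }
)
$results = foreach ($b in $sample) { Test-BindingInformation @b }

# On the web server, evaluate the real HTTP/HTTPS bindings instead of the sample.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $results = foreach ($s in Get-Website) {
        $bindings = $s.bindings.Collection | Where-Object { $_.protocol -in 'http', 'https' }
        foreach ($b in $bindings) {
            Test-BindingInformation -Site $s.Name -Protocol $b.protocol -BindingInformation $b.bindingInformation
        }
    }
}
$results | Format-Table -AutoSize
```

A flagged row is a candidate finding only: the two notes above (certificate handling at the Proxy/Load Balancer, and HTTP/Port 80 not being used) still have to be judged by the reviewer.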

Documentable

False

Severity Override Guidance

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.
Right-click on the site name under review.
Select “Edit Bindings”.

Verify there are hostname entries and unique IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used.

If both hostname entries and unique IP addresses are not configured to port 80 for HTTP and port 443 for HTTPS (or other approved and documented port), this is a finding.

Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding.

Note: If HTTP/Port 80 is not being used, and isn’t configured as above, this is not a finding.

Check Content Reference

M

Target Key

4001
