STIGQter: STIG Summary: Microsoft IIS 10.0 Site Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode.

DISA Rule

SV-218736r558649_rule

Vulnerability Number

V-218736

Group Title

SRG-APP-000001-WSR-000002

Rule Version

IIST-SI-000202

Severity

CAT II

CCI(s)

• CCI-000054 - The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions.

Weight

10

Fix Recommendation

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name.

Under the ASP.NET section, select "Session State".

Under "Cookie Settings", select the "Use Cookies" from the "Mode:" drop-down list.

Select "Apply" from the "Actions" pane.

Check Contents

Follow the procedures below for each site hosted on the IIS 10.0 web server:
Open the IIS 10.0 Manager.
Click the site name.
Under the "ASP.NET" section, select "Session State".
Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mode:" drop-down list.
If the "Use Cookies" mode is selected, this is not a finding.

Alternative method:
Click the site name.
Select "Configuration Editor" under the "Management" section.
From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".
Verify the "cookieless" is set to "UseCookies".
If the "cookieless" is not set to "UseCookies", this is a finding.
Note: If IIS 10.0 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable.

Vulnerability Number

V-218736

Documentable

False

Rule Version

IIST-SI-000202

Severity Override Guidance

Follow the procedures below for each site hosted on the IIS 10.0 web server:
Open the IIS 10.0 Manager.
Click the site name.
Under the "ASP.NET" section, select "Session State".
Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mode:" drop-down list.
If the "Use Cookies" mode is selected, this is not a finding.

Alternative method:
Click the site name.
Select "Configuration Editor" under the "Management" section.
From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".
Verify the "cookieless" is set to "UseCookies".
If the "cookieless" is not set to "UseCookies", this is a finding.
Note: If IIS 10.0 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable.

Check Content Reference

M

Target Key

4051

Comments