STIGQter: STIG Summary: Microsoft IIS 10.0 Site Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required.

DISA Rule

SV-218738r558649_rule

Vulnerability Number

V-218738

Group Title

SRG-APP-000014-WSR-000006

Rule Version

IIST-SI-000204

Severity

CAT II

CCI(s)

• CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.

Weight

10

Fix Recommendation

Note: If the server being reviewed is a private IIS 10.0 web server, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name.

Double-click the "SSL Settings" icon.

Select "Require SSL" check box.

Select "Apply" from the "Actions" pane.

Check Contents

Note: If the server being reviewed is a private IIS 10.0 web server, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name.

Double-click the "SSL Settings" icon.

Verify "Require SSL" check box is selected.

If the "Require SSL" check box is not selected, this is a finding.

Vulnerability Number

V-218738

Documentable

False

Rule Version

IIST-SI-000204

Severity Override Guidance

Note: If the server being reviewed is a private IIS 10.0 web server, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name.

Double-click the "SSL Settings" icon.

Verify "Require SSL" check box is selected.

If the "Require SSL" check box is not selected, this is a finding.

Check Content Reference

M

Target Key

4051

Comments