STIGQter: STIG Summary: Microsoft IIS 10.0 Site Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 23 Apr 2021

Each IIS 10.0 website must be assigned a default host header.

DISA Rule

SV-218748r558649_rule

Vulnerability Number

V-218748

Group Title

SRG-APP-000142-WSR-000089

Rule Version

IIST-SI-000219

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Right-click on the site name under review.

Select "Edit Bindings".

Assign hostname entries and unique IP addresses to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used.

Click "OK".

Select "Apply" from the "Actions" pane.

Check Contents

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.
Right-click on the site name under review.
Select "Edit Bindings".

Verify there are hostname entries and unique IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used.

If hostname entries and unique IP addresses are not both configured for port 80 (HTTP) and port 443 (HTTPS), or for another approved and documented port, this is a finding.

Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding.

Note: If HTTP/Port 80 is not being used, and is not configured as above, this is not a finding.

Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable.
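The Fix and Check procedures above can be run from PowerShell instead of clicking through "Edit Bindings" for every site. The following is an added example, not part of the STIG text or of STIGQter. It assumes the WebAdministration module is installed (the "IIS Management Scripts and Tools" feature) and that the script runs in an elevated session on the IIS 10.0 server; the function names are my own, and the address, host name and thumbprint used in the usage note are placeholders.

```powershell
# Added example: PowerShell audit and remediation for IIST-SI-000219.
# Not part of the STIG text. Assumes the WebAdministration module is installed
# (Windows feature "IIS Management Scripts and Tools") and an elevated session
# on the IIS 10.0 server. Function names are my own.
Import-Module WebAdministration

function Test-SiteHostHeaderBinding {
    # Returns one object per http/https binding that fails the check:
    # missing host header, wildcard IP, or a port outside the approved list.
    # 80 and 443 are assumed approved; pass locally documented ports via -ApprovedPort.
    param([int[]]$ApprovedPort = @(80, 443))

    $rows = foreach ($site in Get-Website) {
        foreach ($b in $site.bindings.Collection) {
            if ($b.protocol -notin 'http', 'https') { continue }

            # bindingInformation is "IP:port:hostheader". The IP may be a bracketed
            # IPv6 literal, so anchor on the final ":port:" instead of splitting on every colon.
            if ($b.bindingInformation -notmatch '^(?<ip>.*):(?<port>\d+):(?<host>.*)$') { continue }
            $ip   = $Matches.ip
            $port = [int]$Matches.port
            $hdr  = $Matches.host

            $problems = @()
            if ([string]::IsNullOrWhiteSpace($hdr))  { $problems += 'no host header' }
            if ($ip -in '*', '0.0.0.0', '[::]')       { $problems += 'wildcard IP' }
            if ($port -notin $ApprovedPort)           { $problems += "port $port not approved" }

            [pscustomobject]@{
                Site = $site.name; Protocol = $b.protocol; IP = $ip; Port = $port
                HostHeader = $hdr; Problem = $problems -join '; '
            }
        }
    }

    # "Unique IP addresses": also flag an IP:port that more than one site binds to.
    # This reads the STIG literally; the reviewer decides whether host-header-only
    # separation on a shared IP is acceptable locally.
    foreach ($g in ($rows | Group-Object IP, Port | Where-Object Count -gt 1)) {
        foreach ($r in $g.Group) {
            $r.Problem = (@($r.Problem, 'IP:port shared with another site') | Where-Object { $_ }) -join '; '
        }
    }

    $rows | Where-Object Problem
}

function Set-SiteHostHeaderBinding {
    # Remediation equivalent of "Edit Bindings": replace a wildcard binding on
    # the port with one that carries a dedicated IPv4 address and a host header.
    param(
        [Parameter(Mandatory)][string]$Site,
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$HostHeader,
        [ValidateSet('http', 'https')][string]$Protocol = 'https',
        [int]$Port = 0,
        [string]$CertThumbprint    # required when -Protocol https
    )
    if ($Port -eq 0) { $Port = if ($Protocol -eq 'https') { 443 } else { 80 } }
    if ($Protocol -eq 'https' -and -not $CertThumbprint) {
        throw 'An https binding needs -CertThumbprint.'
    }

    # Remove the wildcard binding on that port if one exists, then add the scoped one.
    Remove-WebBinding -Name $Site -Protocol $Protocol -Port $Port -IPAddress '*' -ErrorAction SilentlyContinue
    New-WebBinding -Name $Site -Protocol $Protocol -IPAddress $IPAddress -Port $Port -HostHeader $HostHeader

    if ($Protocol -eq 'https') {
        # Attach the server certificate to the new IP:port so the binding serves TLS.
        $cert = Get-Item "Cert:\LocalMachine\My\$CertThumbprint"
        New-Item -Path "IIS:\SslBindings\$IPAddress!$Port" -Value $cert -Force | Out-Null
    }
}
```

Run `Test-SiteHostHeaderBinding | Format-Table -AutoSize` to get the per-binding findings the manual check would produce; an empty result means every http/https binding has a host header, a non-wildcard IP and an approved port. Remediate one site with, for example, `Set-SiteHostHeaderBinding -Site 'Default Web Site' -IPAddress 10.0.0.5 -HostHeader www.example.mil -CertThumbprint <thumbprint>` (placeholder values). Two practical cautions: confirm the dedicated IP is actually configured on the server before the wildcard binding is removed, or the site stops answering; and apply the three notes above first, since sites behind a TLS-terminating proxy or load balancer, unused port 80 bindings, and Exchange-only installations are not findings and do not need this change.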

Documentable

False

Severity Override Guidance

Same as Check Contents above.

Check Content Reference

M

Target Key

4051

Comments