STIGQter: STIG Summary: Microsoft IIS 10.0 Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The IIS 10.0 web server must be tuned to handle the operational requirements of the hosted application.

DISA Rule

SV-218819r561041_rule

Vulnerability Number

V-218819

Group Title

SRG-APP-000435-WSR-000148

Rule Version

IIST-SV-000151

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Access the IIS 10.0 web server registry.

Verify the following keys are present and configured. The required setting depends upon the requirements of the application. These settings must be explicitly configured to show a conscientious tuning has been made.

Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\

Configure the following registry keys to levels to accommodate the hosted applications.

"URIEnableCache"
"UriMaxUriBytes"
"UriScavengerPeriod"

Check Contents

If the IIS 10.0 web server is not hosting any applications, this is Not Applicable.

If the IIS 10.0 web server is hosting applications, consult with the System Administrator to determine risk analysis performed when the application was written and deployed to the IIS 10.0 web server.

Obtain documentation on the configuration.

Verify, at a minimum, the following tuning settings in the registry.

Access the IIS 10.0 web server registry.

Verify the following keys are present and configured. The required setting depends upon the requirements of the application.

Recommended settings are not provided as these settings must be explicitly configured to show a conscientious tuning has been made.

Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\
"URIEnableCache"
"UriMaxUriBytes"
"UriScavengerPeriod"

If explicit settings are not configured for "URIEnableCache", "UriMaxUriBytes" and "UriScavengerPeriod", this is a finding.

Vulnerability Number

V-218819

Documentable

False

Rule Version

IIST-SV-000151

Severity Override Guidance

If the IIS 10.0 web server is not hosting any applications, this is Not Applicable.

If the IIS 10.0 web server is hosting applications, consult with the System Administrator to determine risk analysis performed when the application was written and deployed to the IIS 10.0 web server.

Obtain documentation on the configuration.

Verify, at a minimum, the following tuning settings in the registry.

Access the IIS 10.0 web server registry.

Verify the following keys are present and configured. The required setting depends upon the requirements of the application.

Recommended settings are not provided as these settings must be explicitly configured to show a conscientious tuning has been made.

Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\
"URIEnableCache"
"UriMaxUriBytes"
"UriScavengerPeriod"

If explicit settings are not configured for "URIEnableCache", "UriMaxUriBytes" and "UriScavengerPeriod", this is a finding.

Check Content Reference

M

Target Key

4052

Comments