STIGQter: STIG Summary: Microsoft IIS 10.0 Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The IIS 10.0 web server must have a global authorization rule configured to restrict access.

DISA Rule

SV-218825r695274_rule

Vulnerability Number

V-218825

Group Title

SRG-APP-000516-WSR-000174

Rule Version

IIST-SV-000159

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Open the IIS 10.0 Manager.
Click the IIS 10.0 web server name.
Double-click the "Authorization Rules" icon.
Remove all groups other than "Administrators".

Check Contents

Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Double-click the ".NET Authorization Rules" icon.

If any groups other than "Administrators" is listed, this is a finding.

If ASP.NET is not installed, this is Not Applicable.

Vulnerability Number

V-218825

Documentable

False

Rule Version

IIST-SV-000159

Severity Override Guidance

Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Double-click the ".NET Authorization Rules" icon.

If any groups other than "Administrators" is listed, this is a finding.

If ASP.NET is not installed, this is Not Applicable.

Check Content Reference

M

Target Key

4052

Comments