STIGQter: STIG Summary: Microsoft IIS 10.0 Server Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 23 Apr 2021

The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).

DISA Rule

SV-218827r695271_rule

Vulnerability Number

V-218827

Group Title

SRG-APP-000516-WSR-000174

Rule Version

IIST-SV-000205

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Enable HSTS via IIS Manager or PowerShell.

Check Contents

Access the IIS 10.0 Web Server.

Open IIS Manager.

Click the IIS 10.0 web server name.

Click on HSTS.

Verify "Enable" is checked, and Max-Age is set to something other than "0".

Verify "IncludeSubDomains" and "Redirect HTTP to HTTPS" are checked.

Click "OK".

If HSTS has not been enabled, this is a finding.

If the website is behind a load balancer or proxy server, and HSTS enablement is handled there, this is Not Applicable.

The recommended max age is 8 minutes (480 seconds) or greater. Any value greater than 0 is not a finding.

If the version of Windows Server does not natively support HSTS, this is not a finding.
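The manual check above can be run against every site at once. The following script is an added example (not code from the STIG or from STIGQter) that reads each site's hsts element from system.applicationHost/sites with the IISAdministration module and reports it against the finding conditions in the check text; it assumes an elevated PowerShell session on a server whose IIS 10.0 build natively supports HSTS and has that module installed.

```powershell
# Added audit script (not STIG or STIGQter code). Assumes an elevated session
# on a server whose IIS 10.0 natively supports HSTS and has the
# IISAdministration module; it only reads configuration, never changes it.
Import-Module IISAdministration

# The per-site <hsts> element lives under system.applicationHost/sites in
# applicationHost.config; attributes not set explicitly come back as the
# schema defaults (enabled=false, max-age=0).
$sites = Get-IISConfigSection -SectionPath "system.applicationHost/sites" |
         Get-IISConfigCollection

foreach ($site in $sites) {
    $name = Get-IISConfigAttributeValue -ConfigElement $site -AttributeName "name"
    $hsts = Get-IISConfigElement -ConfigElement $site -ChildElementName "hsts"

    $enabled  = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName "enabled"
    $maxAge   = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName "max-age"
    $subDoms  = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName "includeSubDomains"
    $redirect = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName "redirectHttpToHttps"

    # Finding conditions taken from the check text: HSTS not enabled, or
    # max-age left at 0. The remaining items are surfaced for the reviewer.
    $findings = @()
    if (-not $enabled) { $findings += "HSTS not enabled" }
    if ($maxAge -eq 0) { $findings += "max-age is 0" }

    $notes = @()
    if ($maxAge -gt 0 -and $maxAge -lt 480) { $notes += "max-age below the recommended 480 s" }
    if (-not $subDoms)  { $notes += "IncludeSubDomains not checked" }
    if (-not $redirect) { $notes += "Redirect HTTP to HTTPS not checked" }

    if ($findings.Count -gt 0) { $status = "Finding: " + ($findings -join "; ") }
    else                       { $status = "Not a finding" }

    [pscustomobject]@{
        Site                = $name
        Enabled             = $enabled
        MaxAge              = $maxAge
        IncludeSubDomains   = $subDoms
        RedirectHttpToHttps = $redirect
        Status              = $status
        Notes               = ($notes -join "; ")
    }
}
```

Sites fronted by a load balancer or proxy that applies HSTS there are Not Applicable under this check, so exclude them before acting on the Status column.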

Check Content Reference

M

Target Key

4052

Comments