| Checked | Name | Title |
|---|
| ☐ | SV-218735r558649_rule | The IIS 10.0 website session state must be enabled. |
| ☐ | SV-218736r558649_rule | The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode. |
| ☐ | SV-218737r558649_rule | A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections. |
| ☐ | SV-218738r558649_rule | A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required. |
| ☐ | SV-218739r558649_rule | Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled. |
| ☐ | SV-218740r558649_rule | An IIS 10.0 website behind a load balancer or proxy server must produce log records containing the source client IP, and destination information. |
| ☐ | SV-218741r558649_rule | The IIS 10.0 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 10.0 website events. |
| ☐ | SV-218742r558649_rule | The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. |
| ☐ | SV-218743r558649_rule | The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled. |
| ☐ | SV-218744r558649_rule | Mappings to unused and vulnerable scripts on the IIS 10.0 website must be removed. |
| ☐ | SV-218745r558649_rule | The IIS 10.0 website must have resource mappings set to disable the serving of certain file types. |
| ☐ | SV-218746r558649_rule | The IIS 10.0 website must have Web Distributed Authoring and Versioning (WebDAV) disabled. |
| ☐ | SV-218748r558649_rule | Each IIS 10.0 website must be assigned a default host header. |
| ☐ | SV-218749r558649_rule | A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity. |
| ☐ | SV-218750r558649_rule | Anonymous IIS 10.0 website access accounts must be restricted. |
| ☐ | SV-218751r558649_rule | The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced. |
| ☐ | SV-218752r558649_rule | The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files. |
| ☐ | SV-218753r558649_rule | The IIS 10.0 website must be configured to limit the maxURL. |
| ☐ | SV-218754r558649_rule | The IIS 10.0 website must be configured to limit the size of web requests. |
| ☐ | SV-218755r558649_rule | The IIS 10.0 websites Maximum Query String limit must be configured. |
| ☐ | SV-218756r558649_rule | Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website. |
| ☐ | SV-218757r558649_rule | Double encoded URL requests must be prohibited by any IIS 10.0 website. |
| ☐ | SV-218758r695276_rule | Unlisted file extensions in URL requests must be filtered by any IIS 10.0 website. |
| ☐ | SV-218759r558649_rule | Directory Browsing on the IIS 10.0 website must be disabled. |
| ☐ | SV-218760r558649_rule | Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 website, patches, loaded modules, and directory paths. |
| ☐ | SV-218761r558649_rule | Debugging and trace information used to diagnose the IIS 10.0 website must be disabled. |
| ☐ | SV-218762r558649_rule | The Idle Time-out monitor for each IIS 10.0 website must be enabled. |
| ☐ | SV-218763r558649_rule | The IIS 10.0 websites connectionTimeout setting must be explicitly configured to disconnect an idle session. |
| ☐ | SV-218764r558649_rule | The IIS 10.0 website must provide the capability to immediately disconnect or disable remote access to the hosted applications. |
| ☐ | SV-218765r558649_rule | The IIS 10.0 website must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 website. |
| ☐ | SV-218766r558649_rule | The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines. |
| ☐ | SV-218767r558649_rule | The IIS 10.0 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). |
| ☐ | SV-218768r558649_rule | The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates. |
| ☐ | SV-218769r558649_rule | IIS 10.0 website session IDs must be sent to the client using TLS. |
| ☐ | SV-218770r558649_rule | Cookies exchanged between the IIS 10.0 website and the client must have cookie properties set to prohibit client-side scripts from reading the cookie data. |
| ☐ | SV-218771r558649_rule | The IIS 10.0 website must have a unique application pool. |
| ☐ | SV-218772r558649_rule | The maximum number of requests an application pool can process for each IIS 10.0 website must be explicitly set. |
| ☐ | SV-218773r558649_rule | The amount of virtual memory an application pool uses for each IIS 10.0 website must be explicitly set. |
| ☐ | SV-218774r558649_rule | The amount of private memory an application pool uses for each IIS 10.0 website must be explicitly set. |
| ☐ | SV-218775r558649_rule | The application pool for each IIS 10.0 website must have a recycle time explicitly set. |
| ☐ | SV-218776r558649_rule | The application pools pinging monitor for each IIS 10.0 website must be enabled. |
| ☐ | SV-218777r558649_rule | The application pools rapid fail protection for each IIS 10.0 website must be enabled. |
| ☐ | SV-218778r558649_rule | The application pools rapid fail protection settings for each IIS 10.0 website must be managed. |
| ☐ | SV-218779r558649_rule | Interactive scripts on the IIS 10.0 web server must be located in unique and designated folders. |
| ☐ | SV-218780r558649_rule | Interactive scripts on the IIS 10.0 web server must have restrictive access controls. |
| ☐ | SV-218781r558649_rule | Backup interactive scripts on the IIS 10.0 server must be removed. |
| ☐ | SV-218782r558649_rule | The required DoD banner page must be displayed to authenticated users accessing a DoD private website. |
STIGQter: STIG Summary: