Check: IIST-SV-000123
Microsoft IIS 10.0 Server STIG:
IIST-SV-000123
(in versions v2 r10 through v1 r1)
Title
The IIS 10.0 web server must be reviewed on a regular basis to remove any Operating System features, utility programs, plug-ins, and modules not necessary for operation. (Cat II impact)
Discussion
Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is a danger at the application layer of the OSI model. Office suites, development tools, and graphic editors are examples of such troublesome programs. Individual productivity tools have no legitimate place or use on an enterprise production web server and are prone to security risks. The web server installation process must provide options allowing the installer to choose which utility programs, services, and modules are to be installed or removed. By having a process for installation and removal, the web server is guaranteed to be in a more stable and secure state than if these services and programs were installed and removed manually.
Check Content
Consult with the System Administrator and review all of the IIS 10.0 and Operating System features installed. Determine if any features installed are no longer necessary for operation. If any utility programs, features, or modules are installed which are not necessary for operation, this is a finding. If any unnecessary Operating System features are installed, this is a finding.
Fix Text
Remove all utility programs, Operating System features, or modules installed that are not necessary for web server operation.
Additional Identifiers
Rule ID: SV-218797r879587_rule
Vulnerability ID: V-218797
Group Title: SRG-APP-000141-WSR-000080
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |