Check: IIST-SV-000118
Microsoft IIS 10.0 Server STIG:
IIST-SV-000118
(in versions v3 r2 through v1 r1)
Title
The IIS 10.0 web server must only contain functions necessary for operation. (Cat II impact)
Discussion
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services deemed non-essential to the web server mission or that adversely impact server performance.
Check Content
Click “Start”. Open Control Panel. Click “Programs”. Click “Programs and Features”. Review the installed programs. If any programs are installed other than those required for the IIS 10.0 web services, this is a finding. Note: If additional software is needed, supporting documentation must be signed by the ISSO.
Fix Text
Remove all unapproved programs and roles from the production IIS 10.0 web server.
Additional Identifiers
Rule ID: SV-218793r960963_rule
Vulnerability ID: V-218793
Group Title: SRG-APP-000141-WSR-000075
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000381 |
Configure the system to provide only organization-defined mission essential capabilities. |
Controls
| Number | Title |
|---|---|
| CM-7 |
Least Functionality |