Check: IIST-SV-000148
Microsoft IIS 10.0 Server STIG:
IIST-SV-000148
(in versions v2 r10 through v1 r0.1)
Title
The IIS 10.0 web server must not be running on a system providing any other role. (Cat II impact)
Discussion
Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The web server must provide the capability to disable or deactivate network-related services deemed non-essential to the server mission, are too unsecure, or are prohibited by the PPSM CAL and vulnerability assessments.
Check Content
Review programs installed on the OS. Open Control Panel. Open Programs and Features. The following programs may be installed without any additional documentation: Administration Pack for IIS IIS Search Engine Optimization Toolkit Microsoft .NET Framework version 3.5 SP1 or greater Microsoft Web Platform Installer version 3.x or greater Virtual Machine Additions Review the installed programs, if any programs are installed other than those listed above, this is a finding. Note: If additional software is needed and has supporting documentation signed by the ISSO, this is not a finding.
Fix Text
Remove all unapproved programs and roles from the production web server.
Additional Identifiers
Rule ID: SV-218817r879756_rule
Vulnerability ID: V-218817
Group Title: SRG-APP-000383-WSR-000175
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001762 |
The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure. |
Controls
Number | Title |
---|---|
CM-7 (1) |
Periodic Review |