Microsoft IIS 10.0 Server STIG Version Comparison
Microsoft IIS 10.0 Server Security Technical Implementation Guide
Comparison
There are 13 differences between versions v2 r10 (Oct. 25, 2023) (the "left" version) and v3 r2 (Oct. 24, 2024) (the "right" version).
Check IIST-SV-000220 was added to the benchmark in the "right" version.
Text Differences
Title
The Request Smuggling filter must be enabled.
Check Content
Open Registry Editor. Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters". Verify "DisableRequestSmuggling" is set to "1". If REG_DWORD DisableRequestSmuggling is not set to 1, this is a finding.
Discussion
Security scans show a request smuggling vulnerability on the IIS server. The vulnerability allows a remote attacker to perform an HTTP request smuggling attack. It exists because HTTP proxies (front-end) and web servers (back-end) that do not strictly adhere to RFC standards handle sequences of HTTP requests received from multiple sources inconsistently. A remote attacker can send a specially crafted request to a targeted IIS server, perform an HTTP request smuggling attack, and modify responses or retrieve information from another user's HTTP session.
Fix
Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters". Create REG_DWORD "DisableRequestSmuggling" and set it to "1". Note: This can be performed multiple ways; this is an example.
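The check and fix above, as an added PowerShell example (not part of the STIG text): it audits IIST-SV-000220 by reading the registry value and its type, reports whether the host is a finding, and offers a remediation function. It assumes an elevated session on the IIS host; the key and value names are those given in the check.

```powershell
# Added example (not STIG-supplied code). Key and value names come from check IIST-SV-000220.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$ValueName = 'DisableRequestSmuggling'

function Test-RequestSmugglingFilter {
    # Returns an object with the current value, its registry type, and the finding status.
    $key  = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    $kind = $null
    $current = $null
    if ($key -and ($key.GetValueNames() -contains $ValueName)) {
        $kind    = $key.GetValueKind($ValueName)      # must be DWord per the check text
        $current = $key.GetValue($ValueName)
    }
    [pscustomobject]@{
        CheckId = 'IIST-SV-000220'
        Kind    = $kind
        Value   = $current
        # Missing value, wrong type, or any value other than 1 is a finding.
        Finding = (($kind -ne 'DWord') -or ([int]$current -ne 1))
    }
}

function Set-RequestSmugglingFilter {
    # Fix action from the STIG: create (or overwrite) the REG_DWORD and set it to 1.
    # Requires an elevated session; HTTP.sys reads this key at service start, so
    # restart the HTTP service or reboot before re-running the check.
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$result = Test-RequestSmugglingFilter
$result | Format-List
if ($result.Finding) {
    Write-Warning "$($result.CheckId): $ValueName is not a REG_DWORD set to 1 (current: $($result.Value))"
}
```

Run the audit first; call Set-RequestSmugglingFilter only on hosts where the result reports a finding, then re-audit after the HTTP service restart.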