Check: IIST-SI-000239
Microsoft IIS 10.0 Site STIG:
IIST-SI-000239
(in versions v2 r10 through v1 r1)
Title
The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines. (Cat II impact)
Discussion
Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The web server must provide the capability to disable or deactivate network-related services deemed to be non-essential to the server mission, too unsecure, or prohibited by the PPSM CAL and vulnerability assessments. Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS. The ISSM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, PPSM, and the associated PPS Assurance Category Assignments List.
Check Content
Review the website to determine if HTTP and HTTPs (e.g., 80 and 443) are used in accordance with those ports and services registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name under review. In the "Action" Pane, click "Bindings". Review the ports and protocols. If unknown ports or protocols are used, then this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name under review. In the "Action" Pane, click "Bindings". Edit to change an existing binding and set the correct ports and protocol.
Additional Identifiers
Rule ID: SV-218766r961470_rule
Vulnerability ID: V-218766
Group Title: SRG-APP-000383-WSR-000175
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001762 |
Disable or remove organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure. |
Controls
Number | Title |
---|---|
CM-7(1) |
Periodic Review |