Microsoft IIS 10.0 Site STIG Version Comparison
Microsoft IIS 10.0 Site Security Technical Implementation Guide
There are 10 differences between versions v2 r7 (Oct. 26, 2022) (the "left" version) and v2 r9 (Oct. 25, 2023) (the "right" version).
Check IIST-SI-000203 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections.
Note: If the server being reviewed is a public IIS 10.0 web server, this is Not Applicable. Note: Applicable. Note: If the server is hosting SharePoint, this is Not Applicable. Note: If the server is hosting WSUS, this is Not Applicable. Note: If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 10.0 server, and the IIS 10.0 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Double-click the "SSL Settings" icon. Verify "Require SSL" check box is selected. If the "Require SSL" check box is not selected, this is a finding.
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.
Follow Note: If the server being reviewed is a public IIS 10.0 web server, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Double-click the "SSL Settings" icon. Select "Require SSL" check box. Select "Apply" from the "Actions" pane.