Check: IISW-SV-000135
Microsoft IIS 8.5 Server STIG:
IISW-SV-000135
(in versions v2 r7 through v2 r1)
Title
The IIS 8.5 web server must limit the amount of time a cookie persists. (Cat II impact)
Discussion
ASP.NET provides a session state, which is available as the HttpSessionState class, as a method of storing session-specific information that is visible only within the session. ASP.NET session state identifies requests from the same browser during a limited time window as a session, and provides the ability to persist variable values for the duration of that session. Cookies associate session information with client information for the duration of a user’s connection to a website. Using cookies is a more efficient way to track session state than any of the methods that do not use cookies because cookies do not require any redirection.
Check Content
Note: If IIS 8.5 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable. Open the IIS 8.5 Manager. Click the IIS 8.5 web server name. Under the "ASP.NET" section, select "Session State". Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mode:" drop-down list. Under Time-out (in minutes), verify “20 minutes or less” is selected. If the "Use Cookies” mode is selected and Time-out (in minutes) is configured for “20 minutes or less”, this is not a finding. Alternative method: Click the site name. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". Verify the "cookieless" is set to "UseCookies". If the "cookieless" is not set to "UseCookies", this is a finding.
Fix Text
Open the IIS 8.5 Manager. Click the IIS 8.5 web server name. Under the "ASP.NET" section, select "Session State". Under "Cookie Settings", select the "Use Cookies" mode from the "Mode:" drop-down list. Under “Time-out (in minutes), enter a value of “20 or less”.
Additional Identifiers
Rule ID: SV-214420r879638_rule
Vulnerability ID: V-214420
Group Title: SRG-APP-000223-WSR-000145
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001664 |
The information system recognizes only session identifiers that are system-generated. |
Controls
Number | Title |
---|---|
SC-23 (3) |
Unique Session Identifiers With Randomization |