Title

The IIS 8.5 web server must only contain functions necessary for operation. (Cat II impact)

Discussion

A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.

Check Content

Click on “Start”. Open Control Panel. Click on “Programs”. Click on “Programs and Features”. Review the installed programs, if any programs are installed other than those required for the IIS 8.5 web services, this is a finding. Note: If additional software is needed supporting documentation must be signed by the ISSO.

Fix Text

Remove all unapproved programs and roles from the production IIS 8.5 web server.

Additional Identifiers

Rule ID: SV-214408r879587_rule

Vulnerability ID: V-214408

Group Title: SRG-APP-000141-WSR-000075

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.