Check: IISW-SI-000219
Microsoft IIS 8.5 Site STIG:
IISW-SI-000219
(in versions v2 r9 through v2 r4)
Title
Each IIS 8.5 website must be assigned a default host header. (Cat II impact)
Discussion
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.
Check Content
Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding. Note: If HTTP/Port 80 is not being used, and isn’t configured as below, this is not a finding. Note: If the server is hosting SharePoint, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Right-click on the site name under review. Select “Edit Bindings”. Verify there are hostname entries and unique IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used. If both hostname entries and unique IP addresses are not configure to port 80 for HTTP and port 443 for HTTPS (or other approved and documented port), this is a finding.
Fix Text
Note: If the server is hosting SharePoint, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Right-click on the site name under review. Select “Edit Bindings”. Assign hostname entries and unique IP addresses to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used. Click "OK". Select "Apply" from the "Actions" pane.
Additional Identifiers
Rule ID: SV-214459r879588_rule
Vulnerability ID: V-214459
Group Title: SRG-APP-000142-WSR-000089
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000382 |
The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |