Title

The Idle Time-out monitor for each IIS 8.5 website must be enabled. (Cat II impact)

Discussion

The idle time-out attribute controls the amount of time a worker process will remain idle before it shuts down. A worker process is idle if it is not processing requests and no new requests are received. The purpose of this attribute is to conserve system resources; the default value for idle time-out is 20 minutes. By default, the World Wide Web (WWW) service establishes an overlapped recycle, in which the worker process to be shut down is kept running until after a new worker process is started.

Check Content

If this IIS 8.5 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the Application Pools. Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. Scroll down to the "Process Model" section and verify the value for "Idle Time-out" is set to "20". If the "Idle Time-out" is not set to "20" or less, this is a finding. If the "Idle Time-out" is set to "0", this is a finding.

Fix Text

Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the Application Pools. Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. Scroll down to the "Process Model" section and set the value for "Idle Time-out" to "20" or less.

Additional Identifiers

Rule ID: SV-214474r879673_rule

Vulnerability ID: V-214474

Group Title: SRG-APP-000295-WSR-000012

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.