diff --git a/CHANGELOG.md b/CHANGELOG.md
index 77e69a9cd..c5c593b94 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
## [Unreleased]
+* Update PowerSTIG to include LegacyId to assist in determining Legacy Vuln Ids with the new DISA standard. [#788](https://github.com/microsoft/PowerStig/issues/788)
+
## [4.6.0] - 2020-12-01
* Provide Method to install DoD Root Certs for Server OS and Client OS: [#755](https://github.com/microsoft/PowerStig/issues/755)
diff --git a/Tests/Unit/Module/Rule.tests.ps1 b/Tests/Unit/Module/Rule.tests.ps1
index 9775446a4..2e0edd928 100644
--- a/Tests/Unit/Module/Rule.tests.ps1
+++ b/Tests/Unit/Module/Rule.tests.ps1
@@ -15,6 +15,9 @@ try
It 'Should return the rule Id' {
$stig.id | Should Be 'V-1000'
}
+ It 'Should return the legacy Id' {
+ $stig.legacyid | Should Be 'V-1111'
+ }
It 'Should return the Severity' {
$stig.severity | Should Be 'medium'
}
diff --git a/Tests/Unit/Module/STIG.PowerStigXml.tests.ps1 b/Tests/Unit/Module/STIG.PowerStigXml.tests.ps1
index 72dda172b..7f03c871c 100644
--- a/Tests/Unit/Module/STIG.PowerStigXml.tests.ps1
+++ b/Tests/Unit/Module/STIG.PowerStigXml.tests.ps1
@@ -26,9 +26,9 @@ Describe 'Compare-PowerStigXml' {
Describe 'Get-BaseRulePropertyName' {
- It 'Should return 11 base rule types' {
+ It 'Should return 12 base rule types' {
$baseRulePropertyName = Get-BaseRulePropertyName
- $baseRulePropertyName.Count | Should -Be 11
+ $baseRulePropertyName.Count | Should -Be 12
}
}
diff --git a/Tools/TestHelper/Data/samplegroup.xml.txt b/Tools/TestHelper/Data/samplegroup.xml.txt
index c7d0499a8..f0949df6c 100644
--- a/Tools/TestHelper/Data/samplegroup.xml.txt
+++ b/Tools/TestHelper/Data/samplegroup.xml.txt
@@ -13,6 +13,7 @@
Technology
2350
+ {6}
CCE--12345-6
CCI-123456
{4}
diff --git a/Tools/TestHelper/TestHelper.psm1 b/Tools/TestHelper/TestHelper.psm1
index be13b0de6..e7ee2beeb 100644
--- a/Tools/TestHelper/TestHelper.psm1
+++ b/Tools/TestHelper/TestHelper.psm1
@@ -136,6 +136,10 @@ function Get-TestStigRule
[string]
$FixText = 'This is a string of text that tells an admin how to fix an item if it is not currently configured properly and ignored by the parser',
+ [Parameter(Parametersetname = 'UseExisting')]
+ [string]
+ $LegacyId = 'V-1111',
+
[Parameter(Parametersetname = 'UseExisting')]
[Parameter(Parametersetname = 'FileProvided')]
[switch]
@@ -162,7 +166,7 @@ function Get-TestStigRule
{
# Get the samplegroup element text and merge in the parameter strings
$groupElement = Get-Content -Path "$PSScriptRoot\data\sampleGroup.xml.txt" -Encoding UTF8 -Raw
- $groupElement = $groupElement -f $GroupId, $GroupTitle, $RuleTitle, $RuleDescription, $FixText, $CheckContent
+ $groupElement = $groupElement -f $GroupId, $GroupTitle, $RuleTitle, $RuleDescription, $FixText, $CheckContent, $LegacyId
}
# Get and merge the group element data into the xccdf xml document and create an xml object to return
diff --git a/source/Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1 b/source/Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1
index 2021fd9c7..ee6ba380a 100644
--- a/source/Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1
+++ b/source/Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1
@@ -75,6 +75,13 @@ class HardCodedRuleConvert
#>
[object] SetRule ([xml.xmlelement] $XccdfRule, [string] $TypeName)
{
+ # Support for HardCodedRule Split rule with Legacy Id present
+ $legacyId = ($XccdfRule.rule.ident | Where-Object -FilterScript {$PSItem.'#text' -match "^V-.*"}).'#text'
+ if ($XccdfRule.id -match '^V-.*\.[a-z]$' -and [string]::IsNullOrEmpty($legacyId) -eq $false)
+ {
+ $legacyId = '{0}.{1}' -f $legacyId, $XccdfRule.id.Split('.')[1]
+ }
+
$newRule = New-Object -TypeName $TypeName -ArgumentList $XccdfRule
$propertyHashtable = Get-HardCodedRuleProperty -CheckContent $XccdfRule.Rule.Check.'check-content'
foreach ($property in $propertyHashtable.Keys)
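Review bot: The ident lookup `$legacyId = ($XccdfRule.rule.ident | Where-Object -FilterScript {$PSItem.'#text' -match "^V-.*"}).'#text'` yields an array if more than one ident element starts with `V-`, and the later `'{0}.{1}' -f $legacyId, $XccdfRule.id.Split('.')[1]` would then not produce a single well-formed id; selecting the first match (`Select-Object -First 1`) or asserting exactly one match would make the split-rule suffix well-defined. The same extraction expression is repeated in the Rule constructor in Rule.psm1 in this commit, so a small shared helper (for example a `Get-LegacyId` function taking the rule element) would keep the two in sync and give the regex a single definition, where `'^V-'` is enough since the trailing `.*` adds nothing. `[string]::IsNullOrEmpty($legacyId) -eq $false` reads more naturally as `-not [string]::IsNullOrEmpty($legacyId)`; the same pattern appears in the ConvertFactory.psm1 hunk. SetRule's body continues past the hunk.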
@@ -85,6 +92,7 @@ class HardCodedRuleConvert
{
$newRule.set_OrganizationValueRequired($true)
}
+ $newRule.set_LegacyId($legacyId)
$newRule.set_Severity($XccdfRule.rule.severity)
$newRule.set_Description($XccdfRule.rule.description)
$newRule.set_RawString($XccdfRule.Rule.check.'check-content')
diff --git a/source/Module/Rule/Convert/ConvertFactory.psm1 b/source/Module/Rule/Convert/ConvertFactory.psm1
index 7cd1e8c2d..9e4daa528 100644
--- a/source/Module/Rule/Convert/ConvertFactory.psm1
+++ b/source/Module/Rule/Convert/ConvertFactory.psm1
@@ -344,6 +344,10 @@ class ConvertFactory
foreach ($convertedrule in $ruleTypeList)
{
$convertedrule.id = "$($Rule.id).$([CHAR][BYTE]$byte)"
+ if ([string]::IsNullOrEmpty($convertedrule.LegacyId) -eq $false)
+ {
+ $convertedrule.LegacyId = "$($convertedrule.LegacyId).$([CHAR][BYTE]$byte)"
+ }
$byte ++
}
}
diff --git a/source/Module/Rule/Rule.psm1 b/source/Module/Rule/Rule.psm1
index 42c44db1c..bc2597efb 100644
--- a/source/Module/Rule/Rule.psm1
+++ b/source/Module/Rule/Rule.psm1
@@ -43,6 +43,7 @@ foreach ($supportFile in $supportFileList)
class Rule : ICloneable
{
[string] $Id
+ [string] $LegacyId
[string] $Title
[severity] $Severity
[status] $ConversionStatus
@@ -102,6 +103,7 @@ class Rule : ICloneable
{
# This relaces the current Invokeclass method
$this.Id = $Rule.Id
+ $this.LegacyId = ($rule.Rule.ident | Where-Object -FilterScript {$PSItem.'#text' -match "^V-.*"}).'#text'
$this.Title = $Rule.Title
$this.Severity = $Rule.rule.severity
$this.Description = $Rule.rule.description
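Review bot: The added line reads the parameter as `$rule.Rule.ident` while the surrounding lines use `$Rule.Id`, `$Rule.Title` and `$Rule.rule.severity`; PowerShell resolves this case-insensitively, but the lower-case form looks like a second variable to a reader, so `$this.LegacyId = ($Rule.Rule.ident | Where-Object -FilterScript {$PSItem.'#text' -match '^V-'}).'#text'` keeps the constructor consistent. Because `$LegacyId` is declared `[string]`, a multi-element result from the filter would presumably be coerced to one space-joined string rather than failing, so a rule carrying more than one `V-` ident would get a malformed legacy id silently; a unit test covering that case, next to the single-value test added in Rule.tests.ps1, would document the intended behaviour. The constructor starts before the hunk.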
diff --git a/source/StigData/Processed/IISServer-10.0-2.1.xml b/source/StigData/Processed/IISServer-10.0-2.1.xml
index e0c1a97ea..c883cb351 100644
--- a/source/StigData/Processed/IISServer-10.0-2.1.xml
+++ b/source/StigData/Processed/IISServer-10.0-2.1.xml
@@ -1,4 +1,4 @@
-
+
<VulnDiscussion>Logging onto a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used.
@@ -6,6 +6,7 @@
An alternative to remote administration of the web server is to perform web server administration locally at the console. Local administration at the console implies physical access to the server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100103
False
If web administration is performed at the console, this check is NA.
@@ -38,6 +39,7 @@ If remote management is utilized and does not meet the criteria listed above, th
The web server contains a minimal user management function, but the web server user management function does not offer enterprise-wide user management, and user management is not the primary function of the web server. User management for the hosted applications should be done through a facility built for enterprise-wide user management, such as LDAP and Active Directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100119
False
Interview the System Administrator about the role of the IIS 10.0 web server.
@@ -56,6 +58,7 @@ If the IIS 10.0 web server is hosting an application and the SA cannot provide s
The web server must provide the capability to disable, uninstall, or deactivate functionality and services deemed non-essential to the web server mission or that adversely impact server performance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100121
False
Click “Start”.
@@ -74,6 +77,7 @@ Note: If additional software is needed, supporting documentation must be signed
<VulnDiscussion>As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. This is in addition to the anonymous web user account. The resources to which these accounts have access must also be closely monitored and controlled. Only the SA needs access to all the system’s capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files. The anonymous web user account must not have access to system resources as that account could then control the server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100139
False
Obtain a list of the user accounts with access to the system, including all local and domain accounts.
@@ -96,6 +100,7 @@ If this IIS 10 installation is supporting Microsoft Exchange, and not otherwise
When the web server does not offer a method to roll back to a clean baseline, external methods, such as a baseline snapshot or virtualizing the web server, can be used.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100147
False
Interview the System Administrator for the IIS 10.0 web server.
@@ -108,6 +113,7 @@ If documentation for a disaster recovery has not been established, this is a fin
<VulnDiscussion>The indexing service can be used to facilitate a search function for websites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100153
False
Access the IIS 10.0 Web Server.
@@ -128,6 +134,7 @@ If so, this is a finding.
<VulnDiscussion>Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100157
False
If web administration is performed at the console, this check is NA.
@@ -162,6 +169,7 @@ The web server must provide a capability to disconnect users to a hosted applica
The web server capabilities used to disconnect or disable users from connecting to hosted applications and the web server must be documented to make certain that, during an attack, the proper action is taken to conserve connectivity to any other hosted application if possible and to make certain log data is conserved for later forensic analysis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100161
False
Interview the System Administrator and Web Manager.
@@ -192,6 +200,7 @@ If the web server is not capable or cannot be configured to disconnect or disabl
The task of allocating log record storage capacity is usually performed during initial installation of the logging mechanism. The system administrator will usually coordinate the allocation of physical drive space with the web server administrator along with the physical location of the partition and disk. Refer to NIST SP 800-92 for specific requirements on log rotation and storage dependent on the impact of the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100165
False
Open the IIS 10.0 Manager.
@@ -222,6 +231,7 @@ The key web service administrative and configuration tools must only be accessib
Satisfies: SRG-APP-000380-WSR-000072, SRG-APP-000435-WSR-000147, SRG-APP-000033-WSR-000169</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100167
False
Right-click "InetMgr.exe", then click "Properties" from the "Context" menu.
@@ -257,6 +267,7 @@ If any other access is observed, this is a finding.
The web server must provide the capability to disable or deactivate network-related services deemed non-essential to the server mission, are too unsecure, or are prohibited by the PPSM CAL and vulnerability assessments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100169
False
Review programs installed on the OS.
@@ -281,6 +292,7 @@ Note: If additional software is needed and has supporting documentation signed b
<VulnDiscussion>A Denial of Service (DoS) can occur when the web server is overwhelmed and can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a DoS condition even with expected traffic from users. To avoid a DoS, the web server must be tuned to handle the expected traffic for the hosted applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100173
False
If the IIS 10.0 web server is not hosting any applications, this is Not Applicable.
@@ -310,6 +322,7 @@ If explicit settings are not configured for "URIEnableCache", "UriMaxUriBytes" a
NIST SP 800-52 defines the approved TLS versions for government applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100179
False
Review the web server documentation and deployed configuration to determine which version of TLS is being used.
@@ -320,6 +333,7 @@ If the TLS version is not TLS 1.2 or higher, according to NIST SP 800-52, or if
<VulnDiscussion>Anonymous SMTP relays are strictly prohibited. An anonymous SMTP relay can be a vector for many types of malicious activity not limited to server exploitation for the sending of SPAM mail, access to emails, phishing, DoS attacks, etc. Enabling TLS, authentication, and strictly assigning IP addresses that can communicate with the relay greatly reduce the risk of the implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-102895
False
Interview the System Administrator about the role of the IIS 10.0 web server.
@@ -344,6 +358,7 @@ Without sufficient information establishing when the log event occurred, investi
Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000093-WSR-000053, SRG-APP-000095-WSR-000056, SRG-APP-000096-WSR-000057, SRG-APP-000097-WSR-000058, SRG-APP-000097-WSR-000059</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100105
Date,Time,ClientIP,UserName,Method,UriQuery,HttpStatus,Referer
@@ -371,6 +386,7 @@ In IIS 10.0, the administrator has the option of sending logging information to
Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000108-WSR-000166, SRG-APP-000358-WSR-000063</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100107
@@ -396,6 +412,7 @@ Ascertaining the success or failure of an event is important during forensic ana
Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100111
RequestHeader
@@ -430,6 +447,7 @@ Determining user accounts, processes running on behalf of the user, and running
Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100113
RequestHeader
@@ -467,6 +485,7 @@ Ascertaining the correct source (e.g., source IP), of the events is important du
A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every loggable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100109
False
Interview the System Administrator to review the configuration of the IIS 10.0 architecture and determine if inbound web traffic is passed through a proxy.
@@ -497,6 +516,7 @@ If provisions have been made to log the client IP via another field (i.e., utili
Satisfies: SRG-APP-000120-WSR-000070, SRG-APP-000118-WSR-000068, SRG-APP-000118-WSR-000069</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100115
False
This check does not apply to service account IDs utilized by automated services necessary to process, manage, and store log files.
@@ -515,6 +535,7 @@ Administrators - Full Control
<VulnDiscussion>Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system, or onto separate media than the system on which the web server is running, helps to ensure the log records will be retained in the event of a catastrophic system failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100117
False
The IIS 10.0 web server and website log files should be backed up by the system backup.
@@ -540,6 +561,7 @@ If the paths of all log files are not part of the system backup and/or not backe
<VulnDiscussion>A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that also proxy requests into an otherwise protected network is a common attack, making the attack anonymous.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100123
False
Open the IIS 10.0 Manager.
@@ -560,6 +582,7 @@ If “Enable proxy" is selected under the "Application Request Routing" settings
<VulnDiscussion>Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (i.e., compiled code, scripts, web content, etc.). Delete all directories containing samples and any scripts used to execute the samples.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100125
False
Navigate to the following folders:
@@ -578,6 +601,7 @@ These accounts become inactive, are not monitored through regular use, and passw
The accounts used for web server features not installed must not be created and must be deleted when these features are uninstalled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100127
False
Access the IIS 10.0 web server.
@@ -596,6 +620,7 @@ If any local accounts are present and were created by features which have been u
Individual productivity tools have no legitimate place or use on an enterprise production web server and are prone to security risks. The web server installation process must provide options allowing the installer to choose which utility programs, services, and modules are to be installed or removed. By having a process for installation and removal, the web server is guaranteed to be in a more stable and secure state than if these services and programs were installed and removed manually.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100129
False
Consult with the System Administrator and review all of the IIS 10.0 and Operating System features installed.
@@ -610,6 +635,7 @@ If any unnecessary Operating System features are installed, this is a finding.
<VulnDiscussion>This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the website to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance the use of the certificate is valid, and therefore; the entire purpose of using a certificate is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100135
False
Open the IIS 10.0 Manager.
@@ -630,6 +656,7 @@ Some mobile code technologies in use in today's applications are: Java, JavaScri
Source code for a Java program is often stored in files with either .java or .jpp file extensions. From the .java and .jpp files the Java compiler produces a binary file with an extension of .class. The .java or .jpp file could therefore reveal sensitive information regarding an application's logic and permissions to resources on the server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100137
False
Search the system for files with either .java or .jpp extensions.
@@ -642,6 +669,7 @@ If files with .java or .jpp extensions are found, this is a finding.
By moving the management functionality, the possibility of accidental discovery of the management functions by non-privileged users during hosted application use is minimized.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100141
False
Review the IIS 10.0 web server configuration with the System Administrator.
@@ -662,6 +690,7 @@ If the IIS 10.0 web server management and the application's management functiona
A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as non-secure zones. Non-secure zones are defined as any IP, subnet, or region defined as a threat to the organization. The non-secure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from non-secure zones through internal web server access lists, the web server can stop or slow denial of service (DoS) attacks on the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100159
False
Note: This requirement applies to the Web Management Service. If the Web Management Service is not installed, this is Not Applicable.
@@ -684,6 +713,7 @@ If "IP Address Restrictions" are not configured or IP ranges configured to "Allo
<VulnDiscussion>The use of IPP on an IIS web server allows client access to shared printers. This privileged access could allow remote code execution by increasing the web servers attack surface. Additionally, since IPP does not support SSL, it is considered a risk and will not be deployed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100171
False
If the Print Services role and the Internet Printing role are not installed, this check is Not Applicable.
@@ -710,6 +740,7 @@ The first things an attacker will try when presented with a logon screen are the
Service accounts or system accounts that have no logon capability do not need to have passwords set or changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100181
False
Access the IIS 10.0 web server.
@@ -728,6 +759,7 @@ If passwords have not been changed from the default, this is a finding.<VulnDiscussion>Authorization rules can be configured at the server, website, folder (including Virtual Directories), or file level. It is recommended that URL Authorization be configured to only grant access to the necessary security principals. Configuring a global Authorization rule that restricts access ensures inheritance of the settings down through the hierarchy of web directories. This will ensure access to current and future content is only granted to the appropriate principals, mitigating risk of unauthorized access. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100185
False
Open the IIS 10.0 Manager.
@@ -744,6 +776,7 @@ If .NET is not installed, this is Not Applicable.
<VulnDiscussion>Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a Denial of Service (DoS) attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive (i.e., a parameter used to limit the amount of time a connection may be inactive).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100187
False
Access the IIS 10.0 IIS Manager.
@@ -765,6 +798,7 @@ If the maxconnections parameter is set to zero, this is a finding.
<VulnDiscussion>HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public "Whitelist". If the browser does not support HSTS, it will be ignored.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100189
False
Access the IIS 10.0 Web Server.
@@ -797,6 +831,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.exe
False
+ V-100131
application/octet-stream
False
@@ -818,6 +853,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.dll
False
+ V-100131
application/x-msdownload
False
@@ -839,6 +875,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.com
False
+ V-100131
application/octet-stream
False
@@ -860,6 +897,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.bat
False
+ V-100131
application/x-bat
False
@@ -881,6 +919,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.csh
False
+ V-100131
application/x-csh
False
@@ -963,6 +1002,7 @@ If any OS shell MIME types are configured, this is a finding.
True
False
+ V-100163
False
%SystemDrive%\inetpub
@@ -992,6 +1032,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
+ V-100177.a
False
Access the IIS 10.0 Web Server.
@@ -1028,6 +1069,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
+ V-100177.b
False
Access the IIS 10.0 Web Server.
@@ -1064,6 +1106,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
+ V-100177.c
False
Access the IIS 10.0 Web Server.
@@ -1100,6 +1143,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
+ V-100177.d
False
Access the IIS 10.0 Web Server.
@@ -1136,6 +1180,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
+ V-100177.e
False
Access the IIS 10.0 Web Server.
@@ -1172,6 +1217,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
+ V-100177.f
False
Access the IIS 10.0 Web Server.
@@ -1208,6 +1254,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
+ V-100177.g
False
Access the IIS 10.0 Web Server.
@@ -1244,6 +1291,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
+ V-100177.h
False
Access the IIS 10.0 Web Server.
@@ -1280,6 +1328,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
+ V-100177.i
False
Access the IIS 10.0 Web Server.
@@ -1322,6 +1371,7 @@ Satisfies: SRG-APP-000223-WSR-000011, SRG-APP-000220-WSR-000201</VulnDiscussi
False
cookieless
+ V-100143
False
Open the IIS 10.0 Manager.
@@ -1349,6 +1399,7 @@ When using the URI mode for cookie settings under session state, IIS will reject
False
timeout
+ V-100145
True
'{0}' -le '00:20:00'
Under Time-out (in minutes), verify “20 minutes or less” is selected.
@@ -1363,6 +1414,7 @@ When using the URI mode for cookie settings under session state, IIS will reject
V-218804
False
cookieless
+ V-100145
False
From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".
@@ -1375,6 +1427,7 @@ Verify the "cookieless" is set to "UseCookies".
False
validation
+ V-100149
False
Open the IIS 10.0 Manager.
@@ -1391,6 +1444,7 @@ Verify "HMACSHA256"
False
decryption
+ V-100149
False
Open the IIS 10.0 Manager.
@@ -1407,6 +1461,7 @@ If .NET is not installed, this is Not Applicable.
False
enabled
+ V-100151
False
Open the IIS 10.0 Manager.
@@ -1426,6 +1481,7 @@ If “Directory Browsing” is not disabled, this is a finding.
False
errormode
+ V-100155
False
Open the IIS 10.0 Manager.
@@ -1445,6 +1501,7 @@ If the feature setting is not set to “Detailed errors for local requests and c
False
keepSessionIdSecure
+ V-100175
False
Open the IIS 10.0 Manager.
@@ -1468,6 +1525,7 @@ If the "keepSessionIdSecure" is not set to "True", this is a finding.
False
notListedCgisAllowed
+ V-100183
False
Open the IIS 10.0 Manager.
@@ -1483,6 +1541,7 @@ Verify the "Allow unspecified CGI modules" check box is not checked
False
notListedIsapisAllowed
+ V-100183
False
Open the IIS 10.0 Manager.
@@ -1501,6 +1560,7 @@ WebDAV is not widely used and has serious security concerns because it may allow
Absent
False
+ V-100133
Web-DAV-Publishing
False
diff --git a/source/StigData/Processed/IISServer-8.5-2.1.xml b/source/StigData/Processed/IISServer-8.5-2.1.xml
index 822f454cd..f7b1ee70f 100644
--- a/source/StigData/Processed/IISServer-8.5-2.1.xml
+++ b/source/StigData/Processed/IISServer-8.5-2.1.xml
@@ -1,4 +1,4 @@
-
+
<VulnDiscussion>Logging onto a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used.
@@ -6,6 +6,7 @@
An alternative to remote administration of the web server is to perform web server administration locally at the console. Local administration at the console implies physical access to the server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76679
False
If web administration is performed at the console, this check is NA.
@@ -38,6 +39,7 @@ If remote management is utilized and does not meet the criteria listed above, th
The web server contains a minimal user management function, but the web server user management function does not offer enterprise-wide user management, and user management is not the primary function of the web server. User management for the hosted applications should be done through a facility that is built for enterprise-wide user management, like LDAP and Active Directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76699
False
Interview the System Administrator about the role of the IIS 8.5 web server.
@@ -56,6 +58,7 @@ If the IIS 8.5 web server is hosting an application and the SA cannot provide su
The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76701
False
Click on “Start”.
@@ -74,6 +77,7 @@ Note: If additional software is needed supporting documentation must be signed b
<VulnDiscussion>As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. This is in addition to the anonymous web user account. The resources to which these accounts have access must also be closely monitored and controlled. Only the SA needs access to all the system’s capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files. The anonymous web user account must not have access to system resources as that account could then control the server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76719
False
Obtain a list of the user accounts with access to the system, including all local and domain accounts.
@@ -94,6 +98,7 @@ If undocumented non-administrator access to shell scripts and operating system f
When the web server does not offer a method to roll back to a clean baseline, external methods, such as a baseline snapshot or virtualizing the web server, can be used.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76729
False
Interview the System Administrator for the IIS 8.5 web server.
@@ -106,6 +111,7 @@ If documentation for a disaster recovery has not been established, this is a fin
<VulnDiscussion>The indexing service can be used to facilitate a search function for websites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76735
False
Access the IIS 8.5 Web Server.
@@ -126,6 +132,7 @@ If so, this is a finding.
<VulnDiscussion>Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76739
False
If web administration is performed at the console, this check is Not Applicable.
@@ -160,6 +167,7 @@ The web server must provide a capability to disconnect users to a hosted applica
The web server capabilities used to disconnect or disable users from connecting to hosted applications and the web server must be documented to make certain that, during an attack, the proper action is taken to conserve connectivity to any other hosted application if possible and to make certain log data is conserved for later forensic analysis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76743
False
Interview the System Administrator and Web Manager.
@@ -190,6 +198,7 @@ If the web server is not capable of or cannot be configured to disconnect or dis
The task of allocating log record storage capacity is usually performed during initial installation of the logging mechanism. The system administrator will usually coordinate the allocation of physical drive space with the web server administrator along with the physical location of the partition and disk. Refer to NIST SP 800-92 for specific requirements on log rotation and storage dependent on the impact of the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76747
False
Open the IIS 8.5 Manager.
@@ -220,6 +229,7 @@ The key web service administrative and configuration tools must only be accessib
Satisfies: SRG-APP-000380-WSR-000072, SRG-APP-000435-WSR-000147, SRG-APP-000033-WSR-000169</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76749
False
Right-click InetMgr.exe, then click “Properties” from the “Context” menu.
@@ -253,6 +263,7 @@ If any other access is observed, this is a finding.
The web server must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too unsecure, or are prohibited by the PPSM CAL and vulnerability assessments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76751
False
Review programs installed on the OS.
@@ -277,6 +288,7 @@ Note: If additional software is needed and has supporting documentation signed b
<VulnDiscussion>A Denial of Service (DoS) can occur when the web server is so overwhelmed that it can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a DoS condition even with expected traffic from users. To avoid a DoS, the web server must be tuned to handle the expected traffic for the hosted applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76755
False
If the IIS 8.5 web server is not hosting any applications, this is Not Applicable.
@@ -306,6 +318,7 @@ If explicit settings are not configured for "URIEnableCache", "UriMaxUriBytes" a
NIST SP 800-52 defines the approved TLS versions for government applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76761
False
Review the web server documentation and deployed configuration to determine which version of TLS is being used.
@@ -316,6 +329,7 @@ If the TLS version is not TLS 1.2 or higher, according to NIST SP 800-52, or if
<VulnDiscussion>Anonymous SMTP relays are strictly prohibited. An anonymous SMTP relay can be a vector for many types of malicious activity not limited to server exploitation for the sending of SPAM mail, access to emails, phishing, DoS attacks, etc. Enabling TLS, authentication, and strictly assigning IP addresses that can communicate with the relay greatly reduce the risk of the implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-102893
False
Interview the System Administrator about the role of the IIS 8.5 web server.
@@ -340,6 +354,7 @@ Without sufficient information establishing when the log event occurred, investi
Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000093-WSR-000053, SRG-APP-000095-WSR-000056, SRG-APP-000096-WSR-000057, SRG-APP-000097-WSR-000058, SRG-APP-000097-WSR-000059</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76681
Date,Time,ClientIP,UserName,Method,UriQuery,HttpStatus,Referer
@@ -367,6 +382,7 @@ In IIS 8.5, the administrator has the option of sending logging information to E
Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000108-WSR-000166, SRG-APP-000358-WSR-000063</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76683
@@ -392,6 +408,7 @@ Ascertaining the success or failure of an event is important during forensic ana
Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76687
RequestHeader
@@ -435,6 +452,7 @@ Determining user accounts, processes running on behalf of the user, and running
Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76689
RequestHeader
@@ -473,6 +491,7 @@ Ascertaining the correct source, e.g. source IP, of the events is important duri
A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every logable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76685
False
Interview the System Administrator to review the configuration of the IIS 8.5 architecture and determine if inbound web traffic is passed through a proxy.
@@ -501,6 +520,7 @@ If provisions have been made to log the client IP via another field (i.e., utili
<VulnDiscussion>A major tool in exploring the website use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Failure to protect log files could enable an attacker to modify the log file data or falsify events to mask an attacker's activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76695
False
This check does not apply to service account IDs utilized by automated services necessary to process, manage, and store log files.
@@ -524,6 +544,7 @@ If log access is not restriced as listed above, this is a finding.
<VulnDiscussion>Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76697
False
The IIS 8.5 web server and website log files should be backed up by the system backup.
@@ -550,6 +571,7 @@ If the paths of all log files are not part of the system backup and/or not backe
<VulnDiscussion>A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76703
False
Open the IIS 8.5 Manager.
@@ -570,6 +592,7 @@ If “Enable proxy" is selected under the "Application Request Routing" settings
<VulnDiscussion>Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (i.e., compiled code, scripts, web content, etc.). Delete all directories containing samples and any scripts used to execute the samples.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76705
False
Navigate to the following folders:
@@ -588,6 +611,7 @@ These accounts become inactive, are not monitored through regular use, and passw
The accounts used for web server features not installed must not be created and must be deleted when these features are uninstalled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76707
False
Access the IIS 8.5 web server.
@@ -606,6 +630,7 @@ If any local accounts are present and were created by features which have been u
Individual productivity tools have no legitimate place or use on an enterprise, production web server and they are also prone to their own security risks. The web server installation process must provide options allowing the installer to choose which utility programs, services, and modules are to be installed or removed. By having a process for installation and removal, the web server is guaranteed to be in a more stable and secure state than if these services and programs were installed and removed manually.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76709
False
Consult with the System Administrator and review all of the IIS 8.5 and Operating System features installed.
@@ -620,6 +645,7 @@ If any unnecessary Operating System features are installed, this is a finding.
<VulnDiscussion>This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the website to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76715
False
Open the IIS 8.5 Manager.
@@ -636,6 +662,7 @@ Some mobile code technologies in use in today's applications are: Java, JavaScri
Source code for a Java program is, many times, stored in files with either .java or .jpp file extensions. From the .java and .jpp files the Java compiler produces a binary file with an extension of .class. The .java or .jpp file could therefore reveal sensitive information regarding an application's logic and permissions to resources on the server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76717
False
Search the system for files with either .java or .jpp extensions.
@@ -648,6 +675,7 @@ If files with .java or .jpp extensions are found, this is a finding.
By moving the management functionality, the possibility of accidental discovery of the management functions by non-privileged users during hosted application use is minimized.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76721
False
Review the IIS 8.5 web server configuration with the System Administrator.
@@ -666,6 +694,7 @@ If the IIS 8.5 web server management and the application's management functional
A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones, through internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76741
False
Note: This requirement applies to the Web Management Service. If the Web Management Service is not installed, this is Not Applicable.
@@ -688,6 +717,7 @@ If "IP Address Restrictions" are not configured or IP ranges configured to be "A
<VulnDiscussion>The use of Internet Printing Protocol (IPP) on an IIS web server allows client’s access to shared printers. This privileged access could allow remote code execution by increasing the web servers attack surface. Additionally, since IPP does not support SSL, it is considered a risk and will not be deployed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76753
False
If the Print Services role and the Internet Printing role are not installed, this check is Not Applicable.
@@ -714,6 +744,7 @@ The first things an attacker will try when presented with a logon screen are the
Service accounts or system accounts that have no logon capability do not need to have passwords set or changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76765
False
Access the IIS 8.5 web server.
@@ -732,6 +763,7 @@ If passwords have not been changed from the default, this is a finding.<VulnDiscussion>Authorization rules can be configured at the server, website, folder (including Virtual Directories), or file level. It is recommended that URL Authorization be configured to only grant access to the necessary security principals. Configuring a global Authorization rule that restricts access ensures inheritance of the settings down through the hierarchy of web directories. This will ensure access to current and future content is only granted to the appropriate principals, mitigating risk of unauthorized access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76771
False
Open the IIS 8.5 Manager.
@@ -750,6 +782,7 @@ If the server is hosting WSUS, this is Not Applicable.
<VulnDiscussion>Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a Denial of Service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive (i.e., a parameter used to limit the amount of time a connection may be inactive).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-95633
False
Access the IIS 8.5 IIS Manager.
@@ -779,6 +812,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.exe
False
+ V-76711
application/octet-stream
False
@@ -800,6 +834,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.dll
False
+ V-76711
application/x-msdownload
False
@@ -821,6 +856,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.com
False
+ V-76711
application/octet-stream
False
@@ -842,6 +878,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.bat
False
+ V-76711
application/x-bat
False
@@ -863,6 +900,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.csh
False
+ V-76711
application/x-csh
False
@@ -945,6 +983,7 @@ If any OS shell MIME types are configured, this is a finding.
True
False
+ V-76745
False
%SystemDrive%\inetpub
@@ -973,6 +1012,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
+ V-76759.a
False
Access the IIS 8.5 Web Server.
@@ -1010,6 +1050,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
+ V-76759.b
False
Access the IIS 8.5 Web Server.
@@ -1047,6 +1088,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
+ V-76759.c
False
Access the IIS 8.5 Web Server.
@@ -1084,6 +1126,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
+ V-76759.d
False
Access the IIS 8.5 Web Server.
@@ -1121,6 +1164,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
+ V-76759.e
False
Access the IIS 8.5 Web Server.
@@ -1158,6 +1202,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
+ V-76759.f
False
Access the IIS 8.5 Web Server.
@@ -1195,6 +1240,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
+ V-76759.g
False
Access the IIS 8.5 Web Server.
@@ -1232,6 +1278,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
+ V-76759.h
False
Access the IIS 8.5 Web Server.
@@ -1269,6 +1316,7 @@ NIST SP 800-52 specifies the preferred configurations for government systems.<
Present
False
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
+ V-76759.i
False
Access the IIS 8.5 Web Server.
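Review bot: The LegacyId written for the split registry rules carries a PowerSTIG-style suffix (`V-76759.i` at L811, `.a`–`.h` in the preceding hunks), while the other rules in this file that were split from one STIG check get the bare id — the five MIME rules at L714–L742 all carry `V-76711`, and the cookieless/timeout pair at L824 and L830 both carry `V-76727`. DISA's legacy ident is, to my knowledge, a bare V-number, so a consumer mapping an old checklist by exact match on LegacyId will find the MIME rules but none of the nine V-76759 rules, and a consumer that strips the suffix ends up with nine rules sharing one LegacyId, which is what the bare convention already yields elsewhere. Whichever convention is intended should be applied uniformly by the converter (not part of this diff; the suffix presumably comes from the split rule id) and stated in the LegacyId documentation, e.g. `LegacyId is the DISA legacy Vuln ID as published; it is not unique across rules split from one STIG check, so key on the rule id and use LegacyId only for prefix lookup (^V-\d+)`. The enclosing Rule element starts and ends outside this hunk.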
@@ -1308,6 +1356,7 @@ Cookies associate session information with client information for the duration o
False
cookieless
+ V-76725
False
Note: If IIS 8.5 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable.
@@ -1336,6 +1385,7 @@ Cookies associate session information with client information for the duration o
V-214419
False
cookieless
+ V-76727
False
Note: If IIS 8.5 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable.
@@ -1359,6 +1409,7 @@ Cookies associate session information with client information for the duration o
False
timeout
+ V-76727
True
'{0}' -le '00:20:00'
Note: If IIS 8.5 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable.
@@ -1380,6 +1431,7 @@ If the "Use Cookies” mode is selected and Time-out (in minutes) is configured
False
validation
+ V-76731
False
If .NET is not installed, this is Not Applicable.
@@ -1396,6 +1448,7 @@ Verify "HMACSHA256"
False
decryption
+ V-76731
False
If .NET is not installed, this is Not Applicable.
@@ -1412,6 +1465,7 @@ If "HMACSHA256" or stronger encryption is not selected for the Validation method
False
enabled
+ V-76733
False
If the Directory Browsing IIS Feature is disabled, this is Not Applicable.
@@ -1430,6 +1484,7 @@ If “Directory Browsing” is not disabled, this is a finding.
False
errormode
+ V-76737
False
Open the IIS 8.5 Manager.
@@ -1449,6 +1504,7 @@ If the feature setting is not set to “Detailed errors for local requests and c
False
keepSessionIdSecure
+ V-76757
False
Open the IIS 8.5 Manager.
@@ -1472,6 +1528,7 @@ If the "keepSessionIdSecure" is not set to "True", this is a finding.
False
notListedCgisAllowed
+ V-76769
False
Open the IIS 8.5 Manager.
@@ -1487,6 +1544,7 @@ Verify the "Allow unspecified CGI modules" check box is not checked
False
notListedIsapisAllowed
+ V-76769
False
Open the IIS 8.5 Manager.
@@ -1505,6 +1563,7 @@ WebDAV is not widely used and has serious security concerns because it may allow
Absent
False
+ V-76713
Web-DAV-Publishing
False
diff --git a/source/StigData/Processed/IISSite-10.0-2.1.xml b/source/StigData/Processed/IISSite-10.0-2.1.xml
index 6d542c110..2d8e799b8 100644
--- a/source/StigData/Processed/IISSite-10.0-2.1.xml
+++ b/source/StigData/Processed/IISSite-10.0-2.1.xml
@@ -1,4 +1,4 @@
-
+
<VulnDiscussion>IIS 10.0 will either allow or deny script execution based on file extension. The ability to control script execution is controlled through two features with IIS 10.0, Request Filtering and Handler Mappings.
@@ -6,6 +6,7 @@
For Handler Mappings, the ISSO must document and approve all allowable file extensions the website allows (white list) and denies (black list). The white list and black list will be compared to the Handler Mappings in IIS 8. Handler Mappings at the site level take precedence over Handler Mappings at the server level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100209
False
For Handler Mappings, the ISSO must document and approve all allowable scripts the website allows (white list) and denies (black list). The white list and black list will be compared to the Handler Mappings in IIS 10.0. Handler Mappings at the site level take precedence over Handler Mappings at the server level.
@@ -24,6 +25,7 @@ If any script file extensions from the black list are enabled, this is a finding
For Request Filtering, the ISSO must document and approve all allowable file extensions the website allows (white list) and denies (black list) by the website. The white list and black list will be compared to the Request Filtering in IIS 10.0. Request Filtering at the site level take precedence over Request Filtering at the server level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100211
False
For Request Filtering, the ISSO must document and approve all allowable scripts the website allows (white list) and denies (black list). The white list and black list will be compared to the Request Filtering in IIS 10.0. Request Filtering at the site level take precedence over Request Filtering at the server level.
@@ -44,6 +46,7 @@ If any script file extensions from the black list are not denied, this is a find
Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100217
False
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -70,6 +73,7 @@ The web server must provide a capability to disconnect users to a hosted applica
The web server capabilities used to disconnect or disable users from connecting to hosted applications and the web server must be documented to make certain that during an attack, the proper action is taken to conserve connectivity to any other hosted application if possible and to make certain log data is conserved for later forensic analysis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100249
False
Interview the System Administrator and Web Manager.
@@ -100,6 +104,7 @@ If there are not documented procedures with, at a minimum, the mentioned steps f
The task of allocating log record storage capacity is usually performed during initial installation of the logging mechanism. The system administrator will usually coordinate the allocation of physical drive space with the web server administrator along with the physical location of the partition and disk. Refer to NIST SP 800-92 for specific requirements on log rotation and storage dependent on the impact of the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100251
False
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -130,6 +135,7 @@ Failure to comply with DoD ports, protocols, and services (PPS) requirements can
The ISSM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, PPSM, and the associated PPS Assurance Category Assignments List.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100253
False
Review the website to determine if HTTP and HTTPs (e.g., 80 and 443) are used in accordance with those ports and services registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM.
@@ -154,6 +160,7 @@ In IIS 10.0, the administrator has the option of sending logging information to
Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000108-WSR-000166</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100199
@@ -184,6 +191,7 @@ Ascertaining the success or failure of an event is important during forensic ana
Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100203
RequestHeader
@@ -226,6 +234,7 @@ Determining user accounts, processes running on behalf of the user, and running
Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100205
RequestHeader
@@ -272,6 +281,7 @@ Ascertaining the correct source (e.g., source IP), of the events is important du
A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every loggable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100201
False
Interview the System Administrator to review the configuration of the IIS 10.0 architecture and determine if inbound web traffic is passed through a proxy.
@@ -300,6 +310,7 @@ If provisions have been made to log the client IP via another field (i.e., utili
<VulnDiscussion>Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather users are assigned incorrect permissions to unauthorized data. The files, directories, and data stored on the web server must be evaluated and a determination made concerning authorized access to information and programs on the server. Only authorized users and administrative accounts will be allowed on the host server in order to maintain the web server, applications, and review the server operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100221
False
Check the account used for anonymous access to the website.
@@ -349,6 +360,7 @@ If the IUSR account or any account noted above used for anonymous access is a me
<VulnDiscussion>The web document (home) directory is accessed by multiple anonymous users when the web server is in production. By locating the web document (home) directory on the same partition as the web server system file, the risk for unauthorized access to these protected files is increased. Additionally, having the web document (home) directory path on the same drive as the system folders also increases the potential for a drive space exhaustion attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100225
False
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -369,6 +381,7 @@ Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not ot
<VulnDiscussion>The use of a DoD PKI certificate ensures clients the private website they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100255
False
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -395,6 +408,7 @@ If HTTPS is not an available type under site bindings, and the Web Server ONLY c
<VulnDiscussion>Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100263
False
Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.
@@ -413,6 +427,7 @@ If any Application Pools are being used for more than one website, this is a fin
<VulnDiscussion>CGI and ASP scripts represent one of the most common and exploitable means of compromising a web server. All CGI and ASP program files must be segregated into their own unique folder to simplify the protection of these files. ASP scripts must be placed into a unique folder only containing other ASP scripts. JAVA and other technology-specific scripts must also be placed into their own unique folders. The placement of CGI, ASP, or equivalent scripts to special folders gives the Web Manager or the System Administrator (SA) control over what goes into those folders and to facilitate access control at the folder level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100279
False
Determine whether scripts are used on the web server for the target website. Common file extensions include, but are not limited to: .cgi, .pl, .vbs, .class, .c, .php, and .asp.
@@ -433,6 +448,7 @@ If scripts are not segregated from web content and in their own unique folders,
The use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the System Administrator (SA) or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100281
False
Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, and .asp.
@@ -465,6 +481,7 @@ If the permissions are less restrictive than listed above, this is a finding.<VulnDiscussion>Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as the actual script being executed and, as such, are useful to malicious users. Techniques and systems exist today to search web servers for such files and are able to exploit the information contained in them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100283
False
Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. The scope of this requirement is to analyze only within the web server content directories, not the entire underlying operating system.
@@ -485,6 +502,7 @@ If files with these extensions are found, this is a finding.
<VulnDiscussion>A consent banner will be in place to inform prospective entrants the website they are about to enter is a DoD website and their activity is subject to monitoring. The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html) or navigation to the website via a browser can be used to confirm the information provided from interviewing the web staff.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100285
False
Note: This requirement is only applicable for private DoD websites.
@@ -527,6 +545,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.exe
False
+ V-100207
application/octet-stream
False
@@ -549,6 +568,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.dll
False
+ V-100207
application/x-msdownload
False
@@ -571,6 +591,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.com
False
+ V-100207
application/octet-stream
False
@@ -593,6 +614,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.bat
False
+ V-100207
application/x-bat
False
@@ -615,6 +637,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.csh
False
+ V-100207
application/x-csh
False
@@ -635,6 +658,7 @@ If any OS shell MIME types are configured, this is a finding.
NIST SP 800-52 specifies the preferred configurations for government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100195
False
Note: If the server being reviewed is a public IIS 10.0 web server, this is Not Applicable.
@@ -657,6 +681,7 @@ If the "Require SSL" check box is not selected, this is a finding.
NIST SP 800-52 specifies the preferred configurations for government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
V-218737
False
+ V-100197
False
Note: If the server being reviewed is a private IIS 10.0 web server, this is Not Applicable.
@@ -680,6 +705,7 @@ If the "Require SSL" check box is not selected, this is a finding.
Satisfies: SRG-APP-000172-WSR-000104, SRG-APP-000224-WSR-000135, SRG-APP-000427-WSR-000186</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100219
False
Note: If the server being reviewed is a public IIS 10.0 web server, this is Not Applicable.
@@ -702,6 +728,7 @@ If the "Clients Certificate Required" check box is not selected, this is a findi
Satisfies: SRG-APP-000429-WSR-000113, SRG-APP-000439-WSR-000151, SRG-APP-000441-WSR-000181, SRG-APP-000442-WSR-000182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-100257
False
Note: If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 10.0 server, and the IIS 10.0 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server.
@@ -737,6 +764,7 @@ By default, the World Wide Web (WWW) service establishes an overlapped recycle,
False
idleTimeout
+ V-100245
True
[TimeSpan]{0} -le [TimeSpan]'00:20:00' -and [TimeSpan]{0} -gt [TimeSpan]'00:00:00'
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -755,6 +783,7 @@ If the "Idle Time-out" is set to "0", this is a finding.
False
restartRequestsLimit
+ V-100265
True
{0} -ne 0
Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.
@@ -780,6 +809,7 @@ If the "Request Limit" is set to a value of "0", this is a finding.
False
restartMemoryLimit
+ V-100267
True
{0} -ne 0
Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.
@@ -805,6 +835,7 @@ If the value for "Virtual Memory Limit" is set to "0", this is a finding.
False
restartPrivateMemoryLimit
+ V-100269
True
{0} -ne 0
Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.
@@ -830,6 +861,7 @@ If the "Private Memory Limit" is set to a value of "0", this is a finding.
False
logEventOnRecycle
+ V-100271
False
Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.
@@ -856,6 +888,7 @@ If both the "Regular time interval" and "Specific time" options are not set to "
False
pingingEnabled
+ V-100273
False
Open the Internet Information Services (IIS) Manager.
@@ -876,6 +909,7 @@ If the value for "Ping Enabled" is not set to "True", this is a finding.
False
rapidFailProtection
+ V-100275
False
Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.
@@ -900,6 +934,7 @@ If the "Rapid Fail Protection:Enabled" is not set to "True", this is a finding.<
False
rapidFailProtectionInterval
+ V-100277
True
[TimeSpan]{0} -le [TimeSpan]'00:05:00'
Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.
@@ -932,6 +967,7 @@ ASP.NET provides a session state, which is available as the HttpSessionState cla
False
mode
+ V-100191
False
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -973,6 +1009,7 @@ When using the URI mode for cookie settings under session state, IIS will reject
False
cookieless
+ V-100193
False
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -1001,6 +1038,7 @@ The session ID generator must be a FIPS 140-2-approved generator.</VulnDiscus
V-218735
False
mode
+ V-100223
False
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -1036,6 +1074,7 @@ If the system being reviewed is part of a Web Farm, interview the System Adminis
False
maxUrl
+ V-100227
True
{0} -le 4096
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -1058,6 +1097,7 @@ If the "maxUrl" value is not set to "4096" or less, this is a finding.
False
maxAllowedContentLength
+ V-100229
True
{0} -le 30000000
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -1080,6 +1120,7 @@ If the "maxAllowedContentLength" value is not explicitly set to "30000000" or le
False
maxQueryString
+ V-100231
True
{0} -le 2048
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -1102,6 +1143,7 @@ If the "Maximum Query String" value is not set to "2048" or less, this is a find
False
allowHighBitCharacters
+ V-100233
False
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -1125,6 +1167,7 @@ Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not ot
False
allowDoubleEscaping
+ V-100235
False
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -1146,6 +1189,7 @@ If the "Allow double escaping" check box is checked, this is a finding.
False
allowUnlisted
+ V-100237
False
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -1169,6 +1213,7 @@ Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not ot
False
enabled
+ V-100239
False
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -1190,6 +1235,7 @@ If "Directory Browsing" is not "Disabled", this is a finding.
False
errormode
+ V-100241
False
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -1211,6 +1257,7 @@ If any error message is not set to "Detailed errors for local requests and custo
False
debug
+ V-100243
False
Note: If the ".NET feature" is not installed, this check is Not Applicable.
@@ -1236,6 +1283,7 @@ Acceptable values are 5 minutes for high-value applications, 10 minutes for medi
False
timeout
+ V-100247
True
'{0}' -le '00:20:00'
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -1261,6 +1309,7 @@ If "timeout" is not set to "00:20:00 or less”, this is a finding.
False
keepSessionIdSecure
+ V-100259
False
Follow the procedures below for each site hosted on the IIS 10.0 web server:
@@ -1288,6 +1337,7 @@ Satisfies: SRG-APP-000439-WSR-000154, SRG-APP-000439-SSR-000155, SRG-APP-000439-
False
requireSSL
+ V-100261
False
From the "Section:" drop-down list, select "system.web/httpCookies".
@@ -1302,6 +1352,7 @@ Satisfies: SRG-APP-000439-WSR-000154, SRG-APP-000439-SSR-000155, SRG-APP-000439-
False
compressionEnabled
+ V-100261
False
From the "Section:" drop-down list, select "system.web/sessionState".
@@ -1317,6 +1368,7 @@ WebDAV is not widely used and has serious security concerns because it may allow
Absent
False
+ V-100213
Web-DAV-Publishing
False
diff --git a/source/StigData/Processed/IISSite-8.5-2.1.xml b/source/StigData/Processed/IISSite-8.5-2.1.xml
index def20de87..1dfca8ea8 100644
--- a/source/StigData/Processed/IISSite-8.5-2.1.xml
+++ b/source/StigData/Processed/IISSite-8.5-2.1.xml
@@ -1,4 +1,4 @@
-
+
<VulnDiscussion>IIS 8.5 will either allow or deny script execution based on file extension. The ability to control script execution is controlled through two features with IIS 8.5, “Request Filtering” and "Handler Mappings".
@@ -6,6 +6,7 @@
For "Request Filtering", the ISSO must document and approve all allowable file extensions the website allows (white list) and denies (black list) by the website. The white list and black list will be compared to the "Request Filtering" in IIS 8. "Request Filtering" at the site level take precedence over "Request Filtering" at the server level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76799
False
For Handler Mappings, the ISSO must document and approve all allowable scripts the website allows (white list) and denies (black list). The white list and black list will be compared to the Handler Mappings in IIS 8.5. Handler Mappings at the site level take precedence over Handler Mappings at the server level.
@@ -26,6 +27,7 @@ By not specifying which files can and which files cannot be served to a user, th
The web server must only allow hosted application file types to be served to a user and all other types must be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76801
False
For Request Filtering, the ISSO must document and approve all allowable scripts the website allows (white list) and denies (black list). The white list and black list will be compared to the Request Filtering in IIS 8.5. Request Filtering at the site level take precedence over Request Filtering at the server level.
@@ -44,6 +46,7 @@ If any script file extensions from the black list are not denied, this is a find
Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76807
False
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -68,6 +71,7 @@ The web server must provide a capability to disconnect users to a hosted applica
The web server capabilities used to disconnect or disable users from connecting to hosted applications and the web server must be documented to make certain that, during an attack, the proper action is taken to conserve connectivity to any other hosted application if possible and to make certain log data is conserved for later forensic analysis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76843
False
Interview the System Administrator and Web Manager.
@@ -98,6 +102,7 @@ If there are not documented procedures with, at a minimum, the mentioned steps f
The task of allocating log record storage capacity is usually performed during initial installation of the logging mechanism. The system administrator will usually coordinate the allocation of physical drive space with the web server administrator along with the physical location of the partition and disk. Refer to NIST SP 800-92 for specific requirements on log rotation and storage dependent on the impact of the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76845
False
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -128,6 +133,7 @@ Failure to comply with DoD ports, protocols, and services (PPS) requirements can
The ISSM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM), and the associated Ports, Protocols, and Services (PPS) Assurance Category Assignments List.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76847
False
Review the website to determine if HTTP and HTTPs (e.g., 80 and 443) are used in accordance with those ports and services registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM.
@@ -154,6 +160,7 @@ Without sufficient information establishing when the log event occurred, investi
Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000093-WSR-000053</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76783
Date,Time,ClientIP,UserName,Method,UriQuery,HttpStatus,Referer
@@ -183,6 +190,7 @@ In IIS 8.5, the administrator has the option of sending logging information to E
Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000108-WSR-000166</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76785
@@ -210,6 +218,7 @@ Ascertaining the success or failure of an event is important during forensic ana
Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76789
RequestHeader
@@ -252,6 +261,7 @@ Determining user accounts, processes running on behalf of the user, and running
Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76791
RequestHeader
@@ -298,6 +308,7 @@ Ascertaining the correct source, e.g. source IP, of the events is important duri
A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every logable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76787
False
Interview the System Administrator to review the configuration of the IIS 8.5 architecture and determine if inbound web traffic is passed through a proxy.
@@ -326,6 +337,7 @@ If provisions have been made to log the client IP via another field (i.e., utili
<VulnDiscussion>Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather users are assigned incorrect permissions to unauthorized data. The files, directories, and data that are stored on the web server need to be evaluated and a determination made concerning authorized access to information and programs on the server. Only authorized users and administrative accounts will be allowed on the host server in order to maintain the web server, applications, and review the server operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76811
False
Check the account used for anonymous access to the website.
@@ -379,6 +391,7 @@ By being able to guess session IDs, an attacker can easily perform a man-in-the-
The session ID generator also needs to be a FIPS 140-2-approved generator.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76813
False
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -411,6 +424,7 @@ If the system being reviewed is part of a Web Farm, interview the System Adminis
<VulnDiscussion>The web document (home) directory is accessed by multiple anonymous users when the web server is in production. By locating the web document (home) directory on the same partition as the web server system file the risk for unauthorized access to these protected files is increased. Additionally, having the web document (home) directory path on the same drive as the system folders also increases the potential for a drive space exhaustion attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76815
False
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -429,6 +443,7 @@ If the Path is on the same partition as the OS, this is a finding.
<VulnDiscussion>The use of a DoD PKI certificate ensures clients the private website they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76849
False
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -457,6 +472,7 @@ For systems with load balancers that perform SSL offloading, this is Not Applica
<VulnDiscussion>Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76865
False
Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.
@@ -475,6 +491,7 @@ If any Application Pools are being used for more than one website, this is a fin
<VulnDiscussion>CGI and ASP scripts represent one of the most common and exploitable means of compromising a web server. All CGI and ASP program files must be segregated into their own unique folder to simplify the protection of these files. ASP scripts must be placed into a unique folder only containing other ASP scripts. JAVA and other technology-specific scripts must also be placed into their own unique folders. The placement of CGI, ASP, or equivalent scripts to special folders gives the Web Manager or the SA control over what goes into those folders and to facilitate access control at the folder level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76885
False
Determine whether scripts are used on the web server for the target website. Common file extensions include, but are not limited to: .cgi, .pl, .vbs, .class, .c, .php, and .asp.
@@ -495,6 +512,7 @@ If scripts are not segregated from web content and in their own unique folders,
The use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76887
False
Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx.
@@ -526,6 +544,7 @@ If the permissions are less restrictive than listed above, this is a finding.
<VulnDiscussion>Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as the actual script being executed and, as such, are useful to malicious users. Techniques and systems exist today to search web servers for such files and are able to exploit the information contained in them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76889
False
Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx.
@@ -546,6 +565,7 @@ If files with these extensions are found, this is a finding.
<VulnDiscussion>A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html) or navigation to the website via a browser can be used to confirm the information provided from interviewing the web staff.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76891
False
Note: This requirement is only applicable for private DoD websites.
@@ -588,6 +608,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.exe
False
+ V-76797
application/octet-stream
False
@@ -610,6 +631,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.dll
False
+ V-76797
application/x-msdownload
False
@@ -632,6 +654,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.com
False
+ V-76797
application/octet-stream
False
@@ -654,6 +677,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.bat
False
+ V-76797
application/x-bat
False
@@ -676,6 +700,7 @@ A shell is a program that serves as the basic interface between the user and the
Absent
.csh
False
+ V-76797
application/x-csh
False
@@ -696,6 +721,7 @@ If any OS shell MIME types are configured, this is a finding.
NIST SP 800-52 specifies the preferred configurations for government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76779
False
Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.
@@ -720,6 +746,7 @@ If the "Require SSL" check box is not selected, this is a finding.
NIST SP 800-52 specifies the preferred configurations for government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
V-214446
False
+ V-76781
False
Note: If the server being reviewed is a private IIS 8.5 web server, this is Not Applicable.
@@ -741,6 +768,7 @@ If the "Require SSL" check box is not selected, this is a finding.
Satisfies: SRG-APP-000172-WSR-000104, SRG-APP-000224-WSR-000135, SRG-APP-000427-WSR-000186</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76809
False
Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.
@@ -767,6 +795,7 @@ If data is transmitted unencrypted, the data then becomes vulnerable to disclosu
Also satisfies: SRG-APP-000439-WSR-000151</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
False
+ V-76851
False
Note: If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 8.5 server, and the IIS 8.5 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server.
@@ -803,6 +832,7 @@ The web server must utilize approved encryption when receiving transmitted data.
Also satisfies: SRG-APP-000442-WSR-000182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
V-214480
False
+ V-76861
False
Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.
@@ -836,6 +866,7 @@ By default, the World Wide Web (WWW) service establishes an overlapped recycle,
False
idleTimeout
+ V-76839
True
[TimeSpan]{0} -le [TimeSpan]'00:20:00' -and [TimeSpan]{0} -gt [TimeSpan]'00:00:00'
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -855,6 +886,7 @@ If the "Idle Time-out" is set to "0", this is a finding.
False
restartRequestsLimit
+ V-76867
True
{0} -ne 0
Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.
@@ -880,6 +912,7 @@ If the "Request Limit" is set to a value of "0", this is a finding.
False
restartMemoryLimit
+ V-76869
True
{0} -ne 0
Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.
@@ -905,6 +938,7 @@ If the value for "Virtual Memory Limit" is set to "0", this is a finding.
False
restartPrivateMemoryLimit
+ V-76871
True
{0} -ne 0
Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.
@@ -930,6 +964,7 @@ If the "Private Memory Limit" is set to a value of "0", this is a finding.
False
logEventOnRecycle
+ V-76873
False
Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III.
@@ -954,6 +989,7 @@ If both the "Regular time interval" and "Specific time" options are not set to "
False
queueLength
+ V-76875
True
{0} -le 1000
Open the IIS 8.5 Manager.
@@ -975,6 +1011,7 @@ If the "Queue Length" is set to "1000" or less, this is not a finding.
False
pingingEnabled
+ V-76877
False
Open the Internet Information Services (IIS) Manager.
@@ -995,6 +1032,7 @@ If the value for "Ping Enabled" is not set to "True", this is a finding.
False
rapidFailProtection
+ V-76879
False
Open the IIS 8.5 Manager.
@@ -1015,6 +1053,7 @@ If the "Rapid Fail Protection:Enabled" is not set to "True", this is a finding.<
False
rapidFailProtectionInterval
+ V-76881
True
[TimeSpan]{0} -le [TimeSpan]'00:05:00'
Open the IIS 8.5 Manager.
@@ -1043,6 +1082,7 @@ ASP.NET provides a session state, which is available as the HttpSessionState cla
False
mode
+ V-76775
False
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -1084,6 +1124,7 @@ Cookies associate session information with client information for the duration o
False
cookieless
+ V-76777
False
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -1108,6 +1149,7 @@ Note: If IIS 8.5 server/site is used only for system-to-system maintenance, does
False
maxUrl
+ V-76817
True
{0} -le 4096
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -1130,6 +1172,7 @@ If the "maxUrl" value is not set to "4096" or less, this is a finding.
False
maxAllowedContentLength
+ V-76819
True
{0} -le 30000000
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -1153,6 +1196,7 @@ If the "maxAllowedContentLength" value is not explicitly set to "30000000" or le
False
maxQueryString
+ V-76821
True
{0} -le 2048
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -1175,6 +1219,7 @@ If the "Maximum Query String" value is not set to "2048" or less, this is a find
False
allowHighBitCharacters
+ V-76823
False
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -1196,6 +1241,7 @@ If the "Allow high-bit characters" check box is checked, this is a finding.
False
allowDoubleEscaping
+ V-76825
False
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -1217,6 +1263,7 @@ If the "Allow double escaping" check box is checked, this is a finding.
False
allowUnlisted
+ V-76827
False
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -1238,6 +1285,7 @@ If "Allow unlisted file name extensions" check box is checked, this is a finding
False
enabled
+ V-76829
False
Note: If the Directory Browsing feature is not enabled, this is Not Applicable.
@@ -1261,6 +1309,7 @@ If "Directory Browsing" is not "Disabled", this is a finding.
False
errormode
+ V-76835
False
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -1282,6 +1331,7 @@ If any error message is not set to “Detailed errors for local requests and cus
False
debug
+ V-76837
False
Note: If the ".NET feature" is not installed, this check is Not Applicable.
@@ -1307,6 +1357,7 @@ Acceptable values are 5 minutes for high-value applications, 10 minutes for medi
False
timeout
+ V-76841
True
'{0}' -le '00:20:00'
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -1334,6 +1385,7 @@ If "timeout" is not set to "00:20:00 or less”, this is a finding.
False
keepSessionIdSecure
+ V-76855
False
Follow the procedures below for each site hosted on the IIS 8.5 web server:
@@ -1369,6 +1421,7 @@ Satisfies: SRG-APP-000439-WSR-000154, SRG-APP-000439-SSR-000155, SRG-APP-000439-
False
requireSSL
+ V-76859
False
From the "Section:" drop-down list, select "system.web/httpCookies".
@@ -1391,6 +1444,7 @@ Satisfies: SRG-APP-000439-WSR-000154, SRG-APP-000439-SSR-000155, SRG-APP-000439-
False
compressionEnabled
+ V-76859
False
From the "Section:" drop-down list, select "system.web/sessionState".
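Review bot: The legacy Id added here, `V-76859`, is the same value added to the requireSSL rule in the hunk just above it, so two new-side rules now carry one legacy Id. That is expected if both are sub-rules split out of a single STIG finding (the httpCookies and sessionState checks appear to come from one check text), but if any consumer builds a lookup keyed by legacy Id the duplicate will collapse to a single entry. Please confirm the split is intentional and that legacy-Id resolution is written to tolerate a one-to-many mapping, or add a comment on the element noting the shared Id. The enclosing rule elements start and end outside the hunk, so the new-side Ids cannot be checked against them here.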
@@ -1406,6 +1460,7 @@ WebDAV is not widely used and has serious security concerns because it may allow
Absent
False
+ V-76803
Web-DAV-Publishing
False
diff --git a/source/StigData/Processed/Office-Outlook2016-2.1.xml b/source/StigData/Processed/Office-Outlook2016-2.1.xml
index 43b76a61e..6bcdcb90b 100644
--- a/source/StigData/Processed/Office-Outlook2016-2.1.xml
+++ b/source/StigData/Processed/Office-Outlook2016-2.1.xml
@@ -1,4 +1,4 @@
-
+
<VulnDiscussion>The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate website but actually opens a deceptive (spoofed) website. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.
@@ -8,6 +8,7 @@ This functionality can be controlled separately for instances of Internet Explor
Present
False
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
+ V-71109
False
Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Disable user name and password" is set to "Enabled" and 'outlook.exe' is checked.
@@ -27,6 +28,7 @@ This functionality can be controlled separately for instances of Internet Explor
Present
False
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
+ V-71111
False
Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Bind to Object" is set to "Enabled" and 'outlook.exe' is checked.
@@ -46,6 +48,7 @@ Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.Present
False
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
+ V-71113
False
Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Saved from URL" is set to "Enabled" and 'outlook.exe' is checked.
@@ -65,6 +68,7 @@ Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.Present
False
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
+ V-71115
False
Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Navigate URL" is set to "Enabled" and 'outlook.exe' is checked.
@@ -87,6 +91,7 @@ Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.Present
False
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
+ V-71117
False
Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" is set to "Enabled" and 'outlook.exe' is checked.
@@ -106,6 +111,7 @@ Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.Present
False
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
+ V-71119
False
Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Add-on Management" is set to "Enabled" and 'outlook.exe' is checked.
@@ -125,6 +131,7 @@ Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.Present
False
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
+ V-71121
False
Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Block popups" is set to "Enabled" and 'outlook.exe' is checked.
@@ -144,6 +151,7 @@ Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.Present
False
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
+ V-71123
False
Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Restrict File Download" is set to "Enabled" and 'outlook.exe' is checked.
@@ -163,6 +171,7 @@ Criteria: If the value of outlook.exe is REG_DWORD = 1, this is not a finding.
Present
False
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
+ V-71125
False
Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" is set to "Enabled" and 'outlook.exe' is checked.
@@ -182,6 +191,7 @@ Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.Present
False
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
+ V-71127
False
Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" is set to "Enabled" and 'outlook.exe' is checked.
@@ -201,6 +211,7 @@ Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal
+ V-71129
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Prevent publishing to Office.com" is set to "Enabled".
@@ -220,6 +231,7 @@ Criteria: If the value DisableOfficeOnline is REG_DWORD = 1, this is not a findi
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal
+ V-71131
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Prevent publishing to a DAV server" is set to "Enabled".
@@ -240,6 +252,7 @@ Criteria: If the value DisableDav is REG_DWORD = 1, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal
+ V-71133
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Restrict level of calendar details users can publish" is set to "Enabled (Disables 'Full details' and 'Limited details')".
@@ -259,6 +272,7 @@ Criteria: If the value PublishCalendarDetailsPolicy is REG_DWORD = 4000 (hex) or
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal
+ V-71135
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Access to published calendars" is set to "Enabled".
@@ -278,6 +292,7 @@ Criteria: If the value RestrictedAccessOnly is REG_DWORD = 1, this is not a find
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71145
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Other -> Advanced "Do not allow Outlook object model scripts to run for shared folders" is set to "Enabled".
@@ -298,6 +313,7 @@ Criteria: If the value SharedFolderScript is REG_DWORD = 0, this is not a findin
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71147
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Other -> Advanced "Do not allow Outlook object model scripts to run for public folders" is set to "Enabled".
@@ -317,6 +333,7 @@ Criteria: If the value PublicFolderScript is REG_DWORD = 0, this is not a findin
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71149
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Allow Active X One Off Forms" is set to "Enabled: Load only Outlook Controls".
@@ -336,6 +353,7 @@ Criteria: If the value AllowActiveXOneOffForms is REG_DWORD = 0, this is not a f
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71151
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Configure Add-In Trust Level" is set to "Enabled (Trust all loaded and installed COM addins)".
@@ -355,6 +373,7 @@ Criteria: If the value AddinTrust is REG_DWORD = 1, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71153
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Disable 'Remember password' for Internet e-mail accounts" is set to "Enabled".
@@ -374,6 +393,7 @@ Criteria: If the value EnableRememberPwd is REG_DWORD = 0, this is not a finding
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook
+ V-71155
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Prevent users from customizing attachment security settings" is set to "Enabled".
@@ -393,6 +413,7 @@ Criteria: If the value DisallowAttachmentCustomization is REG_DWORD = 1, this is
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71157
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings "Outlook Security Mode" is set to "Enabled (Use Outlook Security Group Policy)".
@@ -412,6 +433,7 @@ Criteria: If the value AdminSecurityMode is REG_DWORD = 3, this is not a finding
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71159
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Attachment Security "Display Level 1 attachments" is set to "Disabled".
@@ -431,6 +453,7 @@ Criteria: If the value ShowLevel1Attach is REG_DWORD = 0, this is not a finding.
Absent
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71161
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Attachment Security "Remove file extensions blocked as Level 1" is set to "Disabled".
@@ -451,6 +474,7 @@ Criteria: If the registry key exists, this is a finding.
Absent
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71163
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Attachment Security "Remove file extensions blocked as Level 2" is set to "Disabled".
@@ -471,6 +495,7 @@ Criteria: If the registry key exists, this is a finding.
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71165
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Custom Form Security "Allow scripts in one-off Outlook forms" is set to "Disabled".
@@ -490,6 +515,7 @@ Criteria: If the value EnableOneOffFormScripts is REG_DWORD = 0, this is not a f
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71167
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Custom Form Security "Set Outlook object model Custom Actions execution prompt" is set to "Enabled (Automatically Deny)".
@@ -509,6 +535,7 @@ Criteria: If the value PromptOOMCustomAction is REG_DWORD = 0, this is not a fin
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71169
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when sending mail" is set to "Enabled (Automatically Deny)".
@@ -529,6 +556,7 @@ Criteria: If the value PromptOOMSend is REG_DWORD = 0, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71171
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when accessing an address book" is set to "Enabled (Automatically Deny)".
@@ -549,6 +577,7 @@ Criteria: If the value PromptOOMAddressBookAccess is REG_DWORD = 0, this is not
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71173
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when reading address information" is set to "Enabled (Automatically Deny)".
@@ -569,6 +598,7 @@ Criteria: If the value PromptOOMAddressInformationAccess is REG_DWORD = 0, this
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71175
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when responding to meeting and task requests" is set to "Enabled (Automatically Deny)".
@@ -589,6 +619,7 @@ Criteria: If the value PromptOOMMeetingTaskRequestResponse is REG_DWORD = 0, thi
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71177
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when executing Save As" is set to "Enabled (Automatically Deny)".
@@ -610,6 +641,7 @@ Criteria: If the value PromptOOMSaveAs is REG_DWORD = 0, this is not a finding.
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71179
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt When accessing the Formula property of a UserProperty object" is set to "Enabled (Automatically Deny)".
@@ -629,6 +661,7 @@ Criteria: If the value PromptOOMFormulaAccess is REG_DWORD = 0, this is not a fi
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\security
+ V-71193
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security -> Trusted Add-ins "Configure trusted add-ins" is set to "Disabled".
@@ -653,6 +686,7 @@ In some reported configurations, the value remains after disabling the setting b
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71195
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "S/MIME interoperability with external clients" is set to "Enabled (Handle internally)".
@@ -672,6 +706,7 @@ Criteria: If the value ExternalSMime is REG_DWORD = 0, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71227
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Message Formats" is set to "Enabled (S\MIME)".
@@ -695,6 +730,7 @@ FIPS mode in Windows enforces 3DES, AES 256/192/128, SHA1, and SHA 512/384/256.
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71229
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Run in FIPS compliant mode" is set to "Enabled".
@@ -714,6 +750,7 @@ Criteria: If the value FIPSMode is REG_DWORD = 1, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71231
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Send all signed messages as clear signed messages" is set to "Enabled".
@@ -733,6 +770,7 @@ Criteria: If the value ClearSign is REG_DWORD = 1, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71233
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "S/MIME receipt requests behavior" is set to "Enabled (Never send S\MIME receipts)".
@@ -753,6 +791,7 @@ Criteria: If the value RespondToReceiptRequests is REG_DWORD = 2, this is not a
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71235
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography -> Signature Status dialog box "Retrieving CRLs (Certificate Revocation Lists)" is set to "Enabled (When online always retrieve the CRL)".
@@ -772,6 +811,7 @@ Criteria: If the value UseCRLChasing is REG_DWORD = 1, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail
+ V-71237
False
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Security >> Automatic Picture Download Settings "Display pictures and external content in HTML e-mail" is set to "Enabled".
@@ -792,6 +832,7 @@ Criteria: If the value BlockExtContent is REG_DWORD = 1, this is not a finding.<
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail
+ V-71239
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists" is set to "Disabled".
@@ -811,6 +852,7 @@ Criteria: If the value UnblockSpecificSenders is REG_DWORD = 0, this is not a fi
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail
+ V-71241
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Do not permit download of content from safe zones" is set to "Disabled".
@@ -830,6 +872,7 @@ Criteria: If the value UnblockSafeZone is REG_DWORD = 1, this is not a finding.<
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail
+ V-71243
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Block Trusted Zones" is set to "Enabled".
@@ -849,6 +892,7 @@ Criteria: If the value TrustedZone is REG_DWORD = 0, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail
+ V-71245
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Include Internet in Safe Zones for Automatic Picture Download" is set to "Disabled".
@@ -868,6 +912,7 @@ Criteria: If the value Internet is REG_DWORD = 0, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail
+ V-71247
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Include Intranet in Safe Zones for Automatic Picture Download" is set to "Disabled".
@@ -887,6 +932,7 @@ Criteria: If the value Intranet is REG_DWORD = 0, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71249
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Trust Center "Security setting for macros" is set to "Enabled (Warn for signed, disable unsigned)".
@@ -906,6 +952,7 @@ Criteria: If the value Level is REG_DWORD = 3, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail
+ V-71251
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Trust Center "Allow hyperlinks in suspected phishing e-mail messages" is set to "Disabled".
@@ -925,6 +972,7 @@ Criteria: If the value JunkMailEnableLinks is REG_DWORD = 0, this is not a findi
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\rpc
+ V-71253
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Exchange "Enable RPC encryption" is set to "Enabled".
@@ -944,6 +992,7 @@ Criteria: If the value EnableRPCEncryption is REG_DWORD = 1, this is not a findi
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71255
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Exchange "Authentication with Exchange Server" is set to "Enabled (Kerberos Password Authentication)".
@@ -963,6 +1012,7 @@ Criteria: If the value AuthenticationService is REG_DWORD = 16 (decimal) or 10 (
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\rss
+ V-71259
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> RSS Feeds "Download full text of articles as HTML attachments" is set to "Disabled".
@@ -982,6 +1032,7 @@ Criteria: If the value EnableFullTextHTML is REG_DWORD = 0, this is not a findin
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\webcal
+ V-71261
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Internet Calendars "Automatically download attachments" is set to "Disabled".
@@ -1001,6 +1052,7 @@ Criteria: If the value EnableAttachments is REG_DWORD = 0, this is not a finding
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\webcal
+ V-71263
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Internet Calendars "Do not include Internet Calendar integration in Outlook" is set to "Enabled".
@@ -1020,6 +1072,7 @@ Criteria: If the value Disable is REG_DWORD = 1, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\meetings\profile
+ V-71265
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Meeting Workspace "Disable user entries to server list" is set to "Enabled (Publish default, disallow others)".
@@ -1039,6 +1092,7 @@ Criteria: If the value ServerUI is REG_DWORD = 2, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\rss
+ V-71267
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> RSS Feeds "Automatically download enclosures" is set to "Disabled".
@@ -1058,6 +1112,7 @@ Criteria: If the value EnableAttachments is REG_DWORD = 0, this is not a finding
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71271
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Prompt user to choose security settings if default settings fail" is set to "Disabled".
@@ -1077,6 +1132,7 @@ Criteria: If the value ForceDefaultProfile is REG_DWORD = 0, this is not a findi
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71273
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Minimum encryption settings" is set to "Enabled: 168 bits".
@@ -1096,6 +1152,7 @@ Criteria: If the value MinEncKey is REG_DWORD = a8 (hex) or 168 (decimal), this
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71275
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Replies or forwards to signed/encrypted messages are signed/encrypted" is set to "Enabled".
@@ -1117,6 +1174,7 @@ Criteria: If the value NoCheckOnSessionSecurity is REG_DWORD = 1, this is not a
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security
+ V-71277
False
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Do not check e-mail address against address of certificates being used" is set to "Enabled".
diff --git a/source/StigData/Processed/Office-System2013-2.1.xml b/source/StigData/Processed/Office-System2013-2.1.xml
index 48d57be2d..7e320dd2a 100644
--- a/source/StigData/Processed/Office-System2013-2.1.xml
+++ b/source/StigData/Processed/Office-System2013-2.1.xml
@@ -1,4 +1,4 @@
-
+
<VulnDiscussion>Users of Office applications can see and use links to Microsoft Office SharePoint Server sites from those applications. Administrators configure published links to Office applications during initial deployment, and can add or change links as part of regular operations. These links appear on the My SharePoint Sites tab of the Open, Save, and Save As dialog boxes when opening and saving documents from these applications. Links can be targeted so that they only appear to users who are members of particular audiences.
@@ -7,6 +7,7 @@ If a malicious person gains access to the list of published links, they could mo
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\common\portal
+ V-17670
False
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Server Settings "Disable the Office client from polling the SharePoint Server for published links" is set to "Enabled".
@@ -25,6 +26,7 @@ By default, this feature is enabled, if users choose to participate in the Custo
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\common\ptwatson
+ V-17627
False
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Tools >> Options >> Spelling >> Proofing Data Collection "Improve Proofing Tools" is set to "Disabled".
@@ -43,6 +45,7 @@ By default, users can specify any location as a trusted location, and a computer
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\common\security\trusted locations
+ V-17560
False
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings >> Trust Center "Allow mix of policy and user locations" is set to "Disabled".
@@ -62,6 +65,7 @@ XML expansion packs can be used to initialize and load malicious code, which mig
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\Smart Tag
+ V-17669
False
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Smart Documents (Word, Excel) "Disable Smart Document's use of manifests" is set to "Enabled".
@@ -79,6 +83,7 @@ If the value 'NeverLoadManifests' is REG_DWORD = 1, this is not a finding.Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\common\signatures
+ V-17749
False
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Signing "Legacy format signatures" is set to "Enabled".
@@ -98,6 +103,7 @@ Fix Text: Set the policy value for User Configuration >> Administrative Te
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\common\signatures
+ V-17805
False
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Signing "Suppress external signature services menu item" is set to "Enabled".
@@ -115,6 +121,7 @@ Criteria: If the value 'SuppressExtSigningSvcs' is REG_DWORD = 1, this is not a
Present
False
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\common\fixedformat
+ V-17660
False
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Microsoft Save As PDF and XPS add-ins "Disable inclusion of document properties in PDF and XPS output" is set to "Enabled".
@@ -133,6 +140,7 @@ By default, users can post blog entries to any compatible blogging service provi