Microsoft IIS 10.0 Server STIG Checklist

Hard 21 items · 2 hours
testuser Published 1 month ago

This checklist helps IT staff and system owners assess and harden Microsoft IIS 10.0 servers against DISA STIG guidance. It’s aimed at administrators and security engineers performing STIG scans, remediation, and ongoing compliance for web servers.

Source: https://ncp.nist.gov/checklist/952

  1. Download the IIS 10.0 Server STIG and supporting resources — Obtain DISA XCCDF, SCC content, and STIG PDF for reference and automated scans.
  2. Inventory IIS servers and installed versions — Record hostnames, OS versions, IIS build, and site roles.
  3. Verify .NET Framework 4.5 or later is installed where required — Needed for specific security settings like session state.
  4. Apply both IIS 10.0 Server and IIS 10.0 Site STIG packages — Ensure server- and site-level STIGs are both enforced.
  5. Run automated SCAP/XCCDF or SCC scans with DISA content — Use provided automated content to generate findings.
  6. Review scan findings and create a remediation plan — Prioritize fixes by severity and mission impact.
  7. Harden IIS by disabling unnecessary modules and features — Reduce attack surface by removing unused components.
  8. Disable WebDAV module — Prevent remote write access unless explicitly needed.
  9. Disable TRACE and TRACK HTTP methods — Block methods that can expose sensitive headers.
  10. Remove default sample files and sample applications — Delete example content to avoid information exposure.
  11. Enforce TLS 1.2 or higher and disable weak ciphers — Configure Schannel/registry or IIS bindings to use strong ciphers.
  12. Configure authentication and authorization settings — Choose the least-privilege auth methods required by the app.
  13. Set secure cookie and session state settings in .NET/IIS — Enable HttpOnly, Secure flags and appropriate timeout values.
  14. Apply least privilege to IIS service and application pool accounts — Use dedicated low-privilege accounts for app pools.
  15. Enable detailed IIS logging and forward logs to a SIEM — Capture access, error logs and centralize for monitoring.
  16. Implement strict file and directory permissions for web content — Grant only required read/write rights to content folders.
  17. Disable directory browsing on sites — Prevent listing of directory contents to visitors.
  18. Validate web applications for OWASP Top 10 vulnerabilities — Use scanners or manual testing to find common flaws.
  19. Patch and update Windows Server and IIS components regularly — Apply security updates and test before production rollout.
  20. Schedule regular STIG scans and compliance audits — Set recurring scans and track remediation status.
  21. Document IIS configuration and maintain change control records — Record STIG versions, change tickets, and baselines.
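Several of the items above can be verified from an elevated PowerShell session on the server itself. The script below is an added example written for this page, not part of the source checklist or of DISA's own content; it assumes a local IIS 10.0 server with the WebAdministration and ServerManager modules available, audits items 8, 9, 11 and 17, and only reports findings without changing any setting.

```powershell
# Added example (not from the checklist source): read-only audit of items 8, 9, 11 and 17.
# Assumes an elevated session on the IIS 10.0 server with WebAdministration and ServerManager.
Import-Module WebAdministration
Import-Module ServerManager

$findings = @()

# Item 8: the WebDAV publishing feature should not be installed unless explicitly required.
$webdav = Get-WindowsFeature -Name Web-DAV-Publishing
if ($webdav.Installed) { $findings += 'WebDAV publishing feature is installed' }

# Item 9: TRACE and TRACK must be denied by request filtering at the server (applicationHost) level.
$verbs = Get-WebConfiguration -Filter 'system.webServer/security/requestFiltering/verbs/add' `
                              -PSPath 'MACHINE/WEBROOT/APPHOST'
foreach ($v in 'TRACE', 'TRACK') {
    $denyRule = $verbs | Where-Object { $_.verb -ieq $v -and -not $_.allowed }
    if (-not $denyRule) { $findings += "HTTP verb $v is not denied by request filtering" }
}

# Item 17: directory browsing must be disabled on every site.
foreach ($site in Get-Website) {
    $db = Get-WebConfigurationProperty -Filter 'system.webServer/directoryBrowse' -Name enabled `
                                       -PSPath "IIS:\Sites\$($site.Name)"
    if ($db.Value) { $findings += "Directory browsing is enabled on site '$($site.Name)'" }
}

# Item 11: legacy SSL/TLS server protocols must be explicitly disabled in Schannel.
# An absent key means "OS default", which is not a compliant state, so it is reported too.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $key = Join-Path $base "$proto\Server"
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($enabled -ne 0) { $findings += "Schannel server protocol '$proto' is not explicitly disabled" }
}

if ($findings.Count -eq 0) {
    'No findings for the audited items.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it after remediation as well as before, and keep its output with the change ticket so item 21 has a record of the verified state.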