TickYouOff

IIS 10.0 Server STIG Checklist

Medium 23 items · 4 hours
testuser Published 4 weeks ago

This checklist guides administrators and security teams through applying the Microsoft IIS 10.0 Server STIG to harden IIS web servers. It’s aimed at system owners, DevOps, and security engineers who need a practical, ordered set of tasks to achieve STIG compliance and maintain secure IIS deployments.

Source: https://ncp.nist.gov/checklist/952

  1. Gather STIG packages and resources — Download official DISA STIGs, XCCDF files, SCC automated content and checksums.
  2. Download Microsoft IIS 10.0 Server STIG — Obtain latest Server STIG package from DISA and verify checksum.
  3. Download Microsoft IIS 10.0 Site STIG — Obtain Site STIG package (site-level requirements) and verify checksum.
  4. Download XCCDF and SCC automated content — Get automated benchmarking content for scanning and remediation tools.
  5. Review STIG requirements and scope — Read STIG guidance to understand which controls apply to your environment.
  6. Backup IIS configuration and website content — Export applicationHost.config, site content, and SSL certificates before changes.
  7. Apply operating system updates and security patches — Patch Windows Server and dependent components before STIG changes.
  8. Ensure .NET Framework 4.5+ is installed and updated — Confirm required .NET version for session state and related settings.
  9. Apply IIS Server STIG settings — Implement server-level STIG controls (global IIS configuration).
  10. Disable directory browsing and default documents — Prevent unintended content disclosure by disabling directory listing.
  11. Remove or secure sample websites and demo files — Delete or restrict access to default/sample content included with IIS.
  12. Enforce authentication and authorization for admin areas — Require strong authentication and restrict access to management paths.
  13. Harden TLS and cipher suites — Configure secure protocols, ciphers, and TLS settings at OS/IIS level.
  14. Disable SSLv2 and SSLv3 — Turn off legacy protocols to prevent protocol-level attacks.
  15. Disable weak ciphers (RC4, 3DES) and enable TLS1.2/1.3 — Prioritize modern, secure ciphers and protocol versions.
  16. Enable strong TLS settings and forward secrecy — Set secure cipher order and prefer forward-secret suites.
  17. Enable logging and monitor audit settings — Configure IIS, Windows Event, and request logging for audits.
  18. Restrict management access and use least-privilege accounts — Limit admin accounts and use role-based access control.
  19. Configure firewall and network controls for IIS server — Restrict unnecessary inbound ports and separate DMZ/internal rules.
  20. Run automated compliance scan (SCC/XCCDF) and review findings — Execute automated benchmarks to compare configuration against STIG rules.
  21. Remediate findings and re-run scans — Fix identified issues, document changes, and verify with another scan.
  22. Document changes, maintenance windows, and rollback plans — Record implemented controls, planned windows, and rollback steps.
  23. Schedule regular review and update of STIGs and resources — Plan periodic reviews to apply updated STIG versions and checksums.
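The following PowerShell script is an added example, not part of the checklist or of DISA's own STIG content, showing how steps 6, 10, 14 and 15 above are typically carried out on the IIS host and how the resulting SCHANNEL state can be read back for the manual cross-check in steps 20 and 21. It assumes an elevated PowerShell session on a Windows Server running IIS 10.0 with the WebAdministration module installed, uses the standard SCHANNEL registry locations, and leaves TLS 1.3 untouched because that protocol is only available on newer Windows Server releases. The `Set-SchannelProtocol`, `Disable-SchannelCipher`, `Disable-IisDirectoryBrowsing` and `Get-SchannelProtocolState` function names are the example's own.

```powershell
# Added example (not from the checklist author or DISA): automates steps 6, 10, 14 and 15
# of the checklist on a Windows Server running IIS 10.0.
# Assumptions: elevated session on the IIS host; WebAdministration module present
# (installed with the Web-Server role); SCHANNEL changes take effect after a reboot.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Backup-IisBeforeHardening {
    param([string]$Name = "pre-stig-$(Get-Date -Format yyyyMMdd-HHmm)")
    # Step 6: snapshot applicationHost.config and related files under
    # %windir%\System32\inetsrv\backup\<Name>; undo with Restore-WebConfiguration -Name <Name>.
    Backup-WebConfiguration -Name $Name
    return $Name
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'SSL 2.0', 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Steps 14/15: the Server subkey governs inbound connections to IIS, the Client subkey
    # outbound ones. Enabled=0 together with DisabledByDefault=1 is the pair a STIG
    # check expects for a disabled protocol; the inverse pair explicitly enables it.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $Schannel "Protocols\$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Disable-SchannelCipher {
    param([Parameter(Mandatory)][string]$Cipher)  # e.g. 'RC4 128/128', 'Triple DES 168'
    # Step 15: cipher subkey names contain '/', which the registry provider treats as a
    # path separator, so New-Item cannot create them; use the .NET registry API instead.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true)
    $key = $base.CreateSubKey($Cipher)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $base.Close()
}

function Disable-IisDirectoryBrowsing {
    # Step 10: turn off directory listing server-wide, then lock the section so an
    # individual site's web.config cannot re-enable it.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $false
    Set-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/directoryBrowse' -Metadata overrideMode -Value Deny
}

function Get-SchannelProtocolState {
    # Steps 20/21 (manual cross-check): show the server-side setting for each protocol so
    # automated scan findings can be confirmed against the registry by hand.
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        $key = Join-Path $Schannel "Protocols\$p\Server"
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $p
            Enabled           = if ($null -eq $v) { 'OS default' } else { $v.Enabled }
            DisabledByDefault = if ($null -eq $v) { 'OS default' } else { $v.DisabledByDefault }
        }
    }
}

# Ordered run: back up first (step 6), apply the changes, then report. Reboot afterwards
# so SCHANNEL reloads its configuration before running the compliance scan (step 20).
$backup = Backup-IisBeforeHardening
Write-Host "IIS configuration backup created: $backup"
foreach ($p in 'SSL 2.0', 'SSL 3.0') { Set-SchannelProtocol -Protocol $p -Enabled $false }
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
foreach ($c in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'Triple DES 168') {
    Disable-SchannelCipher -Cipher $c
}
Disable-IisDirectoryBrowsing
Get-SchannelProtocolState | Format-Table -AutoSize
```

The script deliberately does not touch TLS 1.0 and 1.1: whether those may be disabled depends on the clients the server must still serve, which is a scoping decision from step 5, not something to hard-code. Cipher suite ordering and forward-secrecy preference (step 16) are managed separately through the `Enable-TlsCipherSuite`/`Disable-TlsCipherSuite` cmdlets of the built-in TLS module or Group Policy, and the backup name printed at the start is what you record in the rollback plan of step 22.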