IIS 10.0 Server STIG (Y26M01) Checklist
Medium · 20 items · 4 hours · by testuser · Published 4 weeks ago
This checklist captures core actions from the Microsoft IIS 10.0 Server STIG (Y26M01) to help administrators and security teams assess and harden IIS web servers. Use it to guide STIG application, configuration, logging, and ongoing compliance checks for IIS 10.0 deployments.
- Review the IIS 10.0 Server STIG documentation and supporting resources — Download STIG packages, XCCDF, and DISA reference docs before starting.
- Inventory all IIS 10.0 servers, roles, and hosted sites — List hostnames, OS versions, site names, app pools, and network zones.
- Backup IIS configuration and website content — Export applicationHost.config, web.configs, and site files before changes.
- Download and install the IIS 10.0 Server STIG package — Obtain the Server STIG XCCDF/SCC content from DISA.
- Download and install the IIS 10.0 Site STIG package — Obtain the Site STIG XCCDF/SCC content and site-level rules.
- Apply STIG automated content (SCC/XCCDF) to assess baseline compliance — Run automated scans to generate findings before manual hardening.
- Apply the latest Windows Server and IIS security patches — Update OS and IIS binaries to the current security baseline.
- Install and validate server TLS/SSL certificates — Ensure certs are trusted, not expiring, and match hostnames.
- Enforce TLS 1.2 or higher and disable older SSL/TLS protocols — Disable SSLv2/3 and TLS 1.0/1.1 to meet STIG cryptography guidance.
- Require HTTPS and configure HTTP-to-HTTPS redirects — Force secure transport for all site traffic and HSTS when appropriate.
- Configure application pools to run with least privilege — Use dedicated service accounts and disable unused identities.
- Disable unnecessary IIS modules and features — Remove or disable modules not required by applications to reduce attack surface.
- Remove default documents and disable directory browsing — Prevent exposure of directory listings and default pages that leak info.
- Restrict file and folder permissions for IIS content — Apply least-privilege NTFS permissions to site files and config files.
- Disable unnecessary HTTP verbs and enable request filtering — Block TRACE, TRACK, PUT, DELETE if not required and set size limits.
- Enable detailed IIS logging and centralize logs for analysis — Capture client IPs and full request details, and forward the logs to a SIEM or central log store.
- Enable OS-level auditing and configure security event monitoring — Audit IIS service changes, configuration edits, and privileged logins.
- Run vulnerability scans, validate STIG findings, and remediate — Use automated tools and manual review to confirm compliance and fix issues.
- Implement firewall rules and DMZ segmentation per network guidance — Restrict management ports and limit traffic between zones.
- Document changes, maintain STIG records, and schedule regular reviews — Record applied controls, exceptions, and plan periodic re-assessments.
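The following PowerShell script is an added example, not part of the checklist author's material or of DISA's STIG content. It audits and, with -Apply, remediates a handful of the server-level items above: disabling SSLv2/3 and TLS 1.0/1.1 in Schannel, turning off directory browsing, denying the listed HTTP verbs and capping request size through request filtering, widening the W3C log fields, and flagging application pools that run as LocalSystem. It assumes the built-in WebAdministration module on an IIS 10.0 host and the standard Schannel registry layout; the request-size limit and the log field set are placeholder values to be replaced with whatever the relevant STIG rules require.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical script, not from the checklist or DISA).
# Audits a few checklist items on an IIS 10.0 host; with -Apply it remediates them.
# Run with -Apply -WhatIf first to preview the changes.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$MaxContentLength = 30000000,                         # assumed cap; take the real value from the STIG
    [string[]]$DeniedVerbs = @('TRACE', 'TRACK', 'PUT', 'DELETE'),
    [switch]$Apply                                             # without -Apply the script only reports
)

Import-Module WebAdministration -ErrorAction Stop

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$AppHost      = 'MACHINE/WEBROOT/APPHOST'                      # server-wide applicationHost.config
$Legacy       = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'    # protocols the checklist says to disable
$LogFields    = 'Date,Time,ClientIP,UserName,ServerIP,Method,UriStem,UriQuery,HttpStatus,Win32Status,TimeTaken,ServerPort,UserAgent,Referer,Host'

function Get-SchannelServerState {
    # Reads Enabled / DisabledByDefault for the Server side of one protocol.
    param([string]$Protocol)
    $key = Join-Path $SchannelRoot "$Protocol\Server"
    $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    [pscustomobject]@{
        Protocol          = $Protocol
        Enabled           = $p.Enabled             # $null means "not configured" (OS default applies)
        DisabledByDefault = $p.DisabledByDefault
    }
}

function Disable-SchannelProtocol {
    # Sets Enabled=0 and DisabledByDefault=1 for both the Server and Client side of a protocol.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Protocol)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=0, DisabledByDefault=1')) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
            Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
        }
    }
}

function Get-IisServerState {
    # Snapshot of the IIS settings this script manages, for the audit report.
    $verbs = Get-WebConfiguration -PSPath $AppHost -Filter 'system.webServer/security/requestFiltering/verbs/add'
    [pscustomobject]@{
        DirectoryBrowsing = (Get-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/directoryBrowse' -Name enabled).Value
        DeniedVerbs       = @($verbs | Where-Object { -not $_.allowed } | ForEach-Object verb)
        MaxContentLength  = (Get-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/security/requestFiltering/requestLimits' -Name maxAllowedContentLength).Value
        LogFields         = [string](Get-WebConfigurationProperty -PSPath $AppHost -Filter 'system.applicationHost/sites/siteDefaults/logFile' -Name logExtFileFlags)
        LocalSystemPools  = @(Get-ChildItem IIS:\AppPools | Where-Object { $_.processModel.identityType -eq 'LocalSystem' } | ForEach-Object Name)
    }
}

function Invoke-IisHardening {
    # Applies the remediations; every change goes through ShouldProcess so -WhatIf previews it.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($p in $Legacy) { Disable-SchannelProtocol -Protocol $p }

    if ($PSCmdlet.ShouldProcess($AppHost, 'Disable directory browsing')) {
        Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false
    }
    foreach ($v in $DeniedVerbs) {
        $filter = "system.webServer/security/requestFiltering/verbs/add[@verb='$v']"
        if ($PSCmdlet.ShouldProcess($AppHost, "Deny HTTP verb $v")) {
            if (Get-WebConfiguration -PSPath $AppHost -Filter $filter) {
                Set-WebConfigurationProperty -PSPath $AppHost -Filter $filter -Name allowed -Value $false
            } else {
                Add-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/security/requestFiltering/verbs' -Name '.' -Value @{ verb = $v; allowed = $false }
            }
        }
    }
    if ($PSCmdlet.ShouldProcess($AppHost, "Set maxAllowedContentLength=$MaxContentLength")) {
        Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/security/requestFiltering/requestLimits' -Name maxAllowedContentLength -Value $MaxContentLength
    }
    if ($PSCmdlet.ShouldProcess($AppHost, 'Set default W3C log fields')) {
        Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.applicationHost/sites/siteDefaults/logFile' -Name logExtFileFlags -Value $LogFields
    }
}

Write-Host '== Schannel server-side protocol state (before) =='
$Legacy | ForEach-Object { Get-SchannelServerState -Protocol $_ } | Format-Table -AutoSize
Write-Host '== IIS server-level state (before) =='
Get-IisServerState | Format-List

if ($Apply) {
    Invoke-IisHardening
    Write-Host 'Remediation applied. Schannel protocol changes take effect after a reboot.'
    Write-Host '== IIS server-level state (after) =='
    Get-IisServerState | Format-List
}
```

Two checks worth making before running with -Apply: disabling TLS 1.0/1.1 on the Client side also affects outbound connections the server itself makes (database drivers, web service calls), so confirm those endpoints negotiate TLS 1.2; and denying PUT and DELETE breaks any WebDAV or REST application that legitimately uses them, which is why the checklist item says "if not required". The verb and log-field settings here land at the server level, so a site-level web.config can still override them; the Site STIG package covers those per-site rules.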