Microsoft IIS 10.0 Site Security
The IIS 10.0 web server must only contain functions necessary for operation
STIG ID: IIST-SV-000118 | SRG: SRG-APP-000141-WSR-000075 | Severity: Medium | CCI: CCI-000381 | Vulnerability ID: V-218793
Description
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the capability to disable, uninstall, or deactivate functionality and services deemed non-essential to the web server mission or that adversely impact server performance.
Check
C-218793r960963_chk
Click “Start”.
Open Control Panel.
Click “Programs”.
Click “Programs and Features”.
Review the installed programs.
If any programs are installed other than those required for the IIS 10.0 web services, this is a finding.
Note: If additional software is needed, supporting documentation must be signed by the ISSO.
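A scripted equivalent of the manual review above, as an added example that is not part of the STIG text: it reads the registry Uninstall keys that populate "Programs and Features", lists installed roles and features, and reports anything not matching an approved baseline. Both allow-lists are hypothetical placeholders for the ISSO-approved inventory, and Get-WindowsFeature assumes a Windows Server host.

```powershell
# Added example, not part of the STIG. Both allow-lists below are hypothetical
# placeholders; replace them with the inventory documented and signed by the ISSO.
$ApprovedPrograms = @(
    'Microsoft Visual C++ * Redistributable*'
    'IIS URL Rewrite Module 2'
)
$ApprovedFeatures = @(
    'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Static-Content',
    'Web-Default-Doc', 'Web-Http-Errors', 'Web-Http-Logging', 'Web-Filtering',
    'Web-Mgmt-Console', 'NET-Framework-45-Core', 'FileAndStorage-Services'
)

function Test-Approved {
    # True when $Name matches at least one wildcard pattern in $Patterns.
    param([string]$Name, [string[]]$Patterns)
    foreach ($p in $Patterns) { if ($Name -like $p) { return $true } }
    return $false
}

# Programs and Features is built from these keys: 64-bit, 32-bit and per-user views.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Entries without a DisplayName or flagged SystemComponent are hidden in the GUI.
$Programs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Sort-Object DisplayName -Unique

$ProgramFindings = @($Programs |
    Where-Object { -not (Test-Approved $_.DisplayName $ApprovedPrograms) } |
    Select-Object DisplayName, DisplayVersion, Publisher)

# The fix text also covers roles, so review installed roles and features too.
$FeatureFindings = @(Get-WindowsFeature |
    Where-Object { $_.Installed -and -not (Test-Approved $_.Name $ApprovedFeatures) } |
    Select-Object Name, DisplayName, FeatureType)

"Programs not on the approved list: $($ProgramFindings.Count)"
$ProgramFindings | Format-Table -AutoSize
"Roles/features not on the approved list: $($FeatureFindings.Count)"
$FeatureFindings | Format-Table -AutoSize
```

Each reported item is a candidate finding until it is either removed or covered by ISSO-signed documentation.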
Fix
F-20263r310855_fix
Remove all unapproved programs and roles from the production IIS 10.0 web server.