Microsoft IIS 8.5 STIG Y23M10 Checklist Details

Supporting Resources:

Target:

Target CPE Name
IIS 8.5 cpe:/a:microsoft:internet_information_server:8.5

Checklist Highlights

Checklist Name:
Microsoft IIS 8.5 STIG
Checklist ID:
774
Version:
Y23M10
Type:
Compliance
Review Status:
Archived
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
09/12/2017

Checklist Summary:

This Internet Information Services (IIS) 8.5 Overview is a published document to provide an overview of the IIS 8.5 Server and Site Security Technical Implementation Guides (STIGs) and should be used to improve the security posture of a Department of Defense (DoD) web server and its associated websites. This document is meant for use in conjunction with the Enclave, Network Infrastructure, Application Security and Development, Windows 2012 R2 Server/Windows 8.1, and other appropriate operating system STIGs. Guidance for deployment of web servers within the DoD intranet and the Demilitarized Zone (DMZ) will be governed by the appropriate Network Infrastructure STIG provided by the Defense Information Systems Agency (DISA). This STIG has been developed based on the Web Server SRG guidance, which was published as guidance to comply with applicable NIST SP 800-53 cybersecurity controls. This document is a requirement for all DoD-owned information systems and DoD-controlled information systems operated by a contractor and/or other entity on behalf of the DoD that receive, process, store, display, or transmit DoD information, regardless of classification and/or sensitivity. These requirements are designed to assist Security Managers (SMs), Information System Security Managers (ISSMs), Information System Security Officers (ISSOs), and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD information system design, development, implementation, certification, and accreditation efforts but is restricted to policies and configurations specific to web servers and sites. This guidance is scoped to the Web Server role of Microsoft’s Windows Server 2012 R2/Windows 8.1, using IIS 8.5. While no other server role or OS will be addressed, Windows Server 2012 does include .NET Framework 4.5 by default, and this STIG requires .NET Framework 4.5 use for enabling specific security settings, such as session state. 
There are multiple STIG packages for IIS 8.5: one for IIS 8.5 server-related requirements and one for IIS 8.5 website-related requirements. Both STIGs must be applied to an IIS 8.5 web server. The individual packages are:

  • IIS 8.5 Server STIG
  • IIS 8.5 Site STIG
  • IIS 8.5 Overview

Checklist Role:

  • Web Server

Known Issues:

Not provided.

Target Audience:

Developed by DISA for the DoD. This document is intended for those responsible for the configuration and management of information systems. It assumes that the reader has knowledge of web servers and is familiar with common computer terminology.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoD Directive 8500.2, DoD Directive 8520.2

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

Not provided.

Product Support:

Only available to DoD customers.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

DRAFT- New Checklist - 07/07/2017
Updated URL to reflect change to the DISA website - http --> https
Update - Draft to Under Review - 10/23/2017
Update to FINAL - 11/20/2017
updated to v1,r2 - 02/16/2018
Updated to FINAL - 3/18/2018
updated to v1,r3 - 4/25/18
Updated to FINAL - 5/27/18
updated to Ver 1, Rel 4 - 7/24/18
Updated to FINAL - 8/24/18
updated to Ver 1, Rel 5 - 10/25/18
Corrected SHA - 10/26/18
Updated to FINAL - 11/26/18
updated to Ver 1, Rel 6- 1/22/19
corrected SHA - 2/12/2019
Status Updated to FINAL - 3/12/19
updated to Ver 1, Rel 7 - 4/30/19
Updated URLs - 6/7/19
Updated URLs - 6/26/19
Updated URLs - 8/12/2019
Updated SHA - 8/16/19
updated URLs - 11/1/19
Updated URLs per DISA - 4/24/2020
updated per DISA - 8/4/2020
Updated URL per DISA - 10/28/20
updated URLS per DISA - 4/28/2021
Updated resource per DISA - 7/29/21
updated URLs - 10/27/2021
updated URLs - 1/26/2022
updated URLs per DISA - 1/17/2023
Updated resource per DISA - 4/27/23
Updated resource and sunset per DISA - 10/26/23
Updated title - 10/26/23

NIST checklist record last modified on 10/26/2023