Microsoft IIS 7.0 STIG Version 1, Release 19 Checklist Details

Supporting Resources:

Target:

Target CPE Name
Microsoft Internet Information Services 7.0 cpe:/a:microsoft:iis:7.0

Checklist Highlights

Checklist Name:
Microsoft IIS 7.0 STIG
Checklist ID:
400
Version:
Version 1, Release 19
Type:
Compliance
Review Status:
Archived
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
04/28/2017

Checklist Summary:

The Internet Information Services 7.0 Web Server Overview is a published document that can be used to improve the security posture of a Department of Defense (DoD) web server and its associated web sites. This document is meant for use in conjunction with the Enclave, Network Infrastructure, Application Security and Development, and other appropriate operating system Security Technical Implementation Guides. Guidance for deployment of web servers within the DoD intranet and the Demilitarized Zone will be governed by the appropriate Network Infrastructure STIG provided by the Defense Information Systems Agency. The web server must be configured to protect classified, unclassified, and/or restricted data such as Personally Identifiable Information, as well as data approved for public release. Immediate risks inherent to this role are external attacks and accidental exposure. Although security controls and infrastructure devices (such as firewalls, intrusion detection systems, and baseline integrity checking tools) offer some defense against malicious activity, security for web servers is best achieved through implementing a comprehensive defense-in-depth strategy. This strategy should include, but is not limited to, server configuration to prevent system compromise, operational procedures for posting data to avoid accidental exposure, proper placement of the server within the network infrastructure, and the allowance or denial of Ports, Protocols, and Services used to access the web server.

Checklist Role:

  • Web Server

Known Issues:

Not applicable.

Target Audience:

Developed by DISA for the DOD. This document is intended for those responsible for the configuration and management of information systems. It assumes that the reader has knowledge of web servers and is familiar with common computer terminology.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

This guidance is scoped to the Web Server role, utilizing IIS 7.0, of Microsoft's Windows Server 2008, and no other server role or OS will be addressed.

Regulatory Compliance:

DOD Directive 8500.2, DOD Directive 8520.2

Comments/Warnings/Miscellaneous:

Please refer to the Checklist.

Disclaimer:

Not provided.

Product Support:

Only available to DOD customers.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Changed status from "under review" to "final" - 08 September 2015
Version 1, Release 8 - 31 July 2015
Version 1, Release 5 - 24 April 2014
Version 1, Release 4 - 24 January 2014
Version 1, Release 3 - 26 April 2013
Version 1, Release 2 - 25 January 2013
Version 1, Release 1 - 31 October 2011
Version 1 Release 6 - 30 October 2014
Updated status to "Final" - 07 January 2015
Updated "Point of Contact" - 15 January 2015
Version 1, Release 7 - 23 January 2015
Version 1, Release 9 - 27 October 2015
Changed status from "Under Review" to "Final" - 03 December 2015
5/2/2016 - Version 1, Release 10
moved to FINAL - 6/7/2016
Updated STIG to V1, R11 - 10-28-2016
updated to FINAL - 12/07/2016
Updated to Version 1, Release 12 - 01/27/2017
Updated to FINAL - 03/08/2017
Updated to v1, r13 - 04/24/2017
updated to FINAL - 05/22/2017
Updated URL to reflect change to the DISA website - http --> https
Updated - 11/01/2017
Updated to FINAL - 11/27/2017
corrected resource title - 1/24/2018
updated to v1,r16 - 02/16/2018
Updated to FINAL - 3/18/2018
Updated to Version 1, Release 17- 10/25/18
Updated to FINAL - 11/26/18
updated to Version 1, Release 18 - 4/30/2019
Corrected SHA - 5/2/19
Updated to FINAL  - 6/4/19
Updated URLs - 6/25/19
removed reference link and changed status to archive per DISA changes - 1/17/2020

NIST checklist record last modified on 01/17/2020