Microsoft IIS 8.5 STIG Ver 1, Rel 10 Checklist Details

Supporting Resources:


Target CPE Name
IIS 8.5 cpe:/a:microsoft:internet_information_server:8.5

Checklist Highlights

Checklist Name:
Microsoft IIS 8.5 STIG
Checklist ID:
Ver 1, Rel 10
Review Status:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:

Checklist Summary:

This Internet Information Services (IIS) 8.5 Overview is a published document to provide an overview of the IIS 8.5 Server and Site Security Technical Implementation Guides (STIGs) and should be used to improve the security posture of a Department of Defense (DoD) web server and its associated websites. This document is meant for use in conjunction with the Enclave, Network Infrastructure, Application Security and Development, Windows 2012 R2 Server/Windows 8.1, and other appropriate operating system STIGs. Guidance for deployment of web servers within the DoD intranet and the Demilitarized Zone (DMZ) will be governed by the appropriate Network Infrastructure STIG provided by the Defense Information Systems Agency (DISA). This STIG has been developed based on the Web Server SRG guidance, which was published as guidance to comply with applicable NIST SP 800-53 cybersecurity controls.

This document is a requirement for all DoD-owned information systems and DoD-controlled information systems operated by a contractor and/or other entity on behalf of the DoD that receive, process, store, display, or transmit DoD information, regardless of classification and/or sensitivity. These requirements are designed to assist Security Managers (SMs), Information System Security Managers (ISSMs), Information System Security Officers (ISSOs), and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD information system design, development, implementation, certification, and accreditation efforts but is restricted to policies and configurations specific to web servers and sites.

This guidance is scoped to the Web Server role of Microsoft’s Windows Server 2012 R2/Windows 8.1, using IIS 8.5. While no other server role or OS will be addressed, Windows Server 2012 does include .NET Framework 4.5 by default, and this STIG requires .NET Framework 4.5 use for enabling specific security settings, such as session state.

There are multiple STIG packages for IIS 8.5: one for IIS 8.5 server-related requirements and one for IIS 8.5 website-related requirements. Both STIGs must be applied to an IIS 8.5 web server. The individual packages are:

  • IIS 8.5 Server STIG
  • IIS 8.5 Site STIG
  • IIS 8.5 Overview

Checklist Role:

  • Web Server

Known Issues:

Not provided.

Target Audience:

Developed by DISA for the DoD. This document is intended for those responsible for the configuration and management of information systems. It assumes that the reader has knowledge of web servers and is familiar with common computer terminology.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoD Directive 8500.2, DoD Directive 8520.2


Not provided.


Not provided.

Product Support:

Only available to DoD customers.

Point of Contact:


Not provided.


Not provided.

Change History:

DRAFT - New Checklist - 07/07/2017
Updated URL to reflect change to the DISA website - http --> https
Update - Draft to Under Review - 10/23/2017
Update to FINAL - 11/20/2017
Updated to v1,r2 - 02/16/2018
Updated to FINAL - 3/18/2018
Updated to v1,r3 - 4/25/18
Updated to FINAL - 5/27/18
Updated to Ver 1, Rel 4 - 7/24/18
Updated to FINAL - 8/24/18
Updated to Ver 1, Rel 5 - 10/25/18
Corrected SHA - 10/26/18
Updated to FINAL - 11/26/18
Updated to Ver 1, Rel 6 - 1/22/19
Corrected SHA - 2/12/2019
Status Updated to FINAL - 3/12/19
Updated to Ver 1, Rel 7 - 4/30/19
Updated URLs - 6/7/19
Updated URLs - 6/26/19
Updated URLs - 8/12/2019
Updated SHA - 8/16/19
Updated URLs - 11/1/19
Updated URLs per DISA - 4/24/2020
Updated per DISA - 8/4/2020



NIST checklist record last modified on 08/04/2020