
stigiis's Introduction


stigiis

DISA STIG automation module for IIS

Install

Install-Module stigiis -Scope CurrentUser

Dependencies

  • PSFramework - For PowerShell goodness

Thanks

Super thanks to @Average-Bear for the code found in Configure-StigIIS.

stigiis's People

Contributors: potatoqualitee

Stargazers: SimeonOnSecurity, Steven Meyer, Francisco Navarro

Watchers: James Cloos

stigiis's Issues

V-76799

could do a list of the blocked ones

V-76843

Rule Title: The IIS 8.5 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.

Discussion: During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to stop the attack.

The web server must provide a capability to disconnect users to a hosted application without compromising other hosted applications unless deemed necessary to stop the attack. Methods to disconnect or disable connections are to stop the application service for a specified hosted application, stop the web server, or block all connections through web server access list.

The web server capabilities used to disconnect or disable users from connecting to hosted applications and the web server must be documented to make certain that, during an attack, the proper action is taken to conserve connectivity to any other hosted application if possible and to make certain log data is conserved for later forensic analysis.

Check Text: Interview the System Administrator and Web Manager.

Ask for documentation for the IIS 8.5 web server administration.

Verify there are documented procedures for shutting down an IIS 8.5 website in the event of an attack. The procedure should, at a minimum, provide the following steps:

Determine the respective website for the application at risk of an attack.

Access the IIS 8.5 web server IIS 8.5 Manager.

Select the respective website.

In the "Actions" pane, under "Manage Website", click on "Stop".

If necessary, stop all websites.

If necessary, stop the IIS 8.5 web server by selecting the web server in the IIS 8.5 Manager.

In the "Actions" pane, under "Manage Server", click on "Stop".

If there are not documented procedures with, at a minimum, the mentioned steps for stopping a website, this is a finding.

Fix Text: Prepare documented procedures for shutting down an IIS 8.5 website in the event of an attack. The procedure should, at a minimum, provide the following steps:

Determine the respective website for the application at risk of an attack.

Access the IIS 8.5 web server IIS 8.5 Manager.

Select the respective website.

In the "Actions" pane, under "Manage Website", click on "Stop".

If necessary, stop all websites.

If necessary, stop the IIS 8.5 web server by selecting the web server in the IIS 8.5 Manager.

In the "Actions" pane, under "Manage Server", click on "Stop".

References
CCI: CCI-002322: The organization provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period.
NIST SP 800-53 Revision 4 :: AC-17 (9)

V-76885

Rule Title: Interactive scripts on the IIS 8.5 web server must be located in unique and designated folders.

Discussion: CGI and ASP scripts represent one of the most common and exploitable means of compromising a web server. All CGI and ASP program files must be segregated into their own unique folder to simplify the protection of these files. ASP scripts must be placed into a unique folder only containing other ASP scripts. JAVA and other technology-specific scripts must also be placed into their own unique folders. The placement of CGI, ASP, or equivalent scripts to special folders gives the Web Manager or the SA control over what goes into those folders and to facilitate access control at the folder level.

Check Text: Determine whether scripts are used on the web server for the target website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, and .asp.

All interactive programs must be placed in unique designated folders based on CGI or ASP script type.

Open the IIS 8.5 Manager.

Right-click the IIS 8.5 web site name and select Explore.

Search for the listed script extensions. Each script type must be in its unique designated folder.

If scripts are not segregated from web content and in their own unique folders, then this is a finding.

Fix Text: All interactive programs must be placed in unique designated folders based on CGI or ASP script type.

Open the IIS 8.5 Manager.

Right-click the IIS 8.5 web server name and select Explore.

Search for the listed script extensions.

Move each script type to its unique designated folder.

Set the permissions to the scripts folders as follows:

Administrators: FULL
TrustedInstaller: FULL
SYSTEM: FULL
ApplicationPoolId:READ
Custom Service Account: READ
Users: READ
ALL APPLICATION PACKAGES: READ

V-76815

Rule Title: The IIS 8.5 website document directory must be in a separate partition from the IIS 8.5 websites system files.

Discussion: The web document (home) directory is accessed by multiple anonymous users when the web server is in production. By locating the web document (home) directory on the same partition as the web server system file the risk for unauthorized access to these protected files is increased. Additionally, having the web document (home) directory path on the same drive as the system folders also increases the potential for a drive space exhaustion attack.

Check Text: Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name under review.

Click the "Advanced Settings" from the "Actions" pane.

Review the Physical Path.

If the Path is on the same partition as the OS, this is a finding.

Fix Text: Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name under review.

Click the “Advanced Settings” from the "Actions" pane.

Change the Physical Path to the new partition and directory location.

References
CCI: CCI-001084: The information system isolates security functions from nonsecurity functions.
NIST SP 800-53 :: SC-3
NIST SP 800-53A :: SC-3.1 (ii)
NIST SP 800-53 Revision 4 :: SC-3

V-76865

Rule Title: The IIS 8.5 website must have a unique application pool.

Discussion: Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool.

Check Text: Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable.

Open the IIS 8.5 Manager.

Click "Application Pools".

In the list of Application Pools, review the "Applications" column and verify unique application pools for each website.

If any Application Pools are being used for more than one website, this is a finding.

Fix Text: Open the IIS 8.5 Manager.

Click the site name under review.

Assign a unique application pool to each website.

References
CCI: CCI-000366: The organization implements the security configuration settings.
NIST SP 800-53 :: CM-6 b
NIST SP 800-53A :: CM-6.1 (iv)
NIST SP 800-53 Revision 4 :: CM-6 b
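A scripted form of this check, added here as an example; it is not code from the stigiis module. Get-SharedAppPool lists every pool that more than one website uses, and Set-UniqueAppPool (an assumed name, as is the "pool named after the site" scheme) moves the extra sites into pools of their own, honouring -WhatIf so the change can be previewed first. Both use the WebAdministration module that ships with IIS.

```powershell
# Added example for V-76865; not part of the stigiis module. Requires the
# WebAdministration module and an elevated session on the IIS host.
Import-Module WebAdministration

function Get-SharedAppPool {
    # Websites grouped by application pool; a pool carrying more than one
    # website is exactly the condition the STIG check calls a finding.
    Get-Website |
        Group-Object -Property applicationPool |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                ApplicationPool = $_.Name
                Websites        = @($_.Group | ForEach-Object -MemberName Name)
            }
        }
}

function Set-UniqueAppPool {
    # Give every website in a shared pool its own pool, named after the site
    # (naming scheme is an assumption). Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($shared in Get-SharedAppPool) {
        # The first site keeps the existing pool; the rest are moved.
        foreach ($siteName in ($shared.Websites | Select-Object -Skip 1)) {
            $poolName = $siteName
            $action   = "move from pool '$($shared.ApplicationPool)' to new pool '$poolName'"
            if ($PSCmdlet.ShouldProcess($siteName, $action)) {
                if (-not (Test-Path -Path "IIS:\AppPools\$poolName")) {
                    New-WebAppPool -Name $poolName | Out-Null
                }
                Set-ItemProperty -Path "IIS:\Sites\$siteName" -Name applicationPool -Value $poolName
            }
        }
    }
}

# Report first, then preview the fix without changing anything.
Get-SharedAppPool | Format-Table -AutoSize
Set-UniqueAppPool -WhatIf
```

Get-Website only covers site roots; applications nested under a site (Get-WebApplication) can point at a pool of their own, so a pool shared between a site and another site's application would need the same grouping run over those objects as well.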

V-76889

Rule Title: Backup interactive scripts on the IIS 8.5 server must be removed.

Discussion: Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as the actual script being executed and, as such, are useful to malicious users. Techniques and systems exist today to search web servers for such files and are able to exploit the information contained in them.

Check Text: Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx.

If the website does not utilize CGI, this finding is Not Applicable.

Open the IIS 8.5 Manager.

Right-click the IIS 8.5 web site name and select “Explore”.

Search for the listed script extensions

Search for the following files: *.bak, *.old, *.temp, *.tmp, *.backup, or “copy of...”.

If files with these extensions are found, this is a finding.

Fix Text: Remove the backup files from the production web server.

References
CCI: CCI-000381: The organization configures the information system to provide only essential capabilities.
NIST SP 800-53 :: CM-7
NIST SP 800-53A :: CM-7.1 (ii)
NIST SP 800-53 Revision 4 :: CM-7 a
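The three checks above that walk a site's physical path (V-76815, V-76885 and this one, V-76889) can be done in one pass. The script below is an added example, not code from the stigiis module: for each website it reports whether the document root shares the OS partition, which folders mix script types (or scripts with ordinary content), and which backup copies are lying around. The extension and pattern lists are the ones named in the STIG text; the site objects and environment-variable expansion come from the WebAdministration module. It is read-only.

```powershell
# Added example covering V-76815, V-76885 and V-76889; not part of the
# stigiis module. Read-only; run elevated on the IIS host.
Import-Module WebAdministration

# Extensions and backup patterns named in the STIG check text.
$scriptExtensions = '.cgi', '.pl', '.vb', '.class', '.c', '.php', '.asp', '.aspx'
$backupPatterns   = '*.bak', '*.old', '*.temp', '*.tmp', '*.backup', 'copy of*'

foreach ($site in Get-Website) {
    # physicalPath is often stored as %SystemDrive%\inetpub\wwwroot.
    $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "$($site.Name): physical path '$root' does not exist"
        continue
    }

    # V-76815: the document root must not live on the OS partition.
    $rootDrive = ([IO.Path]::GetPathRoot($root)).TrimEnd('\')
    if ($rootDrive -eq $env:SystemDrive) {
        Write-Warning "$($site.Name): '$root' is on the system drive $env:SystemDrive (V-76815 finding)"
    }

    $files = @(Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue)

    # V-76885: every script type belongs in a folder of its own. Group the
    # scripts by folder and flag folders that hold more than one script
    # extension or hold scripts next to non-script content.
    $scripts = $files | Where-Object { $scriptExtensions -contains $_.Extension.ToLower() }
    foreach ($group in ($scripts | Group-Object -Property DirectoryName)) {
        $types     = @($group.Group | ForEach-Object { $_.Extension.ToLower() } | Sort-Object -Unique)
        $nonScript = @($files | Where-Object {
            $_.DirectoryName -eq $group.Name -and $scriptExtensions -notcontains $_.Extension.ToLower()
        })
        if ($types.Count -gt 1 -or $nonScript.Count -gt 0) {
            Write-Warning "$($site.Name): folder '$($group.Name)' mixes $($types -join ', ') with other content (V-76885 finding)"
        }
    }

    # V-76889: backup copies are never executed but are readable by anyone
    # who can reach the site, so they leak the script source.
    foreach ($pattern in $backupPatterns) {
        $files | Where-Object { $_.Name -like $pattern } | ForEach-Object {
            Write-Warning "$($site.Name): backup file '$($_.FullName)' (V-76889 finding)"
        }
    }
}
```

Virtual directories and nested applications can map folders outside the site root; Get-WebVirtualDirectory and Get-WebApplication return those physical paths and can be fed through the same loop.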

general

  • session security needs $compliant=
  • fix documentation that says remove or sets
  • fix stgprintservice to actually remove maybe base off of StgWebDav
  • Set-StgClientCertificate has a weird set command, may not exist
  • fix maxonnection to actually add
  • add shouldprocess

V-76737

Rule Title: Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 8.5 web server, patches, loaded modules, and directory paths.

Discussion: HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote requesters exposes internal configuration information to potential attackers.

Check Text: Open the IIS 8.5 Manager.

Click the IIS 8.5 web server name.

Double-click the "Error Pages" icon.

Click on any error message and click "Edit Feature Setting" from the "Actions" Pane. This will apply to all error messages.

If the feature setting is not set to “Detailed errors for local requests and custom error pages for remote requests”, this is a finding.

Fix Text: Open the IIS 8.5 Manager.

Click the IIS 8.5 web server name.

Double-click the "Error Pages" icon.

Click on any error message and click "Edit Feature Setting" from the "Actions" Pane. This will apply to all error messages.

Set Feature Setting to “Detailed errors for local requests and custom error pages for remote requests”.

References
CCI: CCI-001312: The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
NIST SP 800-53 :: SI-11 b
NIST SP 800-53A :: SI-11.1 (iii)
NIST SP 800-53 Revision 4 :: SI-11 a

V-76745

Rule Title: IIS 8.5 web server system files must conform to minimum file permission requirements.

Discussion: This check verifies the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web server, and thus its behavior, must also be accessible by the account running the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.

Check Text: Open Explorer and navigate to the inetpub directory.

Right-click inetpub and select “Properties”.

Click the "Security" tab.

Verify the permissions for the following users; if the permissions are less restrictive, this is a finding.

System: Full control
Administrators: Full control
TrustedInstaller: Full control
ALL APPLICATION PACKAGES (built-in security group): Read and execute
Users: Read and execute, list folder contents
Creator/Owner: Special permissions to subkeys

Fix Text: Open Explorer and navigate to the inetpub directory.

Right-click inetpub and select “Properties”.

Click the "Security" tab.

Set the following permissions:

SYSTEM: Full control
Administrators: Full control
TrustedInstaller: Full control
ALL APPLICATION PACKAGES (built-in security group): Read and execute
Users: Read and execute, list folder contents
Creator/Owner: special permissions to subkeys

References
CCI: CCI-002235: The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
NIST SP 800-53 Revision 4 :: AC-6 (10)
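A scripted comparison of the inetpub ACL against the baseline above, added as an example; it is not code from the stigiis module. It assumes inetpub sits at its default location under the system drive and that the principals carry their English names (both are adjustable at the top). Any Allow entry that grants a right outside the principal's baseline, or any principal not in the baseline, is reported as a finding; Creator/Owner is listed for review because the STIG leaves its "special permissions" unspecified.

```powershell
# Added example for V-76745; not part of the stigiis module.
# Assumptions: default inetpub location and English principal names.
$inetpub = Join-Path $env:SystemDrive 'inetpub'

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
# "Read and execute, list folder contents": ListDirectory is already a
# subset of ReadAndExecute, but it is OR-ed in to mirror the STIG wording.
$readExecute = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
               [System.Security.AccessControl.FileSystemRights]::ListDirectory

# Baseline from the STIG fix text (CREATOR OWNER handled separately).
$baseline = @{
    'NT AUTHORITY\SYSTEM'                                    = $fullControl
    'BUILTIN\Administrators'                                 = $fullControl
    'NT SERVICE\TrustedInstaller'                            = $fullControl
    'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' = $readExecute
    'BUILTIN\Users'                                          = $readExecute
}
# GENERIC_READ/WRITE/EXECUTE/ALL bits: inherited ACEs sometimes carry these
# instead of named FileSystemRights, and they need manual mapping.
$genericRightsMask = 0xF0000000

function Test-InetpubAcl {
    param([string]$Path = $inetpub)
    $findings = @()
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # a Deny ACE never widens access
        $who    = $ace.IdentityReference.Value
        $rights = [int64]$ace.FileSystemRights
        if ($who -eq 'CREATOR OWNER') {
            $findings += "review: CREATOR OWNER has $($ace.FileSystemRights)"
            continue
        }
        if (-not $baseline.ContainsKey($who)) {
            $findings += "finding: '$who' is not in the baseline (has $($ace.FileSystemRights))"
            continue
        }
        if (($rights -band $genericRightsMask) -ne 0) {
            $findings += "review: '$who' ACE uses generic rights ($rights); map them manually"
            continue
        }
        # Any right bit outside this principal's baseline widens access.
        $extra = $rights -band (-bnot [int64]$baseline[$who])
        if ($extra -ne 0) {
            $findings += "finding: '$who' has $($ace.FileSystemRights), baseline is $($baseline[$who])"
        }
    }
    if ($findings.Count -eq 0) { 'compliant' } else { $findings }
}

Test-InetpubAcl
```

The check looks at the inetpub folder itself, as the STIG text does; adding -Recurse to a Get-ChildItem over inetpub and calling Test-InetpubAcl per folder would extend it to the subtree, where wwwroot and logs typically carry extra entries that deserve the same scrutiny.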

V-76849

Rule Title: The IIS 8.5 private website must have a server certificate issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).

Discussion: The use of a DoD PKI certificate ensures clients the private website they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.

Check Text: Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name under review.

Click “Bindings” in the “Action” Pane.

Click the “HTTPS type” from the box.

Click “Edit”.

Click “View” and then review and verify the certificate path.

If the list of CAs in the trust hierarchy does not lead to the DoD PKI Root CA, DoD-approved external certificate authority (ECA), or DoD-approved external partner, this is a finding.

If HTTPS is not an available type under site bindings, this is a finding.

If HTTPS is not an available type under site bindings, and the Web Server ONLY communicates directly with a load balancer/proxy server, with IP address and Domain Restrictions in place, this is not a finding.

Fix Text: Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the Server name.

Double-click “Server Certificates”.

Click “Import” under the "Actions" pane.

Browse to the DoD certificate location, select it, and click “OK”.

Remove any non-DoD certificates if present.

Click on the site needing the certificate.

Select “Bindings” under the "Actions" pane.

Click on the binding needing a certificate and select “Edit”, or add a site binding for HTTPS.

Assign the certificate to the website by choosing it under the “SSL Certificate” drop-down and clicking “OK”.

References
CCI: CCI-002470: The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.
NIST SP 800-53 Revision 4 :: SC-23 (5)
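A scripted version of the chain review above, added as an example; it is not code from the stigiis module. For every website it finds the HTTPS bindings, looks the bound certificate up in the local machine store, builds the chain the way a connecting client would, and compares the root's thumbprint with an approved list. The approved thumbprints are a placeholder the assessor fills in; sites with no HTTPS binding are reported so the load-balancer exception can be judged by hand.

```powershell
# Added example for V-76849; not part of the stigiis module.
Import-Module WebAdministration

# Assumption: thumbprints of the roots the organization accepts (DoD Root CA,
# approved ECA, approved partner). Placeholder value; replace before use.
$approvedRootThumbprints = @(
    'PLACEHOLDER-DOD-ROOT-CA-THUMBPRINT'
)

function Test-SiteCertificate {
    foreach ($site in Get-Website) {
        $httpsBindings = @(Get-WebBinding -Name $site.Name -Protocol https)
        if ($httpsBindings.Count -eq 0) {
            # A finding unless the server only talks to a restricted load balancer/proxy.
            [pscustomobject]@{ Site = $site.Name; Binding = $null; Root = $null; Result = 'review: no HTTPS binding' }
            continue
        }
        foreach ($b in $httpsBindings) {
            $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
            $cert  = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
                     Where-Object { $_.Thumbprint -eq $b.certificateHash }
            if (-not $cert) {
                [pscustomobject]@{ Site = $site.Name; Binding = $b.bindingInformation; Root = $null; Result = 'finding: bound certificate not in store' }
                continue
            }
            # Build() returns $false when the chain does not end in a trusted
            # root; ChainElements still shows how far it got. Revocation is
            # skipped here because this check is about the issuing hierarchy.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $trusted = $chain.Build($cert)
            $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            if (-not $trusted) {
                $result = 'finding: chain does not build to a trusted root'
            } elseif ($approvedRootThumbprints -contains $root.Thumbprint) {
                $result = 'compliant'
            } else {
                $result = 'finding: root is not an approved CA'
            }
            [pscustomobject]@{ Site = $site.Name; Binding = $b.bindingInformation; Root = $root.Subject; Result = $result }
        }
    }
}

Test-SiteCertificate | Format-Table -AutoSize
```

A self-signed certificate shows up as a one-element chain whose "root" is the certificate itself, so it fails the approved-root comparison as it should. The fix text also says to remove non-DoD certificates; the same store listing can be filtered on the Issuer chain to find those.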

V-76699

Rule Title: The IIS 8.5 web server must not perform user management for hosted applications.

Discussion: User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks like password complexity, locking users after a configurable number of failed logons, and management of temporary and emergency accounts; and all of this must be done enterprise-wide.

The web server contains a minimal user management function, but the web server user management function does not offer enterprise-wide user management, and user management is not the primary function of the web server. User management for the hosted applications should be done through a facility that is built for enterprise-wide user management, like LDAP and Active Directory.

Check Text: Interview the System Administrator about the role of the IIS 8.5 web server.

If the IIS 8.5 web server is hosting an application, have the SA provide supporting documentation on how the application's user management is accomplished outside of the IIS 8.5 web server.

If the IIS 8.5 web server is not hosting an application, this is Not Applicable.

If the IIS web server is performing user management for hosted applications, this is a finding.

If the IIS 8.5 web server is hosting an application and the SA cannot provide supporting documentation on how the application's user management is accomplished outside of the IIS 8.5 web server, this is a finding.

Fix Text: Reconfigure any hosted applications on the IIS 8.5 web server to perform user management outside the IIS 8.5 web server.

Document how the hosted application user management is accomplished.

References
CCI: CCI-000381: The organization configures the information system to provide only essential capabilities.
NIST SP 800-53 :: CM-7
NIST SP 800-53A :: CM-7.1 (ii)
NIST SP 800-53 Revision 4 :: CM-7 a

V-76807

Rule Title: Each IIS 8.5 website must be assigned a default host header.

Discussion: The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address.

Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.

Check Text: Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.
Right-click on the site name under review.
Select “Edit Bindings”.

Verify there are hostname entries and unique IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used.

If both hostname entries and unique IP addresses are not configured to port 80 for HTTP and port 443 for HTTPS (or other approved and documented port), this is a finding.

Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding.

Note: If HTTP/Port 80 is not being used, and isn’t configured as above, this is not a finding.

Fix Text: Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Right-click on the site name under review.

Select “Edit Bindings”.

Assign hostname entries and unique IP addresses to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used.

Click "OK".

Select "Apply" from the "Actions" pane.

V-76835

Rule Title: Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 8.5 website, patches, loaded modules, and directory paths.

Discussion: HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote requesters exposes internal configuration information to potential attackers.

Check Text: Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name under review.

Double-click the "Error Pages" icon.

Click each error message and click "Edit Feature" setting from the "Actions" pane.

If any error message is not set to “Detailed errors for local requests and custom error pages for remote requests”, this is a finding.

Fix Text: Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name under review.

Double-click the "Error Pages" icon.

Click each error message and click "Edit Feature" Setting from the "Actions" pane; set each error message to “Detailed errors for local requests and custom error pages for remote requests”.

References
CCI: CCI-001312: The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
NIST SP 800-53 :: SI-11 b
NIST SP 800-53A :: SI-11.1 (iii)
NIST SP 800-53 Revision 4 :: SI-11 a
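The two error-page rules (V-76737 at server level and V-76835 per site) read the same setting: the IIS Manager choice "Detailed errors for local requests and custom error pages for remote requests" is errorMode="DetailedLocalOnly" in the system.webServer/httpErrors section. The script below is an added example, not code from the stigiis module: Test-ErrorMode reports the value at the server and at every site, and Set-ErrorMode (assumed name) applies the required value with -WhatIf support.

```powershell
# Added example for V-76737 and V-76835; not part of the stigiis module.
Import-Module WebAdministration

$Filter   = 'system.webServer/httpErrors'
$Required = 'DetailedLocalOnly'   # the IIS Manager "Detailed errors for local requests ..." choice

function Get-ErrorModeTarget {
    # Server level first (V-76737), then each site's own configuration (V-76835).
    [pscustomobject]@{ Scope = '(server)'; PSPath = 'MACHINE/WEBROOT/APPHOST' }
    foreach ($site in Get-Website) {
        [pscustomobject]@{ Scope = $site.Name; PSPath = "IIS:\Sites\$($site.Name)" }
    }
}

function Test-ErrorMode {
    foreach ($t in Get-ErrorModeTarget) {
        # Stringify: the cmdlet returns the enum value as text for this attribute.
        $mode = "$(Get-WebConfigurationProperty -PSPath $t.PSPath -Filter $Filter -Name errorMode)"
        $result = if ($mode -eq $Required) { 'compliant' } else { "finding: expected $Required" }
        [pscustomobject]@{ Scope = $t.Scope; ErrorMode = $mode; Result = $result }
    }
}

function Set-ErrorMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($t in Get-ErrorModeTarget) {
        if ($PSCmdlet.ShouldProcess($t.Scope, "set $Filter errorMode to $Required")) {
            Set-WebConfigurationProperty -PSPath $t.PSPath -Filter $Filter -Name errorMode -Value $Required
        }
    }
}

Test-ErrorMode | Format-Table -AutoSize
Set-ErrorMode -WhatIf
```

A site that has never overridden the section inherits the server value, so the per-site rows often echo the server row; a site whose own web.config sets errorMode="Detailed" is the case this catches, and it is also the case that the Set function fixes by writing into that site's web.config.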

V-76847

Rule Title: The IIS 8.5 websites must utilize ports, protocols, and services according to PPSM guidelines.

Discussion: Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system.

The web server must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too unsecure, or are prohibited by the PPSM CAL and vulnerability assessments.

Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS.

The ISSM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM), and the associated Ports, Protocols, and Services (PPS) Assurance Category Assignments List.

Check Text: Review the website to determine if HTTP and HTTPs (e.g., 80 and 443) are used in accordance with those ports and services registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM.

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name under review.

In the “Action” Pane, click “Bindings”.

Review the ports and protocols. If unknown ports or protocols are used, then this is a finding.

Fix Text: Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name under review.

In the “Action” Pane, click “Bindings".

Edit to change an existing binding and set the correct ports and protocol.

References
CCI: CCI-001762: The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
NIST SP 800-53 Revision 4 :: CM-7 (1) (b)
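V-76807 and V-76847 both come down to reading the site bindings, so one added example serves both; it is not code from the stigiis module. Each binding's bindingInformation has the form ip:port:hostheader (an IPv6 address is bracketed, which is why it is parsed with a regex rather than split on colons). The script flags bindings that listen on every address or carry no host header (V-76807) and ports or protocols outside an approved table (V-76847); the table is an assumption standing in for the organization's PPSM registration.

```powershell
# Added example for V-76807 and V-76847; not part of the stigiis module.
Import-Module WebAdministration

# Assumption: ports registered with PPSM for this server. Other documented
# ports would be added here.
$approvedPorts = @{ http = @(80); https = @(443) }

function Test-SiteBinding {
    foreach ($site in Get-Website) {
        foreach ($b in Get-WebBinding -Name $site.Name) {
            $issues = @()
            if ($b.protocol -notin $approvedPorts.Keys) {
                # net.tcp, net.pipe, ftp and similar are not covered by the table.
                $issues += "protocol '$($b.protocol)' is not in the approved list"
            } elseif ($b.bindingInformation -match '^(?<ip>.+):(?<port>\d+):(?<host>.*)$') {
                $ip = $Matches['ip']; $port = [int]$Matches['port']; $hostHeader = $Matches['host']
                # V-76807: a "*" address listens on every interface, including management ones.
                if ($ip -eq '*') { $issues += 'listens on all IP addresses' }
                if ($hostHeader -eq '') { $issues += 'no host header' }
                # V-76847: only registered ports for the protocol.
                if ($approvedPorts[$b.protocol] -notcontains $port) {
                    $issues += "port $port is not approved for $($b.protocol)"
                }
            } else {
                $issues += "unrecognised bindingInformation '$($b.bindingInformation)'"
            }
            [pscustomobject]@{
                Site     = $site.Name
                Protocol = $b.protocol
                Binding  = $b.bindingInformation
                Result   = if ($issues.Count -eq 0) { 'compliant' } else { 'finding: ' + ($issues -join '; ') }
            }
        }
    }
}

Test-SiteBinding | Format-Table -AutoSize
```

Both STIG notes about exceptions (certificate handling at a proxy, port 80 unused) are judgement calls, so the output is a worklist rather than a verdict; a binding on port 80 with no host header is still worth a second look when the site is meant to be HTTPS-only.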

V-76741

Rule Title: The IIS 8.5 web server must restrict inbound connections from nonsecure zones.

Discussion: Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions.

A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones, through internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server.

Check Text: Note: This requirement applies to the Web Management Service. If the Web Management Service is not installed, this is Not Applicable.

Open the IIS 8.5 Manager.

Click the IIS 8.5 web server name.

Under "Management", double-click "Management Service".

If "Enable remote connections" is not selected, this is Not Applicable.

If "Enable remote connections" is selected, review the entries under "IP Address Restrictions".

Verify only known, secure IP ranges are configured as "Allow".

If "IP Address Restrictions" are not configured or IP ranges configured to be "Allow" are not restrictive enough to prevent connections from nonsecure zones, this is a finding.

Fix Text: Open the IIS 8.5 Manager.

Click the IIS 8.5 web server name.

Under "Management", double-click "Management Service".

Stop the Web Management Service under the "Actions" pane.

Configure only known, secure IP ranges as "Allow".

Select "Apply" in "Actions" pane.

Restart the Web Management Service under the "Actions" pane.

References
CCI: CCI-002314: The information system controls remote access methods.
NIST SP 800-53 Revision 4 :: AC-17 (1)

V-76845

Rule Title: The IIS 8.5 website must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 8.5 website.

Discussion: In order to make certain that the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism needs to be able to allocate log record storage capacity.

The task of allocating log record storage capacity is usually performed during initial installation of the logging mechanism. The system administrator will usually coordinate the allocation of physical drive space with the web server administrator along with the physical location of the partition and disk. Refer to NIST SP 800-92 for specific requirements on log rotation and storage dependent on the impact of the web server.

Check Text: Follow the procedures below for each site hosted on the IIS 8.5 web server:

Access the IIS 8.5 web server IIS 8.5 Manager.

Under "IIS" double-click on the "Logging" icon.

In the "Logging" configuration box, determine the "Directory:" to which the "W3C" logging is being written.

Confirm with the System Administrator that the designated log path is of sufficient size to maintain the logging.

Under "Log File Rollover", verify the "Do not create new log files" is not selected.

Verify a schedule is configured to rollover log files on a regular basis.

Consult with the System Administrator to determine if there is a documented process for moving the log files off of the IIS 8.5 web server to another logging device.

If the designated logging path device is not of sufficient space to maintain all log files and there is not a schedule to rollover files on a regular basis, this is a finding.

Fix Text: Follow the procedures below for each site hosted on the IIS 8.5 web server:

Under "IIS" double-click on the "Logging" icon.

If necessary, in the "Logging" configuration box, redesignate a log path to a location able to house the logs.

Under "Log File Rollover", deselect the "Do not create new log files" setting.

Configure a schedule to rollover log files on a regular basis.

References
CCI: CCI-001849: The organization allocates audit record storage capacity in accordance with organization-defined audit record storage requirements.
NIST SP 800-53 Revision 4 :: AU-4
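A scripted read of the same logging settings, added as an example; it is not code from the stigiis module. For each site it resolves the log directory, reports the free space on that volume against a locally chosen floor (the 10 GB value is an assumption, not a STIG figure), and checks the rollover setting. The rollover test assumes IIS Manager stores "Do not create new log files" as period=MaxSize with truncateSize at its 4294967295 ceiling; confirm that against applicationHost.config on your build before relying on it.

```powershell
# Added example for V-76845; not part of the stigiis module.
Import-Module WebAdministration

$MinFreeGB      = 10            # assumption: local free-space floor, not a STIG number
$NoRolloverSize = 4294967295    # assumption: how "Do not create new log files" is stored

function Test-SiteLogging {
    foreach ($site in Get-Website) {
        $log = $site.logFile
        # Default directory is %SystemDrive%\inetpub\logs\LogFiles; each site writes to W3SVC<id>.
        $dir = Join-Path ([Environment]::ExpandEnvironmentVariables($log.directory)) "W3SVC$($site.Id)"

        $issues = @()
        $freeGB = $null
        if ($dir.StartsWith('\\')) {
            $issues += 'log directory is a UNC path; check free space on the file server'
        } else {
            $driveLetter = ([IO.Path]::GetPathRoot($dir)).Substring(0, 1)
            $freeGB = [math]::Round((Get-PSDrive -Name $driveLetter).Free / 1GB, 1)
            if ($freeGB -lt $MinFreeGB) { $issues += "only $freeGB GB free on ${driveLetter}:" }
        }

        if ($log.logFormat -ne 'W3C') { $issues += "format is $($log.logFormat), not W3C" }
        if ($log.period -eq 'MaxSize' -and [uint64]$log.truncateSize -ge $NoRolloverSize) {
            $issues += '"Do not create new log files" is selected'
        }

        $result = if ($issues.Count -eq 0) { 'compliant' } else { 'finding: ' + ($issues -join '; ') }
        [pscustomobject]@{
            Site = $site.Name; Directory = $dir; Period = $log.period; FreeGB = $freeGB; Result = $result
        }
    }
}

Test-SiteLogging | Format-Table -AutoSize
```

Free space and a rollover schedule only cover the first half of the requirement; the documented process for moving logs off the server is still something to confirm with the administrator, since a full volume silently stops logging and takes the forensic trail with it.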
