# (C) 2016-2017 Tenable Network Security, Inc. # # This script is released under the Tenable Subscription License and # may not be used from within scripts released under another license # without authorization from Tenable Network Security, Inc. # # See the following licenses for details: # # http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf # # @PROFESSIONALFEED@ # # $Revision: 1.8 $ # $Date: 2017/02/07 $ # # description : This .audit is designed against the CIS Security Configuration # Benchmark For Microsoft IIS 7.0/7.5 Version 1.7.1 March 17, 2016. # # NOTE : The audits contained in this audit document are for Level 1 items # of the CIS Microsoft IIS 7.0 benchmark. # # NOTE : The MinorVersion prerequisite below requires the value 0 (IIS 7.0). An IIS 7.5 host # reports a different MinorVersion and will not satisfy that prerequisite, so the benchmark # items apply to IIS 7.0 hosts only unless the prerequisite is adjusted. # type : REGISTRY_SETTING description : "Windows IIS is installed - Major Version - 7" value_type : POLICY_DWORD reg_key : "HKLM\Software\Microsoft\Inetstp" reg_item : "MajorVersion" value_data : 7 type : REGISTRY_SETTING description : "Windows IIS is installed - Minor Version - 0" value_type : POLICY_DWORD reg_key : "HKLM\Software\Microsoft\Inetstp" reg_item : "MinorVersion" value_data : 0 description : "CIS Security Benchmark For Microsoft IIS 7.0 v1.7.1 Level I." 
see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" # ## 1.1 Basic Configurations # type : WMI_POLICY description : "1.1.1 Ensure Web Content Is on Non-System Partition" info : "Isolating web content from system files may reduce the probability of: Web sites/applications exhausting system disk space; a File IO vulnerability in the web site/application affecting the confidentiality and/or integrity of system files" reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "browse to web content in c:\inetpub\wwwroot\ copy or cut content onto a dedicated and restricted web folder on a non-system drive such as d:\webroot\ change mappings for any applications or virtual directories to reflect the new location to change the mapping for the application named app1 which resides under the default web site, open iis manager: expand the server node expand sites expand default web site click on app1 in the actions pane, select basic settings in the physical path text box, put the new location of the application, d:\wwwroot\app1 in the example above" value_type : POLICY_TEXT wmi_namespace : "root/WebAdministration" wmi_request : "SELECT PhysicalPath FROM VirtualDirectory" wmi_attribute : "PhysicalPath" wmi_key : "PhysicalPath" value_data : "%systemdrive%\inetpub\wwwroot" check_type : CHECK_NOT_EQUAL type : AUDIT_IIS_APPCMD description : "1.1.2 Require Host Headers on all Sites" info : "Requiring a Host header for all sites may reduce the probability of: DNS rebinding attacks successfully compromising or abusing site data or functionality; IP-based scans successfully identifying or interacting with a target application hosted on IIS" reference : 
"800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "Obtain a listing of all sites by using the following appcmd.exe command: %systemroot%\system32\inetsrv\appcmd list sites Perform the following in IIS Manager to configure host headers for the Default Web Site: Open IIS Manager In the Connections pane expand the Sites node and select Default Web Site In the Actions pane click Bindings In the Site Bindings dialog box, select the binding for which host headers are going to be configured, Port 80 in this example Click Edit Under host name, enter the site's FQDN, such as <www.examplesite.com> Click OK, then Close Note: Requiring a host header may impair site functionality for HTTP/1.0 clients. Note: the audit regex for this item appears to be satisfied as soon as one binding of the form protocol/*:port:hostname is present in the 'appcmd list sites' output, so a pass does not prove that every site and binding requires a host header, and bindings that use a specific IP address instead of '*' are not matched at all. Review the full command output (only_show_cmd_output is set for this item) rather than relying on the pass/fail result alone." value_type : POLICY_TEXT appcmd_args : "list sites" value_data : '((http|https|ftp)\/\*:[0-9]+:[A-Za-z0-9\._-]+[|,])+' only_show_cmd_output : YES check_type : CHECK_REGEX type : WMI_POLICY description : "1.1.3 Disable Directory Browsing" info : "Ensuring that directory browsing is disabled may reduce the probability of disclosing sensitive content that is inadvertently accessible via IIS." reference : "800-53|AC-6,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,800-171|3.1.5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "Directory Browsing can be set by using the UI, running appcmd.exe commands, by editing configuration files directly, or by writing WMI scripts. 
To disable directory browsing at the server level using an appcmd.exe command: %systemroot%\system32\inetsrv\appcmd set config /section:directoryBrowse /enabled:false" value_type : POLICY_DWORD wmi_namespace : "root/WebAdministration" wmi_request : "SELECT Enabled FROM DirectoryBrowseSection" wmi_attribute : "Enabled" wmi_key : "Enabled" value_data : 0 type : AUDIT_IIS_APPCMD description : "1.1.6 Configure Anonymous User Identity to Use Application Pool Identity" info : "Configuring the anonymous user identity to use the application pool identity will help ensure site isolation - provided sites are set to use the application pool identity. Since a unique principal will run each application pool, it will ensure the identity is least privilege. Additionally, it will simplify Site management." reference : "800-53|AC-6,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,800-171|3.1.5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "The Anonymous User Identity can be set to Application Pool Identity by using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, directly editing the configuration files, or by writing WMI scripts. Perform the following to set the username attribute of the anonymousAuthentication node in the IIS Manager GUI: Open the IIS Manager GUI and navigate to the desired server, site, or application In Features View, find and double-click the Authentication icon Select the Anonymous Authentication option and in the Actions pane select Edit... Choose Application pool identity in the modal window and then press the OK button." 
value_type : POLICY_TEXT appcmd_args : "list config -section:anonymousAuthentication" value_data : 'userName[\\s]*=[\\s]*""' check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.2.1 Configure Global Authorization Rule to Restrict Access - remove users='*'" info : "Configuring a global Authorization rule that restricts access will ensure inheritance of the settings down through the hierarchy of web directories; if that content is copied elsewhere, the authorization rules flow with it. This will ensure access to current and future content is only granted to the appropriate principals, mitigating risk of accidental or unauthorized access." reference : "800-53|AC-3,800-171|3.1.1,CSF|PR.AC-4,CSF|PR.PT-3,ISO/IEC-27001|A.9.4.1,ITSG-33|AC-3,LEVEL|1NS,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "To configure URL Authorization at the server level using IIS Manager: 1. Connect to Internet Information Services (IIS Manager) 2. Select the server 3. Select Authorization Rules 4. Remove the 'Allow All Users' rule 5. Click Add Allow Rule... 6. Allow access to the user(s), user groups, or roles that are authorized across all of the web sites and applications (e.g. the Administrators group) Note: this audit item passes only when the authorization section contains an explicit Deny rule for all users (accessType='Deny' users='*'); removing the 'Allow All Users' rule on its own will not satisfy it, so add an explicit Deny-all rule if that is the intended policy." value_type : POLICY_TEXT appcmd_args : "list config -section:system.webServer/security/authorization" value_data : 'add[\\s]+accessType="Deny"[\\s]+users="*"' check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.2.1 Configure Global Authorization Rule to Restrict Access - add roles='administrators'" info : "Configuring a global Authorization rule that restricts access will ensure inheritance of the settings down through the hierarchy of web directories; if that content is copied elsewhere, the authorization rules flow with it. This will ensure access to current and future content is only granted to the appropriate principals, mitigating risk of accidental or unauthorized access." 
reference : "800-53|AC-3,800-171|3.1.1,CSF|PR.AC-4,CSF|PR.PT-3,ISO/IEC-27001|A.9.4.1,ITSG-33|AC-3,LEVEL|1NS,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "To configure URL Authorization at the server level using IIS Manager: 1. Connect to Internet Information Services (IIS Manager) 2. Select the server 3. Select Authorization Rules 4. Remove the 'Allow All Users' rule 5. Click Add Allow Rule... 6. Allow access to the user(s), user groups, or roles that are authorized across all of the web sites and applications (e.g. the Administrators group)" value_type : POLICY_TEXT appcmd_args : "list config -section:system.webServer/security/authorization" value_data : 'add[\\s]+accessType="Allow"[\\s]+roles="administrators"' check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.2.2 Ensure Access to Sensitive Site Features Is Restricted To Authenticated Principals Only" info : "Configuring authentication will help mitigate the risk of unauthorized users accessing data and/or services, and in some cases reduce the potential harm that can be done to a system." reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,ITSG-33|AC-6,LEVEL|1NS,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "Enabling authentication can be performed by using the user interface (UI), running AppCmd.exe commands in a command-line window, editing configuration files directly, or by writing WMI scripts. To verify an authentication mechanism is in place for sensitive content using the IIS Manager GUI: 1. Open IIS Manager and navigate to level with sensitive content 2. In Features View, double-click Authentication 3. On the Authentication page, make sure an authentication module is enabled, while anonymous authentication is enabled (Forms Authentication can have anonymous as well) 4. 
If necessary, select the desired authentication module, then in the Actions pane, click Enable Note: When configuring an authentication module for the first time, each mechanism must be further configured before use." value_type : POLICY_TEXT appcmd_args : "list config -section:system.web/authentication" value_data : " type : AUDIT_IIS_APPCMD description : "1.2.3 Require SSL in Forms Authentication" info : "Requiring SSL for Forms Authentication will protect the confidentiality of credentials during the login process, helping mitigate the risk of stolen user information." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "Open IIS Manager and navigate to the appropriate tier In Features View, double-click Authentication On the Authentication page, select Forms Authentication In the Actions pane, click Edit Check the Requires SSL checkbox in the cookie settings section, click OK" value_type : POLICY_TEXT appcmd_args : "list config -section:system.web/authentication /text:*" value_data : 'requireSSL[\\s]*:[\\s]*"[Tt][Rr][Uu][Ee]"' check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.2.5 Configure Cookie Protection Mode for Forms Authentication" info : "By encrypting and validating the cookie, the confidentiality and integrity of data within the cookie is assured. This helps mitigate the risk of attacks such as session hijacking and impersonation." 
reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "Cookie protection mode can be configured by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts. Using IIS Manager: Open IIS Manager and navigate to the level where Forms Authentication is enabled In Features View, double-click Authentication On the Authentication page, select Forms Authentication In the Actions pane, click Edit In the Cookie settings section, verify the drop-down for Protection mode is set for Encryption and validation" value_type : POLICY_TEXT appcmd_args : "list config -section:system.web/authentication /text:*" value_data : 'protection[\\s]*:[\\s]*"[Aa][Ll][Ll]"' check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.2.8 Ensure passwordFormat Credentials Element Not Set To Clear" info : "Authentication credentials should always be protected to reduce the risk of stolen authentication credentials." reference : "800-53|IA-5,CSCv6|16.13,CSCv6|16.14,PCI-DSSv3.1|8.2.1,PCI-DSSv3.2|8.2.1,800-171|3.5.10,CSF|PR.AC-1,ITSG-33|IA-5,TBA-FIISB|26.1,800-171|3.5.7,800-171|3.5.8,800-171|3.5.9,LEVEL|1S,PCI-DSS|8.4" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "Authentication mode is configurable at the machine.config, root-level web.config, or application-level web.config: Locate and open the configuration file where the credentials are stored Find the <credentials> element If present, ensure passwordFormat is not set to Clear Change passwordFormat to SHA1 or MD5 The clear text passwords will need to be replaced with the appropriate hashed version. Note: the audit regex accepts SHA1 or MD5, i.e. it only confirms that passwordFormat is not Clear; neither is a strong password-storage hash, so treat this item as a minimum and avoid keeping user credentials in configuration files at all where the application allows it." 
value_type : POLICY_TEXT appcmd_args : "list config -section:system.web/authentication /text:*" value_data : 'passwordFormat *: *"([Ss][Hh][Aa]1|[Mm][Dd]5)"' check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.3.1 Set Deployment Method to Retail" info : "Utilizing the switch specifically intended for production IIS servers will eliminate the risk of vital application and system information leakages that would otherwise occur if tracing or debug were to be left enabled, or customErrors were to be left off." reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "Open the machine.config file located in: %windir%\Microsoft.NET\Framework\<version>\CONFIG Add the line <deployment retail='true' /> within the <system.web> section If systems are 64-bit, do the same for the machine.config located: %windir%\Microsoft.NET\Framework64\<version>\CONFIG" value_type : POLICY_TEXT appcmd_args : "list config -section:system.web/deployment /text:retail" value_data : "true" type : AUDIT_IIS_APPCMD description : "1.3.4 ASP.NET stack tracing is Not Enabled" info : "In an active Web Site, tracing should not be enabled because it can display sensitive configuration and detailed stack trace information to anyone who views the pages in the site. If necessary, the localOnly attribute can be set to true to have trace information displayed only for localhost requests. Ensuring that ASP.NET stack tracing is not on will help mitigate the risk of malicious persons learning detailed stack trace information. Note: review the check logic of this audit item before relying on its result - it is written as CHECK_NOT_REGEX against enabled:'false', the reverse of how item 1.4.5 tests for a false attribute with CHECK_REGEX, so it appears to report a pass when tracing is enabled and a fail when it is disabled." reference : "800-53|SI-11,ITSG-33|SI-11,LEVEL|1S,PCI-DSS|2.2.4" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "1) Ensure <deployment retail='true' /> is set in the machine.config (see item 1.3.1). 2) Remove all attribute references to ASP.NET tracing by deleting the trace and trace enable attributes. 
Per Page: Remove any references to: Trace='true' Per Application: Remove any references to: ... ... " value_type : POLICY_TEXT appcmd_args : "list config -section:system.web/trace /text:*" value_data : '^[\\s]*enabled[\\s]*:[\\s]*"[\\s]*[Ff][Aa][Ll][Ss][Ee][\\s]*"' check_type : CHECK_NOT_REGEX type : AUDIT_IIS_APPCMD description : "1.3.7 Configure MachineKey Validation Method - .Net 3.5" info : "Setting the validation property to AES will provide confidentiality and integrity protection to the viewstate. AES is the strongest encryption algorithm supported by the validation property. Setting the validation property to SHA1 will provide integrity protection to the viewstate. SHA1 is the strongest hashing algorithm supported by the validation property." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1NS,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "Machine key encryption can be set by using the UI, running appcmd.exe commands, by editing configuration files directly, or by writing WMI scripts. To set the Machine Key encryption at the global level using an appcmd.exe command: %systemroot%\system32\inetsrv\appcmd set config /commit:WEBROOT /section:machineKey /validation:SHA1 Note: When Appcmd.exe is used to configure the element at the global level in IIS 7.0, the /commit:WEBROOT switch must be included so that configuration changes are made to the root web.config file instead of ApplicationHost.config." value_type : POLICY_TEXT appcmd_args : "list config -section:system.web/machineKey /text:validation" value_data : '[Ss][Hh][Aa]1' check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.3.8 Configure MachineKey Validation Method - .Net 4.5" info : "SHA-2 is the strongest hashing algorithm supported by the validation property so it should be used as the validation method for the MachineKey in .Net 4.5." 
reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1NS,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "Machine key validation can be set by using the UI, running appcmd.exe commands, by editing configuration files directly, or by writing WMI scripts. To set the Machine Key validation method to HMACSHA256 (.NET 4.5) at the global level using an appcmd.exe command: %systemroot%\system32\inetsrv\appcmd set config /commit:WEBROOT /section:machineKey /validation:HMACSHA256 Note: When Appcmd.exe is used to configure the element at the global level in IIS 7.0, the /commit:WEBROOT switch must be included so that configuration changes are made to the root web.config file instead of ApplicationHost.config. Note: the audit regex for this item matches HMACSHA256 only; a server configured with any other SHA-2 based validation value will be reported as failing and should be reviewed manually." value_type : POLICY_TEXT appcmd_args : "list config -section:system.web/machineKey /text:validation" value_data : '[Hh][Mm][Aa][Cc][Ss][Hh][Aa]256' check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.3.9 Configure Global .NET Trust Level" info : "Code Access Security (CAS) determines the permissions that are granted to the application on the server. Setting a minimal level of trust that is compatible with the applications will limit the potential harm that a compromised application could cause to a system." reference : "800-53|AC-6,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,800-171|3.1.5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1NS,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "Trust level can be set by using the UI, running appcmd.exe commands, by editing configuration files directly, or by writing WMI scripts. 
To set the .Net Trust Level to Medium at the server level using an appcmd.exe command: %systemroot%\system32\inetsrv\appcmd set config /commit:WEBROOT /section:trust /level:Medium Note: When Appcmd.exe is used to configure the element at the global level in IIS 7.0, the /commit:WEBROOT switch must be included so that configuration changes are made to the root web.config file instead of ApplicationHost.config. The machine.config file can contain a <location> tag that prevents the trust level from being overridden at the web.config level. If this is done, web.config files that specify a trust level will cause the site to break. To implement this configuration, wrap the <trust level='Medium' /> element in a <location> element that disallows override in the machine.config file (see the benchmark for the exact markup). " value_type : POLICY_TEXT appcmd_args : "list config -section:system.web/trust /text:level" value_data : "[Mm][Ee][Dd][Ii][Uu][Mm]" check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.3.10 Hide IIS HTTP Detailed Errors from Displaying Remotely" info : "The information contained in detailed error messages can provide clues as to how applications function, opening up unnecessary attack vectors. Ensuring detailed errors are never displayed remotely can help mitigate the risk of malicious persons obtaining information as to how the application works." 
reference : "800-53|SI-11,ITSG-33|SI-11,LEVEL|1S,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "The following describes how to change the errorMode attribute to DetailedLocalOnly or Custom for a Web site by using IIS Manager: Open IIS Manager with Administrative privileges In the Connections pane on the left, expand the server, then expand the Sites folder Select the Web site or application to be configured In Features View, select Error Pages, in the Actions pane, select Open Feature In the Actions pane, select Edit Feature Settings In the Edit Error Pages Settings dialog, under Error Responses, select either Custom error pages or Detailed errors for local requests and custom error pages for remote requests Click OK and exit the Edit Error Pages Settings dialog Note: this audit item passes only when errorMode is DetailedLocalOnly; a server set to Custom also satisfies the benchmark but will be reported as failing and should be reviewed manually. The appcmd query is run without a site path, so site- or application-level overrides of errorMode are presumably not examined - confirm per-site settings separately." value_type : POLICY_TEXT appcmd_args : "list config -section:httpErrors /text:errorMode" value_data : "[Dd][Ee][Tt][Aa][Ii][Ll][Ee][Dd][Ll][Oo][Cc][Aa][Ll][Oo][Nn][Ll][Yy]" check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.4.5 Ensure Double-Encoded Requests will be Rejected" info : "This feature will help prevent attacks that rely on URLs that have been crafted to contain double-encoded request(s)." reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "The allowDoubleEscaping Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI: Open Internet Information Services (IIS) Manager In the Connections pane, select the site, application, or directory to be configured In the Home pane, double-click Request Filtering Click Edit Feature Settings... 
in the Actions pane Under the General section, uncheck Allow double escaping If a file name in a URL includes '+' then allowDoubleEscaping must be set to true to allow functionality." value_type : POLICY_TEXT appcmd_args : "list config -section:requestFiltering /text:*" value_data : '^[\\s]*allowDoubleEscaping[\\s]*:[\\s]*"[Ff][Aa][Ll][Ss][Ee]"[\\s]*$' check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.4.6 Disallow Unlisted File Extensions" info : "Disallowing all but the necessary file extensions can greatly reduce the attack surface of applications and servers." reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,PCI-DSS|2.2.4" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "The allowUnlisted Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files. To configure at the server level using the IIS Manager GUI: Open Internet Information Services (IIS) Manager In the Connections pane, select the server In the Home pane, double-click Request Filtering Click Edit Feature Settings... in the Actions pane Under the General section, uncheck Allow unlisted file name extensions To set this Request Filter using an AppCmd.exe command, run the following command at an elevated command prompt: %windir%\system32\inetsrv\appcmd set config /section:requestfiltering /fileExtensions.allowunlisted:false Note: the audit regex for this item matches any allowUnlisted attribute in the requestFiltering output; if other child elements of requestFiltering also expose an allowUnlisted attribute, the regex cannot distinguish them from fileExtensions.allowUnlisted, so confirm the fileExtensions value specifically in the appcmd output." value_type : POLICY_TEXT appcmd_args : "list config -section:requestFiltering /text:*" value_data : '^[\\s]*allowUnlisted[\\s]*:[\\s]*"[Ff][Aa][Ll][Ss][Ee]"[\\s]*$' check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.4.7 Ensure Handler is not granted Write and Script/Execute" info : "By allowing both Execute/Script and Write permissions, a handler can run malicious code on the target server. 
Ensuring these two permissions are never together will help lower the risk of malicious code being executed on the server." reference : "800-53|AC-6,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,800-171|3.1.5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "The accessPolicy attribute in the <handlers> section of either the ApplicationHost.config (server-wide) or web.config (site or application) must not have Write present when Script or Execute are present. To resolve this issue for a Web server, the accessPolicy attribute in the <handlers> section of the ApplicationHost.config file for the server must manually be edited. To edit the ApplicationHost.config file by using Notepad, perform the following steps: Open Notepad as Administrator Open the ApplicationHost.config file in %windir%\system32\inetsrv\config Edit the <handlers> section's accessPolicy attribute so that Write is not present when Script or Execute are present Note: This configuration change cannot be made by using IIS Manager. Note: this audit item only confirms that Read appears in the server-level accessPolicy value; it does not detect Write being combined with Script or Execute, so review the accessPolicy output manually for that combination rather than relying on the pass result." value_type : POLICY_TEXT appcmd_args : "list config -section:handlers /text:accessPolicy" value_data : '[Rr][Ee][Aa][Dd]' check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.4.8 Ensure Configuration Attribute notListedIsapisAllowed set to false" info : "Restricting this attribute to false will help prevent potentially malicious ISAPI extensions from being run." 
reference : "800-53|SC-18,800-171|3.13.13,CSF|DE.CM-5,ITSG-33|SC-18,LEVEL|1S,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "To use IIS Manager to set the notListedIsapisAllowed attribute to false: Open IIS Manager as Administrator In the Connections pane on the left, select server to be configured In Features View, select ISAPI and CGI Restrictions; in the Actions pane, select Open Feature In the Actions pane, select Edit Feature Settings In the Edit ISAPI and CGI Restrictions Settings dialog, clear the Allow unspecified ISAPI modules check box, if checked Click OK" value_type : POLICY_TEXT appcmd_args : "list config -section:isapiCgiRestriction /text:notListedIsapisAllowed" value_data : "[Ff][Aa][Ll][Ss][Ee]" check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.4.9 Ensure Configuration Attribute notListedCgisAllowed set to false" info : "Restricting this attribute to false will help prevent unlisted CGI extensions, including potentially malicious CGI scripts from being run." 
reference : "800-53|SC-18,800-171|3.13.13,CSF|DE.CM-5,ITSG-33|SC-18,LEVEL|1NS,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "To set the notListedCgisAllowed attribute to false using IIS Manager: Open IIS Manager as Administrator In the Connections pane on the left, select the server to configure In Features View, select ISAPI and CGI Restrictions; in the Actions pane, select Open Feature In the Actions pane, select Edit Feature Settings In the Edit ISAPI and CGI Restrictions Settings dialog, clear the Allow unspecified CGI modules check box Click OK" value_type : POLICY_TEXT appcmd_args : "list config -section:isapiCgiRestriction /text:notListedCgisAllowed" value_data : "[Ff][Aa][Ll][Ss][Ee]" check_type : CHECK_REGEX type : AUDIT_IIS_APPCMD description : "1.4.10 Disable HTTP Trace Method" info : "Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data. This risk can be mitigated by not allowing the TRACE verb." reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "Open Internet Information Services (IIS) Manager In the Connections pane, select the site, application, or directory to be configured In the Home pane, double-click Request Filtering In the Request Filtering pane, click the HTTP verbs tab, and then click Deny Verb... 
in the Actions pane In the Deny Verb dialog box, enter the TRACE, and then click OK" value_type : POLICY_TEXT appcmd_args : "list config -section:requestFiltering" value_data : ' type : AUDIT_IIS_APPCMD description : "1.5.1 Move Default IIS Web Log Location" info : "Moving IIS logging to a restricted, non-system drive will help mitigate the risk of logs being maliciously altered, removed, or lost in the event of system drive failure(s)." reference : "800-53|AU-9,800-171|3.3.8,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,LEVEL|1S,PCI-DSS|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "moving the default log location can be easily accomplished using the logging feature in the iis management ui or appcmd.exe. to change to d:\logfiles using appcmd.exe: %windir%\system32\inetsrv\appcmd set config -section:sites -sitedefaults.logfile.directory:'d:\logfiles' moving log file stores to a non-system drive or partition separate from where web applications run and/or content is served is preferred. additionally, folder-level ntfs permissions should be set as restrictive as possible; administrators and system are typically the only principals requiring access. note: while standard iis logs can be moved and edited using iis manager, additional management tool add-ons are required in order to manage logs generated by other iis features, such as request filtering and iis advanced logging. these add-ons can be obtained using the web platform installer or from microsoft's site. 
the httperr logging location can be changed by adding a registry key note: this audit item compares only the siteDefaults log directory; individual sites that override the default log location are not examined and should be checked separately." value_type : POLICY_TEXT appcmd_args : "list config -section:sites /text:siteDefaults.logfile.directory" value_data : "%systemdrive%\inetpub\logs\LogFiles" check_type : CHECK_NOT_EQUAL type : FILE_CHECK description : "1.5.2 Enable Advanced IIS Logging" info : "Many of the fields available in Advanced Logging can provide extensive, real-time data and details not otherwise obtainable. Developers and security professionals can use this information to identify and remediate application vulnerabilities/attack patterns." reference : "800-53|AU-9,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.3.8,800-171|3.3.9,CSF|PR.PT-1,ITSG-33|AU-9,LEVEL|1S,PCI-DSS|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "IIS Advanced Logging can be configured for servers, Web sites, and directories in IIS Manager. To enable Advanced Logging using the UI: Open Internet Information Services (IIS) Manager Click the server in the Connections pane Double-click the Advanced Logging icon on the Home page Click Enable Advanced Logging in the Actions pane The fields that will be logged need to be configured using the Edit Logging Fields action. As with IIS's standard log files, their location should be changed. Note: There may be performance considerations depending on the extent of the configuration. Note: this audit item only verifies that the directory given in value_data exists (file_option MUST_EXIST); it does not confirm that Advanced Logging is enabled or which fields are logged. If the Advanced Logging location was moved off the system drive in line with item 1.5.1, update value_data to the new path, otherwise the item will fail on a compliant server." value_type : POLICY_TEXT # Note: Variable @LOG_FILES@ replaced with "C:\\inetpub\\logs\\AdvancedLogs" in field "# Note". # Note: Variable C:\\inetpub\\logs\\AdvancedLogs replaced with "C:\\inetpub\\logs\\AdvancedLogs" in field "value_data". # Note: adjust this path if Advanced Logging output has been relocated (see item 1.5.1); MUST_EXIST only confirms the directory is present. value_data : "C:\\inetpub\\logs\\AdvancedLogs" file_option : MUST_EXIST type : REGISTRY_SETTING description : "1.7.1 Disable PCT 1.0 - 'Enabled = 0'" info : "Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data." 
reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "perform the following to disable pct 1.0: 1. set the following key to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\server\enabled 2. set the following key to 1. hklm\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\server\disabledbydefault" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Protocols\Pct 1.0\Server" reg_item : "Enabled" reg_type : REG_DWORD value_data : 0 reg_option : CAN_BE_NULL type : REGISTRY_SETTING description : "1.7.1 Disable PCT 1.0 - 'DisabledByDefault = 1'" info : "Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "perform the following to disable pct 1.0: 1. set the following key to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\server\enabled 2. set the following key to 1. 
hklm\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\server\disabledbydefault" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Protocols\Pct 1.0\Server" reg_item : "DisabledByDefault" reg_type : REG_DWORD value_data : 1 reg_option : CAN_BE_NULL type : REGISTRY_SETTING description : "1.7.2 Disable SSLv2 - 'DisabledByDefault = 1'" info : "Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "perform the following to disable ssl 2.0: 1. set the following key to 1. hklm\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\server\disabledbydefault 2. set the following key is to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\server\enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Protocols\Ssl 2.0\Server" reg_item : "DisabledByDefault" reg_type : REG_DWORD value_data : 1 reg_option : CAN_NOT_BE_NULL type : REGISTRY_SETTING description : "1.7.2 Disable SSLv2 - 'Enabled = 0'" info : "Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data." reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "perform the following to disable ssl 2.0: 1. set the following key to 1. hklm\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\server\disabledbydefault 2. 
set the following key is to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\server\enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Protocols\Ssl 2.0\Server" reg_item : "Enabled" reg_type : REG_DWORD value_data : 0 reg_option : CAN_NOT_BE_NULL type : REGISTRY_SETTING description : "1.7.3 Disable SSLv3 - 'Enabled = 0'" info : "Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data." reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "perform the following to disable ssl 3.0: 1. set the following key to 1. hklm\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\server\disabledbydefault 2. set the following keyto 0. hklm\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\server\enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Protocols\Ssl 3.0\Server" reg_item : "Enabled" reg_type : REG_DWORD value_data : 0 reg_option : CAN_NOT_BE_NULL type : REGISTRY_SETTING description : "1.7.3 Disable SSLv3 - 'DisabledByDefault = 1'" info : "Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "perform the following to disable ssl 3.0: 1. set the following key to 1. hklm\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\server\disabledbydefault 2. 
set the following key to 0.
reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "perform the following to disable tls 1.0: 1. set the following key to 1 hklm\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\server\enabled 2. set the following key to 1 hklm\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\server\disabledbydefault" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Protocols\Tls 1.0\Server" reg_item : "Enabled" reg_type : REG_DWORD value_data : 0 reg_option : CAN_NOT_BE_NULL type : REGISTRY_SETTING description : "1.7.7 Disable NULL Cipher Suites" info : "By disabling the NULL cipher, there is a better chance of maintaining data confidentiality and integrity." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "To disable the NULL cipher, ensure the following key is absent. If the key is present, ensure it is set to 0. HKLM System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL\Enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Ciphers\Null" reg_item : "Enabled" reg_type : REG_DWORD value_data : 0 reg_option : CAN_BE_NULL type : REGISTRY_SETTING description : "1.7.8 Disable DES Cipher Suites" info : "By disabling DES, there is a better chance of maintaining data confidentiality and integrity." 
reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "to disable des 56/56, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\des 56/56\enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Ciphers\Des 56/56" reg_item : "Enabled" reg_type : REG_DWORD value_data : 0 reg_option : CAN_BE_NULL type : REGISTRY_SETTING description : "1.7.9 Disable RC2 Cipher Suites - 'RC2 40/128'" info : "By disabling RC2, there is a better chance of maintaining data confidentiality and integrity." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "to disable rc2 40/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc2 40/128\enabled to disable rc2 56/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc2 56/128\enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Ciphers\Rc2 40/128" reg_item : "Enabled" reg_type : REG_DWORD value_data : 0 reg_option : CAN_BE_NULL type : REGISTRY_SETTING description : "1.7.9 Disable RC2 Cipher Suites - 'RC2 56/128'" info : "By disabling RC2, there is a better chance of maintaining data confidentiality and integrity." 
reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "to disable rc2 40/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc2 40/128\enabled to disable rc2 56/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc2 56/128\enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Ciphers\Rc2 56/128" reg_item : "Enabled" reg_type : REG_DWORD value_data : 0 reg_option : CAN_BE_NULL type : REGISTRY_SETTING description : "1.7.10 Disable RC4 Cipher Suites - 'RC4 40/128'" info : "The use of RC4 may increase an adversaries ability to read sensitive information sent over SSL/TLS." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "to disable rc4 40/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm \system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 40/128\enabled to disable rc4 56/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 56/128\enabled to disable rc4 64/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 64/128\enabled to disable rc4 128/128, ensure the following key is set to 0. 
rc4 128/128 is not enabled by default on server 2008 sp2 but is enabled by default on r2. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 128/128\enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Ciphers\Rc4 40/128" reg_item : "Enabled" reg_type : REG_DWORD value_data : 0 reg_option : CAN_BE_NULL type : REGISTRY_SETTING description : "1.7.10 Disable RC4 Cipher Suites - 'RC4 56/128'" info : "The use of RC4 may increase an adversaries ability to read sensitive information sent over SSL/TLS." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "to disable rc4 40/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm \system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 40/128\enabled to disable rc4 56/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 56/128\enabled to disable rc4 64/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 64/128\enabled to disable rc4 128/128, ensure the following key is set to 0. rc4 128/128 is not enabled by default on server 2008 sp2 but is enabled by default on r2. 
hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 128/128\enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Ciphers\Rc4 56/128" reg_item : "Enabled" reg_type : REG_DWORD value_data : 0 reg_option : CAN_BE_NULL type : REGISTRY_SETTING description : "1.7.10 Disable RC4 Cipher Suites - 'RC4 64/128'" info : "The use of RC4 may increase an adversaries ability to read sensitive information sent over SSL/TLS." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "to disable rc4 40/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm \system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 40/128\enabled to disable rc4 56/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 56/128\enabled to disable rc4 64/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 64/128\enabled to disable rc4 128/128, ensure the following key is set to 0. rc4 128/128 is not enabled by default on server 2008 sp2 but is enabled by default on r2. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 128/128\enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Ciphers\Rc4 64/128" reg_item : "Enabled" reg_type : REG_DWORD value_data : 0 reg_option : CAN_BE_NULL type : REGISTRY_SETTING description : "1.7.10 Disable RC4 Cipher Suites - 'RC4 128/128'" info : "The use of RC4 may increase an adversaries ability to read sensitive information sent over SSL/TLS." 
reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "to disable rc4 40/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm \system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 40/128\enabled to disable rc4 56/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 56/128\enabled to disable rc4 64/128, ensure the following key is absent. if the key is present, ensure it is set to 0. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 64/128\enabled to disable rc4 128/128, ensure the following key is set to 0. rc4 128/128 is not enabled by default on server 2008 sp2 but is enabled by default on r2. hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\rc4 128/128\enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Ciphers\Rc4 128/128" reg_item : "Enabled" reg_type : REG_DWORD value_data : 0 reg_option : CAN_BE_NULL type : REGISTRY_SETTING description : "1.7.11 Configure Triple DES Cipher Suites" info : "This item is Not Scored for the following reasons: Enabling AES 256/256 is recommended. This cipher does not suffer from known practical attacks." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1NS" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "to enable triple des 168/168, ensure the following key is set to 0xffffffff. the triple des 168/168 cipher is not enabled by default on server 2008 sp2 and is enabled by default on server 2008 r2. 
hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\triple des 168/168\enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Ciphers\Triple Des 168/168" reg_item : "Enabled" reg_type : REG_DWORD value_data : 4294967295 reg_option : CAN_BE_NULL type : REGISTRY_SETTING description : "1.7.12 Configure AES 128/128 Cipher Suite" info : "This item is Not Scored for the following reasons: Enabling AES 256/256 is recommended. This cipher does not suffer from known practical attacks." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1NS" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "to enable aes 128/128, ensure the following key is set to 0xffffffff: hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\aes 128/128\enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Ciphers\Aes 128/128" reg_item : "Enabled" reg_type : REG_DWORD value_data : 4294967295 reg_option : CAN_BE_NULL type : REGISTRY_SETTING description : "1.7.13 Enable AES 256/256 Cipher Suite" info : "Enabling this cipher will help ensure the confidentiality and integrity of data in transit." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf" solution : "to enable aes 256/256, ensure the following key is set to 0xffffffff. 
hklm\system\currentcontrolset\control\securityproviders\schannel\ciphers\aes 256/256\enabled" value_type : POLICY_DWORD reg_key : "HKLM\System\Currentcontrolset\Control\Securityproviders\Schannel\Ciphers\Aes 256/256" reg_item : "Enabled" reg_type : REG_DWORD value_data : 4294967295 reg_option : CAN_BE_NULL description : "Windows IIS 7.0 is not installed" info : "Windows IIS 7.0 is not installed or the Remote Registry Service is disabled." see_also : "https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf"