{
  "format_version": 3,
  "policy": {
    "external_id": "20588f0c067821ca7f35dbd0d35b1495",
    "name": "CIS Microsoft IIS 10 Benchmark v1.2.1 - Level 1",
    "version": "1.0.0",
    "description": "CIS Level 1 hardening profile for Microsoft IIS 10 on Windows Server 2016/2019/2022. Covers directory browsing, WebDAV, forms-authentication cookies, debug compilation, detailed error page leakage, the TRACE method, HSTS, and SCHANNEL TLS protocol registry settings. Requires PowerShell with the WebAdministration module on the agent.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "cb741046df11e5e828e593f568c0fad1",
      "name": "1.3 — Ensure 'Directory browsing' is set to Disabled",
      "description": "IIS directory browsing exposes the file system layout of a site to anonymous users.",
      "rational": "Listing directory contents leaks naming conventions, helper files, and backups that aid further attacks.",
      "remediation": "powershell -Command \"Set-WebConfigurationProperty -Filter '/system.webServer/directoryBrowse' -Name 'enabled' -Value $false -PSPath 'IIS:\\\\'\"",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "powershell -NoProfile -Command \"(Get-WebConfigurationProperty -Filter '/system.webServer/directoryBrowse' -Name 'enabled' -PSPath 'IIS:\\\\').Value\"",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "False"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "861b9f02b98e7da4e4dd2e3fe0814891",
      "name": "1.7 — Ensure WebDAV feature is disabled",
      "description": "The WebDAV publishing feature allows authoring of web content over HTTP.",
      "rational": "WebDAV exposes additional verbs that have historically been the target of authentication-bypass and RCE exploits.",
      "remediation": "powershell -Command \"Uninstall-WindowsFeature -Name Web-DAV-Publishing\"",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "powershell -NoProfile -Command \"(Get-WindowsFeature Web-DAV-Publishing).Installed\"",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "False"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "3348fa0e9da3b1bb148e71517b2722e6",
      "name": "2.4 — Ensure 'forms authentication' is set to use cookies",
      "description": "Forms-based auth tokens must be carried in cookies, not URLs.",
      "rational": "URL-borne auth tokens leak via Referer, browser history, and proxy logs.",
      "remediation": "Set cookieless=\"UseCookies\" on the <forms> element under <system.web><authentication>.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "powershell -NoProfile -Command \"(Get-WebConfigurationProperty -Filter '/system.web/authentication/forms' -Name cookieless -PSPath 'MACHINE/WEBROOT/APPHOST').Value\"",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "UseCookies"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "8c308dd36fa96790d877fd0d8069643a",
      "name": "3.2 — Ensure 'debug' is turned off",
      "description": "ASP.NET debug compilation should be off in production.",
      "rational": "Debug-compiled assemblies expose source paths and disable optimisations.",
      "remediation": "Set <compilation debug=\"false\" /> in the application's web.config.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "powershell -NoProfile -Command \"(Get-WebConfigurationProperty -Filter '/system.web/compilation' -Name debug -PSPath 'MACHINE/WEBROOT/APPHOST').Value\"",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "False"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "7259f53e243de616016487346dae0a4a",
      "name": "3.4 — Ensure IIS HTTP detailed errors are hidden from displaying remotely",
      "description": "Detailed error pages can leak internal paths and stack traces to remote clients.",
      "rational": "Limiting detailed errors to local requests prevents reconnaissance via induced errors.",
      "remediation": "Set <httpErrors errorMode=\"DetailedLocalOnly\" /> in applicationHost.config.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "powershell -NoProfile -Command \"(Get-WebConfigurationProperty -Filter '/system.webServer/httpErrors' -Name errorMode -PSPath 'MACHINE/WEBROOT/APPHOST').Value\"",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "Detailed"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "e06073d67d538fedd474d6d93b8109e5",
      "name": "4.6 — Ensure 'HTTP Trace Method' is disabled",
      "description": "The HTTP TRACE method echoes requests and can be abused via cross-site tracing.",
      "rational": "Disabling TRACE removes an avenue for credential exfiltration via reflected headers.",
      "remediation": "Add a Request Filtering rule denying the TRACE verb in applicationHost.config.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "powershell -NoProfile -Command \"(Get-WebConfigurationProperty -Filter '/system.webServer/security/requestFiltering/verbs/add[@verb=\\\"TRACE\\\"]' -Name allowed -PSPath 'MACHINE/WEBROOT/APPHOST').Value\"",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "False"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "ad35d124c587e0c953493a993ec18b8a",
      "name": "7.1 — Ensure HSTS Header is set",
      "description": "HTTP Strict Transport Security forces clients to use HTTPS for the configured lifetime. This check only verifies that the header is present with a non-empty value; the max-age directive itself is not validated.",
      "rational": "HSTS defeats SSL-stripping attacks against returning users.",
      "remediation": "Add `<add name=\"Strict-Transport-Security\" value=\"max-age=63072000\" />` under customHeaders.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "powershell -NoProfile -Command \"(Get-WebConfigurationProperty -Filter '/system.webServer/httpProtocol/customHeaders/add[@name=\\\"Strict-Transport-Security\\\"]' -Name value -PSPath 'MACHINE/WEBROOT/APPHOST').Value\"",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "d1e6671b345c45b0c776f2c5aaf7cbf8",
      "name": "7.2 — Ensure SSLv2 is Disabled",
      "description": "SSLv2 is cryptographically broken and must be disabled.",
      "rational": "Any session negotiated with SSLv2 can be trivially decrypted by an in-path attacker.",
      "remediation": "Set HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 2.0\\Server!Enabled=0.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "powershell -NoProfile -Command \"(Get-ItemProperty 'HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\SCHANNEL\\\\Protocols\\\\SSL 2.0\\\\Server' -ErrorAction SilentlyContinue).Enabled\"",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "540e35dd5ad230411fc8486cfb8c9fe8",
      "name": "7.3 — Ensure SSLv3 is Disabled",
      "description": "SSLv3 is vulnerable to POODLE and must be disabled.",
      "rational": "POODLE allows recovery of plaintext from SSLv3 sessions in a feasible number of requests.",
      "remediation": "Set HKLM\\...\\Protocols\\SSL 3.0\\Server!Enabled=0.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "powershell -NoProfile -Command \"(Get-ItemProperty 'HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\SCHANNEL\\\\Protocols\\\\SSL 3.0\\\\Server' -ErrorAction SilentlyContinue).Enabled\"",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "692b91dc8625a9a81ea53a828f135dd8",
      "name": "7.4 — Ensure TLS 1.0 is Disabled",
      "description": "TLS 1.0 has known weaknesses (e.g. BEAST, and its reliance on RC4) and is deprecated.",
      "rational": "PCI DSS and most modern compliance regimes require TLS 1.0 to be disabled.",
      "remediation": "Set HKLM\\...\\Protocols\\TLS 1.0\\Server!Enabled=0.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "powershell -NoProfile -Command \"(Get-ItemProperty 'HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\SCHANNEL\\\\Protocols\\\\TLS 1.0\\\\Server' -ErrorAction SilentlyContinue).Enabled\"",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "debfb731640bca6e7fe2c24996065e01",
      "name": "7.5 — Ensure TLS 1.1 is Disabled",
      "description": "TLS 1.1 is deprecated and should be disabled in favour of TLS 1.2/1.3.",
      "rational": "Browser and OS vendors have removed support for TLS 1.1; leaving it enabled only helps insecure clients.",
      "remediation": "Set HKLM\\...\\Protocols\\TLS 1.1\\Server!Enabled=0.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "powershell -NoProfile -Command \"(Get-ItemProperty 'HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\SCHANNEL\\\\Protocols\\\\TLS 1.1\\\\Server' -ErrorAction SilentlyContinue).Enabled\"",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "befb01d8475bf18b176a4b87e1c6586d",
      "name": "7.6 — Ensure TLS 1.2 is Enabled",
      "description": "TLS 1.2 must be explicitly enabled because earlier Windows versions left it disabled by default.",
      "rational": "Without TLS 1.2 enabled, clients cannot establish a secure connection with current ciphers.",
      "remediation": "Set HKLM\\...\\Protocols\\TLS 1.2\\Server!Enabled=1 (DWORD).",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "powershell -NoProfile -Command \"(Get-ItemProperty 'HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\SCHANNEL\\\\Protocols\\\\TLS 1.2\\\\Server' -ErrorAction SilentlyContinue).Enabled\"",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": []
    }
  ]
}