Web SRR Checklist IIS
| Name | Web IIS Checklist V6R0.1 |
| Version | Version 6, Release 1.3 |
| Status | Under Review |
| Creation Date | Unknown |
| Revision Date | 2007-05-30 |
| Product Category | Web Site Server |
| Vendor | Microsoft |
| Product | Microsoft Internet Information Server 5.0
Microsoft Internet Information Server 5.1
Microsoft Internet Information Server 6.0 |
| Product Version | Not Applicable. |
| Product Role | Web Site Server |
| Checklist Summary |
This group of checklists covers valuable security-related information for the Microsoft Internet Information Server (IIS). It includes procedures to perform a Security Readiness Review (SRR). Security items covered are based on the Web Server Secure Technology Implementation Guide (STIG) published by DISA. The reviewer is expected to apply systems administration knowledge and be familiar with IIS and Windows operating environments. Windows server experience is beneficial. Users of this checklist will need to be able to navigate NT file systems and understand their security features.
This web server checklist targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to the interruption of production operations. The documentation provides procedures for assessing Internet Information Server. The document is broken into the following sections:
Section 1: Contains specific product requirements for IIS that were not addressed in the Web Server Secure Technology Implementation Guide (STIG) [http://iase.disa.mil/stigs/stig/index.html].
Section 2: Is not applicable to assessing IIS, but is specific to clients of the DISA VMS database.
Section 3: Provides configuration information for IIS 5.0 web server installations, focusing on registry edits, patch management, limiting unnecessary protocols, services, and COM components, backing up data, and the Microsoft Management Console (MMC) settings.
Section 4: Provides configuration information for IIS 5.0 in the areas of indexing, mitigating buffer overflows, scripting, encryption, and configuration of log files.
Section 5: Provides configuration information for IIS 6.0 web server installations, focusing on patch management, limiting unnecessary protocols, services, and COM components, backing up data, and, most heavily, registry edits.
Section 6: Provides configuration information for IIS 6.0 in the areas of indexing, mitigating buffer overflows, scripting, encryption, and configuration of log files.
Note: Specific assessment procedures and information for assessing IIS can be found in all other sections of this checklist bundle, some of which are question-answer oriented. |
| Known Issues | Not Applicable. |
| Target Audience | Developed by DISA for the DOD. This document is intended for those responsible for the configuration and management of information systems. It assumes that the reader has knowledge of web servers and is familiar with common computer terminology. |
| Target Operational Environment | Enterprise and Specialized Security-Limited Functionality. |
| Checklist Installation Tools | URLScan |
| Rollback Capability | Not Applicable. |
| Testing Information | Not Available. |
| NIAP/CMVP Status | Not Available. |
| Regulatory Compliance | DOD Directive 8500.2, DOD Directive 8520.2 |
| Comments, Warnings, Disclaimer, Miscellaneous | Please refer to the Checklist. |
| Disclaimer | Not Available. |
| Product Support | Only available to DOD customers. |
| Submitting Organization/Authors | Defense Information Systems Agency (DISA) |
| Point of Contact | Not Available. |
| Sponsor | Not Available. |
| Licensing | Not Available. |
| Checklist Homepage | http://iase.disa.mil/stigs/checklist/index.html |
| Download Package | http://iase.disa.mil/stigs/checklist/Web_SRR_Checklist_IIS_V6R1-3.zip |
| Integrity | Sha1 (Web_SRR_Checklist_IIS_V6R1-3.zip) = 14321494437b8829e689b7695c25c9e5ede9e25c
Sha256 (Web_SRR_Checklist_IIS_V6R1-3.zip) = 04d660cc89d96fc2f3f91ed8c7a6ab7f398bbe60bfdf44b08755f695832b5cc6 |
| Change History | Version 6, Release 1.2; 2007-04
Version 6, Release 1.3; 2007-05-30 |
| Dependency/Requirement | Web IIS Checklist V6R0.1 |
| References | The following table enumerates the documents and resources consulted:
DOD Directive 8500.2, Information Assurance (IA). 6 February 2003
DOD Directive 8520.2, Information Assurance (IA). 1 April 2004 |
| NIST Identifier | 1117 |
NIST and the checklist submitter do not guarantee or warrant June 4, 2007 not responsible for loss, damage, or
problems that may be caused by using the checklist.
|