IIS 6.0 STIG Version 6, Release 16 Checklist Details

Target:

Target:
Microsoft Internet Information Services 6.0
CPE Name:
cpe:/a:microsoft:iis:6.0

Checklist Highlights

Checklist Name:
IIS 6.0 STIG
Checklist ID:
399
Version:
Version 6, Release 16
Type:
Compliance
Review Status:
Archived
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
10/31/2011

Checklist Summary:

Microsoft Internet Information Server (IIS) is a web server currently licensed and distributed to the DoD by the Microsoft Corporation. This STIG covers IIS version 6.0 running on Windows Server 2003. The web server must be configured to protect classified, unclassified, and/or restricted data, such as Personally Identifiable Information (PII), as well as data approved for public release. Immediate risks inherent to this role are external attacks and accidental exposure. Although security controls and infrastructure devices (such as firewalls, intrusion detection systems, and baseline integrity checking tools) offer some defense against malicious activity, security for web servers is best achieved through implementing a comprehensive defense-in-depth strategy. This strategy should include, but is not limited to, a server configuration to prevent system compromise; operational procedures for posting data to avoid accidental exposure; proper placement of the server within the network infrastructure; and the allowance or denial of Ports, Protocols, and Services (PPS) used to access the web server.

Checklist Role:

  • Web Server

Known Issues:

Not provided.

Target Audience:

This document is a requirement for all DoD-owned information systems and DoD-controlled information systems operated by a contractor and/or other entity on behalf of the DoD that receive, process, store, display, or transmit DoD information, regardless of classification and/or sensitivity.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

This STIG covers IIS version 6.0 running on Windows Server 2003.

Regulatory Compliance:

DoD Directive 8500.1

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

Not provided.

Product Support:

Not provided.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Microsoft Internet Information Server (IIS) is a web server currently licensed and distributed to the DoD by the Microsoft Corporation.

Change History:

Version 6, Release 14 - 30 October 2014
Updated status to "Final" - 07 January 2015
Updated "Point of Contact" - 15 January 2015
Version 6, Release 15 - 23 January 2015
Updated URL to reflect change to the DISA website - http --> https
Moved to archive status - 4/15/19
Updated URLs - 6/7/19
Updated URLs - 9/11/19

NIST checklist record last modified on 09/11/2019