The Idle Time-out monitor for each IIS 8.5 website must be enabled.

From IIS 8.5 Site Security Technical Implementation Guide

Part of SRG-APP-000295-WSR-000012

Associated with: CCI-002361

SV-91535r1_rule The Idle Time-out monitor for each IIS 8.5 website must be enabled.

Vulnerability discussion

The idle time-out attribute controls the amount of time a worker process will remain idle before it shuts down. A worker process is idle if it is not processing requests and no new requests are received.The purpose of this attribute is to conserve system resources; the default value for idle time-out is 20 minutes.By default, the World Wide Web (WWW) service establishes an overlapped recycle, in which the worker process to be shut down is kept running until after a new worker process is started.

Check content

Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the Application Pools. Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. Scroll down to the "Process Model" section and verify the value for "Idle Time-out" is set to "20". If the "Idle Time-out" is not set to "20" or less, this is a finding.

Fix text

Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the Application Pools. Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. Scroll down to the "Process Model" section and set the value for "Idle Time-out" to "20" or less.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer