The IIS 8.5 web server must only contain functions necessary for operation.

From IIS 8.5 Server Security Technical Implementation Guide

Associated with: CCI-000381

SV-91397r1_rule The IIS 8.5 web server must only contain functions necessary for operation.

Vulnerability discussion

A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.

Check content

Click on “Start”. Open Control Panel. Click on “Programs”. Click on “Programs and Features”. Review the installed programs, if any programs are installed other than those required for the IIS 8.5 web services, this is a finding. Note: If additional software is needed supporting documentation must be signed by the ISSO.

Fix text

Remove all unapproved programs and roles from the production IIS 8.5 web server.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.