OCA Area Detail - Web Server

Back to Reports

Web Server

IIS, Apache, web applications

No Downgrade

35.5%

Combined Weighted Score

Score Breakdown

5 / 14

CAT I Open / Total

35.7% open rate (weight: 10)

61 / 195

CAT II Open / Total

31.3% open rate (weight: 4)

3 / 6

CAT III Open / Total

50.0% open rate (weight: 1)

Percentages are open-rate values (`Open / Total`). Closed/compliance rate is `100% - open rate`.

Checklist Files Contributing to This Area (12)

These hostname + STIG combinations are mapped to this assessment area

Checklist File	Hostname	STIG Benchmark	Version	Actions
MONT-DP-001_IIS10Site_Default_Web_Site_V2R12_20251023-143912.ckl	MONT-DP-001	Microsoft IIS 10.0 Site Security Technical Implementation Guide	V2R12 Outdated: Latest V2R15	Edit
MONT-DP-001_IIS10Site_Default_Web_Site_V2R12_20251023-143912.ckl	MONT-DP-001	Microsoft IIS 10.0 Site Security Technical Implementation Guide	V2R15	Edit
MONT-DP-001_IIS10Server_V3R4_20251023-143809.ckl	MONT-DP-001	Microsoft IIS 10.0 Server Security Technical Implementation Guide	V3R7	Edit
MONT-DP-001_IIS10Server_V3R4_20251023-143809.ckl	MONT-DP-001	Microsoft IIS 10.0 Server Security Technical Implementation Guide	V3R6 Outdated: Latest V3R7	Edit
MONT-DP-001_IIS10Server_V3R4_20251023-143809.ckl	MONT-DP-001	Microsoft IIS 10.0 Server Security Technical Implementation Guide	V3R4 Outdated: Latest V3R7	Edit
MONT-MB-002_IIS10Site_Exchange_Back_End_V2R12_20251023-152602.ckl	MONT-MB-002	Microsoft IIS 10.0 Site Security Technical Implementation Guide	V2R12 Outdated: Latest V2R15	Edit
MONT-MB-002_IIS10Site_Exchange_Back_End_V2R12_20251023-152602.ckl	MONT-MB-002	Microsoft IIS 10.0 Site Security Technical Implementation Guide	V2R15	Edit
MONT-MB-002_IIS10Site_Default_Web_Site_V2R12_20251023-152518.ckl	MONT-MB-002	Microsoft IIS 10.0 Site Security Technical Implementation Guide	V2R12 Outdated: Latest V2R15	Edit
MONT-MB-002_IIS10Site_Default_Web_Site_V2R12_20251023-152518.ckl	MONT-MB-002	Microsoft IIS 10.0 Site Security Technical Implementation Guide	V2R15	Edit
MONT-MB-002_IIS10Server_V3R4_20251023-152431.ckl	MONT-MB-002	Microsoft IIS 10.0 Server Security Technical Implementation Guide	V3R7	Edit
MONT-MB-002_IIS10Server_V3R4_20251023-152431.ckl	MONT-MB-002	Microsoft IIS 10.0 Server Security Technical Implementation Guide	V3R6 Outdated: Latest V3R7	Edit
MONT-MB-002_IIS10Server_V3R4_20251023-152431.ckl	MONT-MB-002	Microsoft IIS 10.0 Server Security Technical Implementation Guide	V3R4 Outdated: Latest V3R7	Edit

Open Findings (69)

Findings that remain open and contribute to the score

MONT-DP-001

Microsoft IIS 10.0 Site Security Technical Implementation Guide MONT-DP-001_IIS10Site_Default_Web_Site_V2R12_20251023-143912.ckl

Edit 19 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-218768	The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and requ...	Open (Open)
CAT II	V-218737	A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connection...	Open (Open)
CAT II	V-218738	A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections...	Open (Open)
CAT II	V-218739	Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website ...	Open (Open)
CAT II	V-218741	The IIS 10.0 website must produce log records that contain sufficient informatio...	Open (Open)
CAT II	V-218742	The IIS 10.0 website must produce log records containing sufficient information ...	Open (Open)
CAT II	V-218743	The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that...	Open (Open)
CAT II	V-218744	Mappings to unused and vulnerable scripts on the IIS 10.0 website must be remove...	Open (Open)
CAT II	V-218745	The IIS 10.0 website must have resource mappings set to disable the serving of c...	Open (Open)
CAT II	V-218748	Each IIS 10.0 website must be assigned a default host header.	Open (Open)
CAT II	V-218749	A private IIS 10.0 website authentication mechanism must use client certificates...	Open (Open)
CAT II	V-218752	The IIS 10.0 website document directory must be in a separate partition from the...	Open (Open)
CAT II	V-218756	Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website.	Open (Open)
CAT II	V-218758	Unlisted file extensions in URL requests must be filtered by any IIS 10.0 websit...	Open (Open)
CAT II	V-218763	The IIS 10.0 websites connectionTimeout setting must be explicitly configured to...	Open (Open)
CAT II	V-218767	The IIS 10.0 website must only accept client certificates issued by DOD PKI or D...	Open (Open)
CAT II	V-218770	Cookies exchanged between the IIS 10.0 website and the client must have cookie p...	Open (Open)
CAT II	V-218772	The maximum number of requests an application pool can process for each IIS 10.0...	Open (Open)
CAT II	V-218782	The required DoD banner page must be displayed to authenticated users accessing ...	Open (Open)

MONT-DP-001

Microsoft IIS 10.0 Server Security Technical Implementation Guide MONT-DP-001_IIS10Server_V3R4_20251023-143809.ckl

Edit 12 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-218802	IIS 10.0 Web server accounts accessing the directory tree, the shell, or other o...	Open (Open)
CAT I	V-218823	All accounts installed with the IIS 10.0 web server software and tools must have...	Open (Open)
CAT II	V-218786	Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web serve...	Open (Open)
CAT II	V-218788	The IIS 10.0 web server must produce log records that contain sufficient informa...	Open (Open)
CAT II	V-218789	The IIS 10.0 web server must produce log records containing sufficient informati...	Open (Open)
CAT II	V-218793	The IIS 10.0 web server must only contain functions necessary for operation.	Open (Open)
CAT II	V-218797	The IIS 10.0 web server must be reviewed on a regular basis to remove any Operat...	Open (Open)
CAT II	V-218798	The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) t...	Open (Open)
CAT II	V-218806	The IIS 10.0 web server must augment re-creation to a stable and known baseline.	Open (Open)
CAT II	V-218817	The IIS 10.0 web server must not be running on a system providing any other role...	Open (Open)
CAT II	V-218819	The IIS 10.0 web server must be tuned to handle the operational requirements of ...	Open (Open)
CAT II	V-268325	The Request Smuggling filter must be enabled.	Open (Open)

MONT-MB-002

Microsoft IIS 10.0 Site Security Technical Implementation Guide MONT-MB-002_IIS10Site_Default_Web_Site_V2R12_20251023-152518.ckl

Edit 10 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-218768	The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and requ...	Open (Open)
CAT II	V-218739	Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website ...	Open (Open)
CAT II	V-218741	The IIS 10.0 website must produce log records that contain sufficient informatio...	Open (Open)
CAT II	V-218742	The IIS 10.0 website must produce log records containing sufficient information ...	Open (Open)
CAT II	V-218743	The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that...	Open (Open)
CAT II	V-218744	Mappings to unused and vulnerable scripts on the IIS 10.0 website must be remove...	Open (Open)
CAT II	V-218749	A private IIS 10.0 website authentication mechanism must use client certificates...	Open (Open)
CAT II	V-218763	The IIS 10.0 websites connectionTimeout setting must be explicitly configured to...	Open (Open)
CAT II	V-218770	Cookies exchanged between the IIS 10.0 website and the client must have cookie p...	Open (Open)
CAT II	V-218782	The required DoD banner page must be displayed to authenticated users accessing ...	Open (Open)

MONT-MB-002

Microsoft IIS 10.0 Site Security Technical Implementation Guide MONT-MB-002_IIS10Site_Exchange_Back_End_V2R12_20251023-152602.ckl

Edit 10 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-218768	The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and requ...	Open (Open)
CAT II	V-218739	Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website ...	Open (Open)
CAT II	V-218741	The IIS 10.0 website must produce log records that contain sufficient informatio...	Open (Open)
CAT II	V-218742	The IIS 10.0 website must produce log records containing sufficient information ...	Open (Open)
CAT II	V-218743	The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that...	Open (Open)
CAT II	V-218744	Mappings to unused and vulnerable scripts on the IIS 10.0 website must be remove...	Open (Open)
CAT II	V-218749	A private IIS 10.0 website authentication mechanism must use client certificates...	Open (Open)
CAT II	V-218763	The IIS 10.0 websites connectionTimeout setting must be explicitly configured to...	Open (Open)
CAT II	V-218770	Cookies exchanged between the IIS 10.0 website and the client must have cookie p...	Open (Open)
CAT II	V-218782	The required DoD banner page must be displayed to authenticated users accessing ...	Open (Open)

MONT-DP-001 Outdated: V3R7

Microsoft IIS 10.0 Server Security Technical Implementation Guide MONT-DP-001_IIS10Server_V3R4_20251023-143809.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-218790	The log information from the IIS 10.0 web server must be protected from unauthor...	Open (Open)

MONT-MB-002

Microsoft IIS 10.0 Server Security Technical Implementation Guide MONT-MB-002_IIS10Server_V3R4_20251023-152431.ckl

Edit 14 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-218786	Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web serve...	Open (Open)
CAT II	V-218788	The IIS 10.0 web server must produce log records that contain sufficient informa...	Open (Open)
CAT II	V-218789	The IIS 10.0 web server must produce log records containing sufficient informati...	Open (Open)
CAT II	V-218793	The IIS 10.0 web server must only contain functions necessary for operation.	Open (Open)
CAT II	V-218797	The IIS 10.0 web server must be reviewed on a regular basis to remove any Operat...	Open (Open)
CAT II	V-218798	The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) t...	Open (Open)
CAT II	V-218805	The IIS 10.0 web server must accept only system-generated session identifiers.	Open (Open)
CAT II	V-218806	The IIS 10.0 web server must augment re-creation to a stable and known baseline.	Open (Open)
CAT II	V-218812	The IIS 10.0 web server must restrict inbound connections from non-secure zones.	Open (Open)
CAT II	V-218817	The IIS 10.0 web server must not be running on a system providing any other role...	Open (Open)
CAT II	V-218819	The IIS 10.0 web server must be tuned to handle the operational requirements of ...	Open (Open)
CAT II	V-228572	An IIS Server configured to be a SMTP relay must require authentication.	Open (Open)
CAT II	V-268325	The Request Smuggling filter must be enabled.	Open (Open)
CAT III	V-241789	ASP.NET version must be removed from the HTTP Response Header information.	Open (Open)

MONT-MB-002 Outdated: V3R7

Microsoft IIS 10.0 Server Security Technical Implementation Guide MONT-MB-002_IIS10Server_V3R4_20251023-152431.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-218790	The log information from the IIS 10.0 web server must be protected from unauthor...	Open (Open)

MONT-DP-001 Outdated: V3R7

Microsoft IIS 10.0 Server Security Technical Implementation Guide MONT-DP-001_IIS10Server_V3R4_20251023-143809.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT III	V-241788	HTTPAPI Server version must be removed from the HTTP Response Header information...	Open (Open)

MONT-MB-002 Outdated: V3R7

Microsoft IIS 10.0 Server Security Technical Implementation Guide MONT-MB-002_IIS10Server_V3R4_20251023-152431.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT III	V-241788	HTTPAPI Server version must be removed from the HTTP Response Header information...	Open (Open)

215

Total Findings

Open

146

Closed/Remediated