CUI

USNS MONTFORD POINT - Findings

Back to Ship Export CSV Download POA&M

Showing 3 of 3 findings (filtered) View Documentation Status (90 tracked)

Vuln ID	Severity	Asset	STIG	Title	Status	Doc Status	Assigned To	Actions
V-218742	CAT II	MONT-MB-002	Microsoft IIS 10.0 Site Security Technic...	The IIS 10.0 website must produce log records cont...		-
Check Text Note: If this server is hosting WSUS, this requirement is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 web server IIS 10.0 Manager. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select "Fields". Under "Standard Fields", verify "User Agent", "User Name", and "Referrer" are selected. Under "Custom Fields", verify the following fields have been configured: Request Header >> Authorization Response Header >> Content-Type If any of the above fields are not selected, this is a finding. Fix Text Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 web server IIS 10.0 Manager. Select the website being reviewed. Under "IIS", double-click the "Logging" icon. Configure the "Format:" under "Log File" to "W3C". Select "Fields". Under "Standard Fields", select "User Agent", "User Name", and "Referrer". Under "Custom Fields", select the following fields: Request Header >> Authorization Response Header >> Content-Type Click "OK". Select "Apply" from the "Actions" pane. Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: C3C26BB04CA1EEAB0A14FFB0A603274C530242F3 ~~~~~ Log format is 'W3C' User Agent, User Name, and Referrer are all logged. The 'Request Header >> Authorization' custom field is NOT configured. The 'Response Header >> Content-Type' custom field is NOT configured. Source: _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_IIS10Site_Default_Web_Site_V2R12_20251023-152518.ckl Scan Date: 2026-01-14T12:57:33.098574 Technology Area: Web Review
V-218742	CAT II	MONT-MB-002	Microsoft IIS 10.0 Site Security Technic...	The IIS 10.0 website must produce log records cont...		-
Check Text Note: If this server is hosting WSUS, this requirement is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 web server IIS 10.0 Manager. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select "Fields". Under "Standard Fields", verify "User Agent", "User Name", and "Referrer" are selected. Under "Custom Fields", verify the following fields have been configured: Request Header >> Authorization Response Header >> Content-Type If any of the above fields are not selected, this is a finding. Fix Text Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 web server IIS 10.0 Manager. Select the website being reviewed. Under "IIS", double-click the "Logging" icon. Configure the "Format:" under "Log File" to "W3C". Select "Fields". Under "Standard Fields", select "User Agent", "User Name", and "Referrer". Under "Custom Fields", select the following fields: Request Header >> Authorization Response Header >> Content-Type Click "OK". Select "Apply" from the "Actions" pane. Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Exchange Back End ResultHash: C3C26BB04CA1EEAB0A14FFB0A603274C530242F3 ~~~~~ Log format is 'W3C' User Agent, User Name, and Referrer are all logged. The 'Request Header >> Authorization' custom field is NOT configured. The 'Response Header >> Content-Type' custom field is NOT configured. Source: _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_IIS10Site_Exchange_Back_End_V2R12_20251023-152602.ckl Scan Date: 2026-01-14T12:57:33.300070 Technology Area: Web Review
V-218742	CAT II	MONT-DP-001	Microsoft IIS 10.0 Site Security Technic...	The IIS 10.0 website must produce log records cont...		-
Check Text Note: If this server is hosting WSUS, this requirement is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 web server IIS 10.0 Manager. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select "Fields". Under "Standard Fields", verify "User Agent", "User Name", and "Referrer" are selected. Under "Custom Fields", verify the following fields have been configured: Request Header >> Authorization Response Header >> Content-Type If any of the above fields are not selected, this is a finding. Fix Text Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 web server IIS 10.0 Manager. Select the website being reviewed. Under "IIS", double-click the "Logging" icon. Configure the "Format:" under "Log File" to "W3C". Select "Fields". Under "Standard Fields", select "User Agent", "User Name", and "Referrer". Under "Custom Fields", select the following fields: Request Header >> Authorization Response Header >> Content-Type Click "OK". Select "Apply" from the "Actions" pane. Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: C3C26BB04CA1EEAB0A14FFB0A603274C530242F3 ~~~~~ Log format is 'W3C' User Agent, User Name, and Referrer are all logged. The 'Request Header >> Authorization' custom field is NOT configured. The 'Response Header >> Content-Type' custom field is NOT configured. Comments If the server is hosting WSUS, this is Not Applicable. Source: _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_IIS10Site_Default_Web_Site_V2R12_20251023-143912.ckl Scan Date: 2026-01-14T12:57:35.375369 Technology Area: Web Review

CUI