| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-218827 | CAT III | MONT-MB-002 | Microsoft IIS 10.0 Server Security Techn... | The IIS 10.0 web server must enable HTTP Strict Tr... | - | | | |
| V-218827 | CAT III | MONT-DP-001 | Microsoft IIS 10.0 Server Security Techn... | The IIS 10.0 web server must enable HTTP Strict Tr... | - | | | |

V-218827 on MONT-MB-002

Check Text:
Note: If the server is hosting WSUS, this is not applicable.
Note: If the server is providing OCSP or CRL, and not otherwise hosting any content, this is not applicable.
Access the IIS 10.0 Web Server. Open IIS Manager. Click the IIS 10.0 web server name. Open the Configuration Editor under Management. For the Section, navigate to system.applicationHost/sites. Expand siteDefaults and HSTS.
If enabled is not set to True, this is a finding.
If includeSubDomains is not set to True, this is a finding.
If max-age is not set to a value greater than 0, this is a finding.
If redirectHttpToHttps is not True, this is a finding.
If the website is behind a load balancer or proxy server, and HSTS enablement is handled there, this is not applicable.
If the version of Windows Server does not natively support HSTS, this is not a finding.

Fix Text:
Using the Configuration Editor in the IIS Manager or PowerShell: Enable HSTS. Set includeSubDomains to True. Set max-age to a value greater than 0. Set redirectHttpToHttps to True.

Finding Details:
Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 10/23/2025.
ResultHash: 99B8BE8C00D415AE2AD924DD32E7462E3F3742DF

Windows Server 2016 version is 1607, which does not natively support HSTS, so this requirement is Not A Finding.

Source: _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_IIS10Server_V3R4_20251023-152431.ckl
Scan Date: 2026-01-14T12:57:32.874734
Technology Area: Web Review

V-218827 on MONT-DP-001

Check Text:
Note: If the server is hosting WSUS, this is not applicable.
Note: If the server is providing OCSP or CRL, and not otherwise hosting any content, this is not applicable.
Access the IIS 10.0 Web Server. Open IIS Manager. Click the IIS 10.0 web server name. Open the Configuration Editor under Management. For the Section, navigate to system.applicationHost/sites. Expand siteDefaults and HSTS.
If enabled is not set to True, this is a finding.
If includeSubDomains is not set to True, this is a finding.
If max-age is not set to a value greater than 0, this is a finding.
If redirectHttpToHttps is not True, this is a finding.
If the website is behind a load balancer or proxy server, and HSTS enablement is handled there, this is not applicable.
If the version of Windows Server does not natively support HSTS, this is not a finding.

Fix Text:
Using the Configuration Editor in the IIS Manager or PowerShell: Enable HSTS. Set includeSubDomains to True. Set max-age to a value greater than 0. Set redirectHttpToHttps to True.

Finding Details:
Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 10/23/2025.
ResultHash: 99B8BE8C00D415AE2AD924DD32E7462E3F3742DF

Windows Server 2016 version is 1607, which does not natively support HSTS, so this requirement is Not A Finding.

Source: _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_IIS10Server_V3R4_20251023-143809.ckl
Scan Date: 2026-01-14T12:57:35.201603
Technology Area: Web Review