| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-218789 | CAT II | SCHR-P3-DP-001 | Microsoft IIS 10.0 Server Security Techn... | The IIS 10.0 web server must produce log records c... | - | |||
Check TextNote: If the server is hosting WSUS, this is Not Applicable. Access the IIS 10.0 web server IIS Manager. Click the IIS 10.0 web server name. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select "Fields". Under "Standard Fields", verify "User Agent", "User Name", and "Referrer" are selected. Under "Custom Fields", verify the following field has been configured: Request Header >> Authorization. Response Header >> Content-Type. If any of the above fields are not selected, this is a finding. Fix TextAccess the IIS 10.0 web server IIS Manager. Click the IIS 10.0 web server name. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select "Fields". Under "Standard Fields", select "User Agent", "User Name", and "Referrer". Under "Custom Fields", select the following fields: Click the "Source Type" drop-down list, and select "Request Header". Click on "Source" drop-down, list and select "Authorization". Click "OK" to add. Click the "Source" drop-down list, and select "Content-Type". Click the "Source Type" drop-down list, and select "Response Header". Click "OK" to add. Click "OK". Click "Apply" under the "Actions" pane. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 03/05/2026 ResultHash: C3C26BB04CA1EEAB0A14FFB0A603274C530242F3 ~~~~~ Log format is 'W3C' User Agent, User Name, and Referrer are all logged. The 'Request Header >> Authorization' custom field is NOT configured. The 'Response Header >> Content-Type' custom field is NOT configured. CommentsLog format is 'W3C' User Agent, User Name, and Referrer are all logged. The 'Request Header >> Authorization' custom field is configured. The 'Response Header >> Content-Type' custom field is configured. This is Not a Finding
Source: SCHR-P3-DP-001_IIS10Server_V3R6_20260305-132942.cklb
Scan Date: 2026-03-12T15:38:14.420977
Technology Area: Web Review
|
||||||||