| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-218805 | CAT II | SCHR-P3-DP-001 | Microsoft IIS 10.0 Server Security Techn... | The IIS 10.0 web server must accept only system-ge... | - | |||
Check TextNote: If ASP.NET is not installed, this is Not Applicable. Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Under the "ASP.NET" section, select "Session State". Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mode:" drop-down list. Under "Time-out (in minutes)", verify a maximum of 15 minutes is entered. If the "Use Cookies" mode is selected and Time-out (in minutes) is configured for "15 minutes" (or less), this is not a finding. Alternative method: Click the site name. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". Verify the "cookieless" is set to "UseCookies". If the "cookieless" is not set to "UseCookies", this is a finding. Note: If IIS 10.0 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable. Fix TextOpen the IIS 10.0 Manager. Click the IIS 10.0 web server name. Under the "ASP.NET" section, select "Session State". Under "Cookie Settings", select the "Use Cookies" mode from the "Mode:" drop-down list. Under "Time-out (in minutes)", enter a value of "15 or less". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 7533F9E6958FD6D045546A3732F63AFD8472E223 ~~~~~ Cookie Settings Mode is configured to 'UseCookies' Time-out is configured to '00:15:00'
Source: SCHR-P3-DP-001_IIS10Server_V3R6_20260305-132942.cklb
Scan Date: 2026-03-12T15:38:14.420977
Technology Area: Web Review
|
||||||||