Vulnerability V-218770

Note: If the server being reviewed is a public IIS 10.0 web server, this is not applicable. Note: If the server being reviewed is hosting SharePoint, this is not applicable. Note: If the server being reviewed is hosting WSUS, this is not applicable. Note: If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 10.0 server, and the IIS 10.0 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server. Note: If the server is providing OCSP, and not otherwise hosting any content, this requirement is not applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 Manager. Under the "Management" section, double-click the "Configuration Editor" icon. From the "Section:" drop-down list, select "system.web/httpCookies". Verify the "require SSL" is set to "True". From the "Section:" drop-down list, select "system.web/sessionState". Verify the "compressionEnabled" is set to "False". If both the "system.web/httpCookies:require SSL" is set to "True" and the "system.web/sessionState:compressionEnabled" is set to "False", this is not a finding.

Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 Manager. Under "Management" section, double-click the "Configuration Editor" icon. From the "Section:" drop-down list, select "system.web/httpCookies". Set the "require SSL" to "True". From the "Section:" drop-down list, select "system.web/sessionState". Set the "compressionEnabled" to "False". Select "Apply" from the "Actions" pane.