Settings Overview
System Report
| Id | Task | Message | Status |
|---|---|---|---|
| 1.5 | Ensure 'unique application pools' is set for sites | All Good | True |
| 2.7 | Ensure 'passwordFormat' is not set to clear | All Good | True |
| 2.8 | Ensure 'credentials' are not stored in configuration files | All Good | True |
| 3.1 | Ensure 'deployment method retail' is set | retail is not enabled in machine.config | False |
| 3.5 | Ensure ASP.NET stack tracing is not enabled | All Good | True |
| 4.9 | Ensure 'notListedIsapisAllowed' is set to false | All Good | True |
| 4.10 | Ensure 'notListedCgisAllowed' is set to false | All Good | True |
| 5.2 | Ensure Advanced IIS logging is enabled | Advanced Logging is not available for IIS 10. See enhanced logging instead. | None |
| 6.1 | Ensure FTP requests are encrypted | Skipped this benchmark - right now Web-Ftp-Server is not installed | None |
| 6.2 | Ensure FTP Logon attempt restrictions is enabled | Skipped this benchmark - right now Web-Ftp-Server is not installed | None |
| 7.2 | Ensure SSLv2 is disabled | All Good | True |
| 7.3 | Ensure SSLv3 is disabled | All Good | True |
| 7.4 | Ensure TLS 1.0 is disabled | TLS 1.0 is enabled | False |
| 7.5 | Ensure TLS 1.1 is disabled | TLS 1.1 is enabled | False |
| 7.6 | Ensure TLS 1.2 is enabled | All Good | True |
| 7.7 | Ensure NULL Cipher Suites is disabled | All Good | True |
| 7.8 | Ensure DES Cipher Suites is disabled | All Good | True |
| 7.9.1 | Ensure RC4 Cipher Suites is disabled | All Good | True |
| 7.9.2 | Ensure RC4 Cipher Suites is disabled | All Good | True |
| 7.9.3 | Ensure RC4 Cipher Suites is disabled | All Good | True |
| 7.9.4 | Ensure RC4 Cipher Suites is disabled | All Good | True |
| 7.10 | Ensure AES 128/128 Cipher Suite is disabled | AES 128/128 Cipher Suite is still enabled | False |
| 7.11 | Ensure AES 256/256 Cipher Suite is enabled | All Good | True |
| 7.12.1 | Ensure TLS Cipher Suite ordering is correctly configured | TLS Cipher Suite ordering does not match reference | False |
| 7.12.2 | Ensure TLS Cipher Suite does not contain more ciphers | TLS Cipher Suite contains more ciphers | False |
ApplicationHost
| Id | Task | Message | Status |
|---|---|---|---|
| 1.3 | Ensure 'directory browsing' is set to disabled | All Good | True |
| 1.6 | Ensure 'application pool identity' is configured for anonymous user identity | Username is set to: IUSR | False |
| 2.1 | Ensure 'global authorization rule' is set to restrict access | URL Authorization is not installed | Warning |
| 2.2 | Ensure access to sensitive site features is restricted to authenticated principals only | All Good | True |
| 2.3 | Ensure 'forms authentication' require SSL | Forms authentication is not installed | Warning |
| 2.4 | Ensure 'forms authentication' is set to use cookies | Forms authentication is not installed | Warning |
| 2.5 | Ensure 'cookie protection mode' is configured for forms authentication | Forms authentication is not installed | Warning |
| 2.7 | Ensure 'passwordFormat' is not set to clear | All Good | True |
| 2.8 | Ensure 'credentials' are not stored in configuration files | All Good | True |
| 3.2 | Ensure 'debug' is turned off | All Good | True |
| 3.3 | Ensure custom error messages are not off | All Good | True |
| 3.4 | Ensure IIS HTTP detailed errors are hidden from displaying remotely | All Good | True |
| 3.5 | Ensure ASP.NET stack tracing is not enabled | All Good | True |
| 3.6 | Ensure 'httpcookie' mode is configured for session state | All Good | True |
| 4.1 | Ensure 'maxAllowedContentLength' is configured | All Good maxContentLength: 30000000 | True |
| 4.2 | Ensure 'maxURL request filter' is configured | All Good maxURLRequestFilter: 4096 | True |
| 4.3 | Ensure 'MaxQueryString request filter' is configured | All Good maxQueryStringRequestFilter: 2048 | True |
| 4.4 | Ensure non-ASCII characters in URLs are not allowed | non-ASCII characters in URLs are allowed | False |
| 4.5 | Ensure Double-Encoded requests will be rejected | All Good | True |
| 4.6 | Ensure 'HTTP Trace Method' is disabled | HTTP Trace Method is not filtered | False |
| 4.7 | Ensure Unlisted File Extensions are not allowed | Unlisted file extensions allowed | False |
| 4.8 | Ensure Handler is not granted Write and Script/Execute | All Good | True |
| 7.1 | Ensure HSTS Header is set | HSTS Header not set | False |
Full site report for: Default Web Site
| Id | Task | Message | Status |
|---|---|---|---|
| 1.1 | Ensure web content is on non-system partition | Web content is on system partition | False |
| 1.2 | Ensure 'host headers' is set | The following bindings do not specify a host: *:80: | False |
| 1.4 | Ensure 'application pool identity' is configured | All Good | True |
| 2.6 | Ensure transport layer security for 'basic authentication' is configured | All Good | True |
| 3.8 | Ensure 'MachineKey validation method - .Net 3.5' is configured | All Good | True |
| 3.9 | Ensure 'MachineKey validation method - .Net 4.5' is configured | Validation set to SHA1 | False |
| 3.10 | Ensure global .NET trust level is configured | This only applies to .Net 2.0. Future versions have stopped supporting this feature. | None |
| 4.11 | Ensure 'Dynamic IP Address Restrictions' is enabled | "IP and Domain Restrictions" must be installed to enable "Dynamic IP Address Restrictions" | False |
| 5.1 | Ensure Default IIS web log location is moved | Logfile location is on system drive: C:\inetpub\logs\LogFiles | False |
| 5.3 | Ensure 'ETW Logging' is enabled | ETW Logging disabled | False |
Report for: /
| Id | Task | Message | Status |
|---|---|---|---|
| 1.3 | Ensure 'directory browsing' is set to disabled | All Good | True |
| 1.6 | Ensure 'application pool identity' is configured for anonymous user identity | Username is set to: IUSR | False |
| 2.1 | Ensure 'global authorization rule' is set to restrict access | URL Authorization is not installed | Warning |
| 2.2 | Ensure access to sensitive site features is restricted to authenticated principals only | All Good | True |
| 2.3 | Ensure 'forms authentication' require SSL | Forms authentication is not installed | Warning |
| 2.4 | Ensure 'forms authentication' is set to use cookies | Forms authentication is not installed | Warning |
| 2.5 | Ensure 'cookie protection mode' is configured for forms authentication | Forms authentication is not installed | Warning |
| 2.7 | Ensure 'passwordFormat' is not set to clear | All Good | True |
| 2.8 | Ensure 'credentials' are not stored in configuration files | All Good | True |
| 3.2 | Ensure 'debug' is turned off | All Good | True |
| 3.3 | Ensure custom error messages are not off | All Good | True |
| 3.4 | Ensure IIS HTTP detailed errors are hidden from displaying remotely | All Good | True |
| 3.5 | Ensure ASP.NET stack tracing is not enabled | All Good | True |
| 3.6 | Ensure 'httpcookie' mode is configured for session state | All Good | True |
| 3.7 | Ensure 'cookies' are set with HttpOnly attribute | httpOnlyCookies set to False | False |
| 4.1 | Ensure 'maxAllowedContentLength' is configured | All Good maxContentLength: 30000000 | True |
| 4.2 | Ensure 'maxURL request filter' is configured | All Good maxURLRequestFilter: 4096 | True |
| 4.3 | Ensure 'MaxQueryString request filter' is configured | All Good maxQueryStringRequestFilter: 2048 | True |
| 4.4 | Ensure non-ASCII characters in URLs are not allowed | non-ASCII characters in URLs are allowed | False |
| 4.5 | Ensure Double-Encoded requests will be rejected | All Good | True |
| 4.6 | Ensure 'HTTP Trace Method' is disabled | HTTP Trace Method is not filtered | False |
| 4.7 | Ensure Unlisted File Extensions are not allowed | Unlisted file extensions allowed | False |
| 4.8 | Ensure Handler is not granted Write and Script/Execute | All Good | True |
| 7.1 | Ensure HSTS Header is set | HSTS Header not set | False |
Benchmark Compliance
Generated by the ATAPAuditor Module Version 5.2 by FB Pro GmbH. Get it in the Audit Test Automation Package. Does your system show low benchmark compliance? Check out our hardening solutions.
Based on:
- CIS Microsoft IIS 10 Benchmark, Version: 1.1.0, Date: 12-11-2018
This report was generated on 09/05/2022 05:28:18 on WIN-T74AI7HCI62 with ATAPHtmlReport version 1.8.
System information
| Hostname | WIN-T74AI7HCI62 |
|---|---|
| Domain role | Standalone Server |
| Operating System | Microsoft Windows Server 2022 Standard Evaluation |
| Build Number | 20348 |
| Installation Language | English (United States) |
| Free disk space (GB) | 7.9 |
| Free physical memory (GB) | 13.5% (0.5 GB / 3.8 GB) |
Current Risk Score on tested System: N/A
Risk Score calculation is currently implemented for Microsoft Windows OS only.
A total of 82 tests have been executed.
- True 47 test(s) ≙ 57.32%
- False 23 test(s) ≙ 28.05%
- Warning 8 test(s) ≙ 9.76%
- None 4 test(s) ≙ 4.88%
- Error 0 test(s) ≙ 0.00%
System Report
A total of 25 tests have been executed in section System Report.
- True 16 test(s) ≙ 64.00%
- False 6 test(s) ≙ 24.00%
- Warning 0 test(s) ≙ 0.00%
- None 3 test(s) ≙ 12.00%
- Error 0 test(s) ≙ 0.00%
ApplicationHost
A total of 23 tests have been executed in section ApplicationHost.
- True 14 test(s) ≙ 60.87%
- False 5 test(s) ≙ 21.74%
- Warning 4 test(s) ≙ 17.39%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
Full site report for: Default Web Site
A total of 34 tests have been executed in section Full site report for: Default Web Site.
- True 17 test(s) ≙ 50.00%
- False 12 test(s) ≙ 35.29%
- Warning 4 test(s) ≙ 11.76%
- None 1 test(s) ≙ 2.94%
- Error 0 test(s) ≙ 0.00%
Risk Score
To get a quick overview of how risky the tested system is, the Risk Score is used. It is made up of the two areas "Severity" and "Quantity"; the higher of the two risks is used as the overall risk.
Risk Score Calculation
The calculation of the Risk Score is based on the set of compliant rules at the quantity level and also at the severity level.
| Compliance to Benchmarks (Quantity) | Risk Assessment |
|---|---|
| More than 85% | Low |
| Between 70% and 85% | Medium |
| Between 55% and 70% | High |
| Less than 55% | Critical |

| Compliance to Benchmarks (Severity) | Risk Assessment |
|---|---|
| All critical settings compliant | Low |
| 1 or more incompliant setting(s) | Critical |
Severity Compliance
| Id | Task | Status |
|---|---|---|
| 1.1.7 | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | True |
| 2.2.38 | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) | True |
| 2.3.5.2 | (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only) | None |
| 2.3.11.4 | (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | False |
| 2.3.11.5 | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | True |
| 7.9 A | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128) | False |
| 7.9 B | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128) | False |
| 7.9 C | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128) | False |
| 7.9 D | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128) | False |
| 9.1.7 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | False |
| 9.1.8 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | False |
| 18.3.3 | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' | False |
| 18.3.3 | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | False |
| 18.3.6 | (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | False |
| 18.6.2 | (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | False |
| 18.6.3 | (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | False |
| 18.9.47.9.2 | (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' | False |
| 18.9.47.5.1.2 A | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | False |
| 18.9.47.5.1.2 B | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | False |
| 18.9.47.5.1.2 C | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | False |
| 18.9.47.5.1.2 D | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | False |
| 18.9.47.5.1.2 E | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | False |
| 18.9.47.5.1.2 F | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | False |
| 18.9.47.5.1.2 G | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | False |
| 18.9.47.5.1.2 H | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | False |
| 18.9.47.5.1.2 I | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | False |
| 18.9.47.5.1.2 J | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | False |
| 18.9.47.5.1.2 K | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | False |
| 18.9.47.5.1.2 L | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | False |
| 18.9.48.11 | Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled' | False |
| 18.9.58.3.10.1 | (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' | False |
| 18.9.58.3.10.2 | (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' | False |