The IIS 10.0 web server must not be both a website server and a proxy server.

STIG ID: IIST-SV-000119  |  SRG: SRG-APP-000141-WSR-000076 | Severity: medium |  CCI: CCI-000381

Vulnerability Discussion

A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that also proxy requests into an otherwise protected network is a common attack, making the attack anonymous.

Check

Open the IIS 10.0 Manager.

Under the "Connections" pane on the left side of the management console, select the IIS 10.0 web server.

If, under the IIS installed features "Application Request Routing Cache" is not present, this is not a finding.

If, under the IIS installed features "Application Request Routing Cache" is present, double-click the icon to open the feature.

From the right "Actions" pane under "Proxy", select "Server Proxy Settings...".

In the "Application Request Routing" settings window, verify whether "Enable proxy" is selected.

If "Enable proxy" is selected under the "Application Request Routing" settings, this is a finding.

If the server has been approved to be a Proxy server, this requirement is Not Applicable.

Fix

Open the IIS 10.0 Manager.

Under the "Connections" pane on the left side of the management console, select the IIS 10.0 web server.

Under the IIS installed features, if "Application Request Routing Cache" is present, double-click the icon to open the feature.

From the right "Actions" pane, under "Proxy", select "Server Proxy Settings...".

In the "Application Request Routing" settings window, remove the check from the "Enable proxy" check box.

Click "Apply" in the "Actions" pane.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.