STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to Microsoft IIS 10.0 Server Security Technical Implementation Guide

V-218793

CAT II (Medium)

The IIS 10.0 web server must only contain functions necessary for operation.

Rule ID

SV-218793r960963_rule

STIG

Microsoft IIS 10.0 Server Security Technical Implementation Guide

Version

V3R7

CCIs

CCI-000381

Discussion

A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services deemed non-essential to the web server mission or that adversely impact server performance.

Check Content

Click “Start”.

Open Control Panel.

Click “Programs”.

Click “Programs and Features”.

Review the installed programs. If any programs are installed other than those required for the IIS 10.0 web services, this is a finding.

Note: If additional software is needed, supporting documentation must be signed by the ISSO.

Fix Text

Remove all unapproved programs and roles from the production IIS 10.0 web server.