Res.WebBaselineRules.xml (DeployableResource)

Element properties:

Type: DeployableResource
File Name: WebBaselineRules.xml
Accessibility: Public

Source Code:

<DeployableResource ID="Res.WebBaselineRules.xml" Accessibility="Public" FileName="WebBaselineRules.xml"/>

File Content: WebBaselineRules.xml

<?xml version="1.0" encoding="utf-8"?>

<!--
  Web baseline ruleset: a single BaselineRuleset (Id D910D7F5-424C-9D4B-1948-2C79994B4A9A,
  Name "Web Baseline IIS 7 or higher", Type "Web") holding one WebBaselineRule per checked
  IIS / ASP.NET configuration attribute.

  Each rule names a configuration Section (e.g. system.web/compilation) and an Attribute
  within it, an ExpectedValue, and an AnalyzeOperation. The operations used in this file
  are Equals, NotEquals, LessThan and Contains; they presumably compare the observed
  attribute value against ExpectedValue. Severity takes the values Critical, Warning and
  Informational. CceId is left empty on every rule in this file. Enabled is serialized as
  lowercase "true" while ExpectedValue carries strings such as "True"/"False" - the latter
  is presumably compared as text against the configured value.

  NOTE(review): the comparison semantics (whether LessThan is inclusive, whether Contains
  treats "|" as an alternation separator, case sensitivity of True/False) are not defined
  in this file - confirm against the rule engine before changing any ExpectedValue or
  AnalyzeOperation. The file carries no DOCTYPE, and none should be added.
-->
<ArrayOfBaselineRuleset xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<BaselineRuleset>
<Rules>
<!-- system.web/deployment retail="true": production deployment mode. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>27a5b1d8-a772-4a28-837f-a85f681bfb5a</Id>
<CceId></CceId>
<AzId>AZ_WEB_000001</AzId>
<Name>Set Deployment Method to Retail</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/deployment</Section>
<Attribute>retail</Attribute>
</WebBaselineRule>
<!-- system.web/compilation debug="false" on production sites. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>8d067df0-8f49-4b31-9467-c5e543afda00</Id>
<CceId></CceId>
<AzId>AZ_WEB_000005</AzId>
<Name>Debug must be turned off on a production website</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/compilation</Section>
<Attribute>debug</Attribute>
</WebBaselineRule>
<!-- system.web/customErrors mode: ExpectedValue "1" is the numeric form of "On" per the
     rule Name; the enum mapping itself is not given in this file - TODO confirm. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>57a45f71-cb3a-436f-82c1-168a3f99ef68</Id>
<CceId></CceId>
<AzId>AZ_WEB_000006</AzId>
<Name>In customError element mode attribute is set to On (1)</Name>
<Type>IIS</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/customErrors</Section>
<Attribute>mode</Attribute>
</WebBaselineRule>
<!-- system.web/httpCookies requireSSL="true". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>f1e42fee-7d4f-48b0-b6ca-9ed96ba9c791</Id>
<CceId></CceId>
<AzId>AZ_WEB_000008</AzId>
<Name>In httpCookies element requireSSL attribute is set to True</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/httpCookies</Section>
<Attribute>requireSSL</Attribute>
</WebBaselineRule>
<!-- NOTE(review): the Name says "less than or equals to 4096" but AnalyzeOperation is
     LessThan; whether a configured value of exactly 4096 passes depends on how the engine
     evaluates LessThan, which this file does not show - confirm before relying on it. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>a80cd32e-f3d3-47c3-9ad5-e678cf6c130a</Id>
<CceId></CceId>
<AzId>AZ_WEB_000009</AzId>
<Name>In httpRuntime element maxRequestLength attribute is less than or equals to 4096</Name>
<Type>IIS</Type>
<ExpectedValue>4096</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>LessThan</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/httpRuntime</Section>
<Attribute>maxRequestLength</Attribute>
</WebBaselineRule>
<!-- system.web/httpRuntime enableHeaderChecking="true". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>3de94b33-4ebe-4aa1-ae41-4d7047a6086a</Id>
<CceId></CceId>
<AzId>AZ_WEB_000010</AzId>
<Name>In httpRuntime element enableHeaderChecking attribute is set to True</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/httpRuntime</Section>
<Attribute>enableHeaderChecking</Attribute>
</WebBaselineRule>
<!-- system.web/httpRuntime enableVersionHeader="false" (suppresses the X-AspNet-Version
     header; Warning severity in this baseline). -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>ac466699-3268-43ab-afbf-0102de43f42c</Id>
<CceId></CceId>
<AzId>AZ_WEB_000011</AzId>
<Name>In httpRuntime element enableVersionHeader attribute is set to False</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/httpRuntime</Section>
<Attribute>enableVersionHeader</Attribute>
</WebBaselineRule>
<!-- system.web/httpRuntime sendCacheControlHeader="true". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>74129d60-def6-4f44-80c5-e3a2640841eb</Id>
<CceId></CceId>
<AzId>AZ_WEB_000012</AzId>
<Name>In httpRuntime element sendCacheControlHeader attribute is set to True</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/httpRuntime</Section>
<Attribute>sendCacheControlHeader</Attribute>
</WebBaselineRule>
<!-- system.web/machineKey decryption="AES". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>b16983ab-c5af-4203-9d46-be4f0674f809</Id>
<CceId></CceId>
<AzId>AZ_WEB_000013</AzId>
<Name>In machineKey element decryption attribute is set to AES</Name>
<Type>IIS</Type>
<ExpectedValue>AES</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/machineKey</Section>
<Attribute>decryption</Attribute>
</WebBaselineRule>
<!-- system.web/machineKey validation: ExpectedValue "1" is presumably a numeric enum value
     for the validation algorithm; the Name does not say which one and the mapping is not
     in this file - TODO confirm so the rule is reviewable. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>6a95b642-ddbd-4cf1-bc30-99914c3037ea</Id>
<CceId></CceId>
<AzId>AZ_WEB_000014</AzId>
<Name>Configure MachineKey Validation and Encryption are set per SDL</Name>
<Type>IIS</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/machineKey</Section>
<Attribute>validation</Attribute>
</WebBaselineRule>
<!-- system.web/machineKey validationKey: expects the literal setting "AutoGenerate,IsolateApps"
     (no explicit key material in config); a fixed key would fail this Equals check. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>d1f3f5d5-4126-4ec1-9c04-8c2633bcb86d</Id>
<CceId></CceId>
<AzId>AZ_WEB_000015</AzId>
<Name>In machineKey element validationKey attribute is set to AutoGenerate,IsolateApps</Name>
<Type>IIS</Type>
<ExpectedValue>AutoGenerate,IsolateApps</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/machineKey</Section>
<Attribute>validationKey</Attribute>
</WebBaselineRule>
<!-- system.web/pages enableViewState="true". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>2605d41d-b621-49e2-810a-de6a5fef8731</Id>
<CceId></CceId>
<AzId>AZ_WEB_000016</AzId>
<Name>In pages element enableViewState attribute is set to True</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/pages</Section>
<Attribute>enableViewState</Attribute>
</WebBaselineRule>
<!-- system.web/pages validateRequest="true". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>7c0e7f60-a92f-465a-85ac-a338e78909d8</Id>
<CceId></CceId>
<AzId>AZ_WEB_000017</AzId>
<Name>In pages element validateRequest attribute is set to True</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/pages</Section>
<Attribute>validateRequest</Attribute>
</WebBaselineRule>
<!-- system.web/sessionState cookieless: the Name says "UseCookies" while ExpectedValue is
     "1", presumably the numeric enum value for UseCookies - mapping not shown here, TODO confirm. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>f3af50f4-84a0-46ad-a8fc-032e7eee491f</Id>
<CceId></CceId>
<AzId>AZ_WEB_000018</AzId>
<Name>In sessionState element cookieless attribute is set to UseCookies</Name>
<Type>IIS</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/sessionState</Section>
<Attribute>cookieless</Attribute>
</WebBaselineRule>
<!-- system.web/sessionState regenerateExpiredSessionId="false". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>65252c76-e9f9-4ea1-92bb-65329b30e41a</Id>
<CceId></CceId>
<AzId>AZ_WEB_000019</AzId>
<Name>In sessionState element regenerateExpiredSessionId is set to False</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/sessionState</Section>
<Attribute>regenerateExpiredSessionId</Attribute>
</WebBaselineRule>
<!-- system.web/trace enabled="false". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>9f8764a4-9625-4f13-93ae-d3ea17ef4c5e</Id>
<CceId></CceId>
<AzId>AZ_WEB_000020</AzId>
<Name>In trace element enabled attribute is set to False</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/trace</Section>
<Attribute>enabled</Attribute>
</WebBaselineRule>
<!-- NOTE(review): this rule's AzId is written "Az-Web-000021" while every other rule uses
     the "AZ_WEB_nnnnnn" form; it looks like a typo but is left unchanged here because
     consumers may key on the exact string. ExpectedValue "Medium|Low|Minimal" with
     AnalyzeOperation Contains presumably means any of the three trust levels passes -
     whether "|" is an alternation separator or a literal substring is not visible in
     this file, confirm against the engine. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>793f981f-02d2-4dfa-a0dd-f362cacefdb8</Id>
<CceId></CceId>
<AzId>Az-Web-000021</AzId>
<Name>Configure Global .NET Trust Level to Medium</Name>
<Type>IIS</Type>
<ExpectedValue>Medium|Low|Minimal</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Contains</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/trust</Section>
<Attribute>level</Attribute>
</WebBaselineRule>
<!-- system.webServer/directoryBrowse enabled="false". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>13fd6ed6-3aac-4a69-9fdc-37186c7f54f8</Id>
<CceId></CceId>
<AzId>AZ_WEB_000026</AzId>
<Name>Directory Browsing must be disabled on the production web server</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.webServer</SectionGroup>
<Section>system.webServer/directoryBrowse</Section>
<Attribute>enabled</Attribute>
</WebBaselineRule>
<!-- system.webServer/httpErrors errorMode: the Name accepts DetailedLocalOnly (0) or
     Custom (1), but the rule is "LessThan 1". As with the maxRequestLength rule above,
     whether the boundary value 1 passes depends on the engine's LessThan semantics,
     which this file does not define - NOTE(review): confirm. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>bd28b5f7-dd3f-4f7b-97b8-34bab1960658</Id>
<CceId></CceId>
<AzId>AZ_WEB_000027</AzId>
<Name>Hide IIS HTTP Detailed Errors from Displaying Remotely - Set errorMode attribute of httpErrors element to DetailedLocalOnly(0) or Custom (1)</Name>
<Type>IIS</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>LessThan</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.webServer</SectionGroup>
<Section>system.webServer/httpErrors</Section>
<Attribute>errorMode</Attribute>
</WebBaselineRule>
<!-- anonymousAuthentication userName: ExpectedValue here is the two-character string ""
     (two literal double-quote characters), not an empty element like CceId. Whether the
     engine normalizes that to an empty userName (application pool identity, per the Name)
     is not visible in this file - NOTE(review): confirm; an Equals against a literal ""
     would otherwise never match a genuinely empty attribute. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>5099b81e-264f-4bb1-8348-22e93edc90cd</Id>
<CceId></CceId>
<AzId>AZ_WEB_000028</AzId>
<Name>Configure Anonymous User Identity To Use Application Pool Identity - 'userName = NONE</Name>
<Type>IIS</Type>
<ExpectedValue>""</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.webServer</SectionGroup>
<Section>system.webServer/security/authentication/anonymousAuthentication</Section>
<Attribute>userName</Attribute>
</WebBaselineRule>
<!-- system.webServer/security/isapiCgiRestriction notListedIsapisAllowed="false". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>f69ee77d-3c30-4bbc-95ba-070ec7d76607</Id>
<CceId></CceId>
<AzId>AZ_WEB_000029</AzId>
<Name>The configuration attribute 'notListedIsapisAllowed' should be False</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.webServer</SectionGroup>
<Section>system.webServer/security/isapiCgiRestriction</Section>
<Attribute>notListedIsapisAllowed</Attribute>
</WebBaselineRule>
<!-- system.webServer/security/requestFiltering allowDoubleEscaping="false". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>8c969105-3136-465b-85c9-3f8ecc657d0b</Id>
<CceId></CceId>
<AzId>AZ_WEB_000031</AzId>
<Name>Ensure Double-Encoded Requests will be rejected</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.webServer</SectionGroup>
<Section>system.webServer/security/requestFiltering</Section>
<Attribute>allowDoubleEscaping</Attribute>
</WebBaselineRule>
<!-- system.webServer/urlCompression doDynamicCompression="false". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>8a0d2239-70ff-4771-ba66-dc63cdf54e2f</Id>
<CceId></CceId>
<AzId>AZ_WEB_000033</AzId>
<Name>In urlCompression element doDynamicCompression attribute is set to False</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.webServer</SectionGroup>
<Section>system.webServer/urlCompression</Section>
<Attribute>doDynamicCompression</Attribute>
</WebBaselineRule>
<!-- system.web/pages enableEventValidation="true". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>a9e59a3f-70c1-4b0a-ac3b-fb26c4b036ab</Id>
<CceId></CceId>
<AzId>AZ_WEB_000049</AzId>
<Name>In pages element enableEventValidation attribute is set to True</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/pages</Section>
<Attribute>enableEventValidation</Attribute>
</WebBaselineRule>
<!-- system.web/pages enableViewStateMac="true". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>88d37251-c4ea-4aa6-87be-2d21d0bc1b44</Id>
<CceId></CceId>
<AzId>AZ_WEB_000050</AzId>
<Name>In pages element enableViewStateMac attribute is set to True</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/pages</Section>
<Attribute>enableViewStateMac</Attribute>
</WebBaselineRule>
<!-- system.web/pages viewstateEncryptionMode: ExpectedValue "0" is the numeric form of
     "Always" per the rule Name; enum mapping not given in this file - TODO confirm. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>d57da25c-a058-4634-a134-708611414154</Id>
<CceId></CceId>
<AzId>AZ_WEB_000051</AzId>
<Name>In pages element viewstateEncryptionMode attribute is set to Always (0)</Name>
<Type>IIS</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/pages</Section>
<Attribute>viewstateEncryptionMode</Attribute>
</WebBaselineRule>
<!-- system.webServer/handlers accessPolicy: the only NotEquals rule in this file. Per the
     Name, 513 presumably encodes the forbidden execute/script-plus-write combination; the
     flag encoding is not shown here - TODO confirm. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>d2b8c5ad-945f-45c4-ab9c-bb89d09bebb1</Id>
<CceId></CceId>
<AzId>AZ_WEB_000055</AzId>
<Name>Grant a handler execute/script or write permissions, but not both (should not be 513)</Name>
<Type>IIS</Type>
<ExpectedValue>513</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>NotEquals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.webServer</SectionGroup>
<Section>system.webServer/handlers</Section>
<Attribute>accessPolicy</Attribute>
</WebBaselineRule>
</Rules>
<!-- Ruleset metadata follows the rule list; every rule above carries this same Id as its BaselineId. -->
<Id>D910D7F5-424C-9D4B-1948-2C79994B4A9A</Id>
<Name>Web Baseline IIS 7 or higher</Name>
<Type>Web</Type>
</BaselineRuleset>
</ArrayOfBaselineRuleset>