Res.WebBaselineRules.xml (DeployableResource)

Element properties:

Type: DeployableResource
File Name: WebBaselineRules.xml
Accessibility: Public

Source Code:

<!-- Element declaring the deployable resource: ID "Res.WebBaselineRules.xml", public accessibility, backed by the file WebBaselineRules.xml whose content is listed below. -->
<DeployableResource ID="Res.WebBaselineRules.xml" Accessibility="Public" FileName="WebBaselineRules.xml"/>

File Content: WebBaselineRules.xml

<?xml version="1.0" encoding="utf-8"?>

<!--
  WebBaselineRules.xml: a single BaselineRuleset (Id D910D7F5-424C-9D4B-1948-2C79994B4A9A,
  Name "Web Baseline IIS 7 or higher", Type Web) holding 23 WebBaselineRule entries.
  Each rule names one attribute of an IIS / ASP.NET configuration section
  (SectionGroup + Section + Attribute), the value it should have (ExpectedValue), the
  comparison used (AnalyzeOperation: Equals, LessThan or Contains) and a Severity
  (Critical, Warning or Informational). CceId is empty on every rule; every rule's
  BaselineId repeats the ruleset Id given after the Rules list.
  NOTE(review): the xmlns:xsd / xmlns:xsi declarations and the "ArrayOf" root element look
  like .NET XmlSerializer output. How the evaluator trims whitespace, compares case
  ("True" here vs "true" in web.config) and maps numeric ExpectedValues (1) onto enum
  attributes is not visible in this file; confirm against the code that consumes it.
-->
<ArrayOfBaselineRuleset xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<BaselineRuleset>
<Rules>
<!-- Az-Web-001: system.web/deployment retail="true" (retail deployment mode). -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>c680afde-a08e-4886-9d62-9eece4632e8e</Id>
<CceId></CceId>
<AzId>Az-Web-001</AzId>
<Name>Set Deployment Method to Retail</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/deployment</Section>
<Attribute>retail</Attribute>
</WebBaselineRule>
<!-- Az-Web-005: system.web/compilation debug must be false. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>fb61064c-373e-4056-9ca0-1bd9e4ec54b4</Id>
<CceId></CceId>
<AzId>Az-Web-005</AzId>
<Name>Debug must be turned off on a production website</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/compilation</Section>
<Attribute>debug</Attribute>
</WebBaselineRule>
<!--
  Az-Web-006: customErrors mode. The name asks for mode "On", but the check is
  LessThan 1, so the evaluator presumably compares a numeric encoding of the
  On / Off / RemoteOnly enum. The mapping is not given in this file; confirm it,
  otherwise the rule may accept a mode other than the one the name describes.
-->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>7f1c3114-469a-423d-9f80-997dad44c37c</Id>
<CceId></CceId>
<AzId>Az-Web-006</AzId>
<Name>In customError element mode attribute is set to on</Name>
<Type>IIS</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>LessThan</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/customErrors</Section>
<Attribute>mode</Attribute>
</WebBaselineRule>
<!-- Az-Web-008: system.web/httpCookies requireSSL="true" (the "SSL attribute" named in the rule). -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>b0785fcb-ad4c-47ba-8bdc-dacf6ccc1ba0</Id>
<CceId></CceId>
<AzId>Az-Web-008</AzId>
<Name>Set SSL attribute to true</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/httpCookies</Section>
<Attribute>requireSSL</Attribute>
</WebBaselineRule>
<!--
  Az-Web-009: the name says "less than or equals to 4096" but the operation is
  LessThan with ExpectedValue 4096. Whether LessThan is inclusive is decided by
  the evaluator, not here; if it is strict, a maxRequestLength of exactly 4096 fails.
-->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>3eb8e8d3-867e-4821-906e-95764dabdd8e</Id>
<CceId></CceId>
<AzId>Az-Web-009</AzId>
<Name>Set maxRequestLength to less than or equals to 4096</Name>
<Type>IIS</Type>
<ExpectedValue>4096</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>LessThan</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/httpRuntime</Section>
<Attribute>maxRequestLength</Attribute>
</WebBaselineRule>
<!-- Az-Web-010 through Az-Web-012: three httpRuntime attributes (enableHeaderChecking, enableVersionHeader, sendCacheControlHeader). -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>feb0f23f-c0a2-4d8a-b597-ca55f95547d2</Id>
<CceId></CceId>
<AzId>Az-Web-010</AzId>
<Name>Set enableHeaderChecking to true</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/httpRuntime</Section>
<Attribute>enableHeaderChecking</Attribute>
</WebBaselineRule>
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>52d01288-2847-444d-a949-d189c96f8b9c</Id>
<CceId></CceId>
<AzId>Az-Web-011</AzId>
<Name>Set enableVersionHeader to false</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/httpRuntime</Section>
<Attribute>enableVersionHeader</Attribute>
</WebBaselineRule>
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>a3d06589-ce26-4792-9732-3c348e8e136b</Id>
<CceId></CceId>
<AzId>Az-Web-012</AzId>
<Name>Set sendCacheControlHeader to true</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/httpRuntime</Section>
<Attribute>sendCacheControlHeader</Attribute>
</WebBaselineRule>
<!-- Az-Web-013 through Az-Web-015: machineKey decryption, validation and validationKey. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>9cbec973-2f00-4699-9892-1cfad50c8b11</Id>
<CceId></CceId>
<AzId>Az-Web-013</AzId>
<Name>Set machinekey decryption algorithm to AES</Name>
<Type>IIS</Type>
<ExpectedValue>AES</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/machineKey</Section>
<Attribute>decryption</Attribute>
</WebBaselineRule>
<!--
  Az-Web-014: ExpectedValue 1 with Equals on the validation attribute, which is
  an algorithm name in web.config. As with Az-Web-006, the numeric encoding is
  decided by the evaluator; the name does not say which algorithm 1 stands for.
-->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>b056b41f-37e2-4537-b61d-77bbb817b83b</Id>
<CceId></CceId>
<AzId>Az-Web-014</AzId>
<Name>Set MachineKey Validation and Encryption per SDL</Name>
<Type>IIS</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/machineKey</Section>
<Attribute>validation</Attribute>
</WebBaselineRule>
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>748fd467-443f-4c55-bbb1-c8ada0cc4eb4</Id>
<CceId></CceId>
<AzId>Az-Web-015</AzId>
<Name>Set machine validation Key to AutoGenerate,IsolateApps</Name>
<Type>IIS</Type>
<ExpectedValue>AutoGenerate,IsolateApps</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/machineKey</Section>
<Attribute>validationKey</Attribute>
</WebBaselineRule>
<!-- Az-Web-016 and Az-Web-017: system.web/pages enableViewState and validateRequest. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>3041473b-4776-4ba8-8069-f2d1a4f27bf8</Id>
<CceId></CceId>
<AzId>Az-Web-016</AzId>
<Name>Set enableViewState to true</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/pages</Section>
<Attribute>enableViewState</Attribute>
</WebBaselineRule>
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>d81e28bc-fe9b-4566-b1af-cc1a9763bc3a</Id>
<CceId></CceId>
<AzId>Az-Web-017</AzId>
<Name>Turn on web page validation request</Name>
<Type>IIS</Type>
<ExpectedValue>True</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/pages</Section>
<Attribute>validateRequest</Attribute>
</WebBaselineRule>
<!--
  Az-Web-018 and Az-Web-019: sessionState. cookieless is compared as the number 1
  (the name says UseCookies); the enum encoding is decided by the evaluator.
-->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>121a2e7b-c2d8-4e2e-84ed-ed0901f8d066</Id>
<CceId></CceId>
<AzId>Az-Web-018</AzId>
<Name>Set cookieless to UseCookies</Name>
<Type>IIS</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/sessionState</Section>
<Attribute>cookieless</Attribute>
</WebBaselineRule>
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>62249302-e7ba-4833-9899-bbc72f2e0081</Id>
<CceId></CceId>
<AzId>Az-Web-019</AzId>
<Name>Set regenerateExpiredSessionId to false</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/sessionState</Section>
<Attribute>regenerateExpiredSessionId</Attribute>
</WebBaselineRule>
<!-- Az-Web-020: the "enabled attribute" in the name is system.web/trace enabled (tracing off). -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>d7fb2d9f-f019-49c2-a7e3-03c5ff51df1b</Id>
<CceId></CceId>
<AzId>Az-Web-020</AzId>
<Name>Set enabled attribute to false</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/trace</Section>
<Attribute>enabled</Attribute>
</WebBaselineRule>
<!--
  Az-Web-021: the only Contains rule. ExpectedValue is a pipe separated list
  (Medium|Low|Minimal); presumably the observed trust level passes if it is one
  of the alternatives, so the rule is looser than "equals Medium" in the name.
-->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>89da244c-ed44-41d8-b8d9-98f82004b580</Id>
<CceId></CceId>
<AzId>Az-Web-021</AzId>
<Name>Configure Global .NET Trust Level equals Medium</Name>
<Type>IIS</Type>
<ExpectedValue>Medium|Low|Minimal</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Contains</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.web</SectionGroup>
<Section>system.web/trust</Section>
<Attribute>level</Attribute>
</WebBaselineRule>
<!-- From here on the rules target system.webServer (IIS) sections rather than system.web (ASP.NET). -->
<!-- Az-Web-026: directoryBrowse enabled="false". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>03d4806d-4003-42de-8de2-e45325b3a769</Id>
<CceId></CceId>
<AzId>Az-Web-026</AzId>
<Name>Set Directory Browsing to disabled</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.webServer</SectionGroup>
<Section>system.webServer/directoryBrowse</Section>
<Attribute>enabled</Attribute>
</WebBaselineRule>
<!-- Az-Web-027: httpErrors errorMode compared numerically (LessThan 1), same enum caveat as Az-Web-006. -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>e73e6cb2-5e3f-49b6-bb12-7ad580cf8392</Id>
<CceId></CceId>
<AzId>Az-Web-027</AzId>
<Name>Hide IIS HTTP Detailed Errors from Displaying Remotely</Name>
<Type>IIS</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>LessThan</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.webServer</SectionGroup>
<Section>system.webServer/httpErrors</Section>
<Attribute>errorMode</Attribute>
</WebBaselineRule>
<!--
  Az-Web-028: despite the name ("Application Pool Identity userName"), the attribute
  checked is anonymousAuthentication userName, and ExpectedValue is a single space
  rather than an empty element. Presumably the intent is "userName is blank so the
  anonymous user runs as the application pool identity"; whether the evaluator trims
  whitespace before the Equals comparison is not visible here and should be confirmed,
  otherwise a genuinely empty userName would not match " ".
-->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>74736590-bcdd-4836-b0d5-c81837a002d0</Id>
<CceId></CceId>
<AzId>Az-Web-028</AzId>
<Name>Set Application Pool Identity userName to NONE</Name>
<Type>IIS</Type>
<ExpectedValue> </ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.webServer</SectionGroup>
<Section>system.webServer/security/authentication/anonymousAuthentication</Section>
<Attribute>userName</Attribute>
</WebBaselineRule>
<!-- Az-Web-029: isapiCgiRestriction notListedIsapisAllowed="false". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>61e46ddc-6620-4b5f-91e9-c2525b3d89ad</Id>
<CceId></CceId>
<AzId>Az-Web-029</AzId>
<Name>Set notListedIsapisAllowed to false</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.webServer</SectionGroup>
<Section>system.webServer/security/isapiCgiRestriction</Section>
<Attribute>notListedIsapisAllowed</Attribute>
</WebBaselineRule>
<!-- Az-Web-031: requestFiltering allowDoubleEscaping="false" (double encoded requests rejected). -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>d2f58ffa-f7db-405f-b154-5e28752b6c3e</Id>
<CceId></CceId>
<AzId>Az-Web-031</AzId>
<Name>Ensure Double-Encoded Requests will be rejected</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.webServer</SectionGroup>
<Section>system.webServer/security/requestFiltering</Section>
<Attribute>allowDoubleEscaping</Attribute>
</WebBaselineRule>
<!-- Az-Web-033: urlCompression doDynamicCompression="false". -->
<WebBaselineRule>
<BaselineId>D910D7F5-424C-9D4B-1948-2C79994B4A9A</BaselineId>
<Id>b06d4c8a-0ea5-462c-9ce3-399458cbb849</Id>
<CceId></CceId>
<AzId>Az-Web-033</AzId>
<Name>Turn off Dynamic URL Compression</Name>
<Type>IIS</Type>
<ExpectedValue>False</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionGroup>system.webServer</SectionGroup>
<Section>system.webServer/urlCompression</Section>
<Attribute>doDynamicCompression</Attribute>
</WebBaselineRule>
</Rules>
<!-- Ruleset metadata; the Id here is the BaselineId referenced by every rule above. -->
<Id>D910D7F5-424C-9D4B-1948-2C79994B4A9A</Id>
<Name>Web Baseline IIS 7 or higher</Name>
<Type>Web</Type>
</BaselineRuleset>
</ArrayOfBaselineRuleset>