Description
Describe the bug
The IIS Site rule V-278953, introduced in "Ver 2, Rel 13" of IIS Site in #1509, is a registry key rule that was previously in IIS Server 10.0-3.4 under the ID V-241788 and migrated to IIS Server in the Q4 2025 STIG release.
However, when introduced to PowerSTIG in #1509, no actionable rule was defined. Instead of copying over the registry key updating behavior from IIS Server 10.0-3.4, the new rule was left as dscresource="None".
As a result, the change required by V-278953 (IIS Site), formerly V-241788 (IIS Server), is no longer applied to systems.
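As an added example (not code from the issue author or from the PowerSTIG project), the following PowerShell checks the registry value V-278953 (formerly V-241788) is meant to enforce, mirroring the STIG check text, and writes out the DSC `Registry` block that a PowerSTIG RegistryRule for it compiles down to. It assumes Windows PowerShell 5.1 with PSDscResources 2.12.0.0 (the version IisSite already imports); the function and configuration names are my own.

```powershell
# Added example, not code from the issue author or from PowerSTIG. It checks the
# value V-278953 (formerly V-241788) is meant to enforce and shows the DSC Registry
# block a PowerSTIG RegistryRule for it compiles down to. Function and configuration
# names are my own; Windows PowerShell 5.1 and PSDscResources 2.12.0.0 are assumed.

$HttpParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Test-DisableServerHeader {
    [CmdletBinding()]
    param([string]$Key = $HttpParamsKey)
    # A missing key and a missing value both come back as $null here.
    $item  = Get-ItemProperty -Path $Key -Name 'DisableServerHeader' -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.DisableServerHeader } else { $null }
    # Mirror the STIG check text: REG_DWORD DisableServerHeader must be 2. The
    # "removed via other means" exception (e.g. an outbound rewrite rule) cannot be
    # decided from the registry, so a missing value is reported Open with a note.
    if ($value -eq 2) {
        $status = 'NotAFinding'
        $note   = 'DisableServerHeader is 2'
    } elseif ($null -eq $value) {
        $status = 'Open'
        $note   = 'Value not set; only not a finding if the Server header is stripped by other means (manual review)'
    } else {
        $status = 'Open'
        $note   = "Value is $value, expected 2"
    }
    [pscustomobject]@{
        RuleId = 'V-278953'; Key = $Key; Value = $value; Status = $status; Note = $note
    }
}

# The resource block the patched RegistryRule should produce, written out by hand so it
# can be applied or compared with Test-DscConfiguration independently of PowerSTIG.
configuration V278953DisableServerHeader {
    Import-DscResource -ModuleName PSDscResources -ModuleVersion 2.12.0.0
    Node localhost {
        Registry 'V-278953' {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
            ValueName = 'DisableServerHeader'
            ValueType = 'Dword'
            ValueData = '2'
        }
    }
}

Test-DisableServerHeader | Format-List
```

Running the check on a host that was supposedly hardened with the affected IIS Site release is a quick way to confirm whether the regression described above has left the Server header enabled.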
Proposed Solution
The configuration from the older version of IIS Server can be migrated over, more or less as is[^1]. Below I have attached the three changes I made to my local copy of PowerSTIG to properly configure IIS Site V-278953.
NOTE: I do not know the workflow for converting XML files since the "Convert Wiki" linked in the README.md is missing. Please let me know how to properly use the Convert module and I will open a PR for XML/Rule updates. The modifications I made below were manual and perhaps should be integrated in some other part of the pipeline -- I just don't know what that pipeline is yet.
Patches
IISSite-10.0-2.13.xml.patch (Making `V-278953` a registry rule)
diff --git b/./OfflineModules_clean/PowerSTIG/4.28.0/StigData/Processed/IISSite-10.0-2.13.xml a/./OfflineModules/PowerSTIG/4.28.0/StigData/Processed/IISSite-10.0-2.13.xml
index 89e673e..07701f9 100644
--- b/./OfflineModules_clean/PowerSTIG/4.28.0/StigData/Processed/IISSite-10.0-2.13.xml
+++ a/./OfflineModules/PowerSTIG/4.28.0/StigData/Processed/IISSite-10.0-2.13.xml
@@ -553,10 +553,14 @@ NOTE: While DoDI 8500.01 does not contain a copy of the banner to be used, it do
If the access-controlled website does not display this banner page before entry, this is a finding.</RawString>
</Rule>
- <Rule id="V-278953" severity="medium" conversionstatus="pass" title="SRG-APP-000266-WSR-000159" dscresource="None">
+ </ManualRule>
+ <RegistryRule dscresourcemodule="PSDscResources">
+ <Rule id="V-278953" severity="medium" conversionstatus="pass" title="SRG-APP-000266-WSR-000159" dscresource="Registry">
<Description><VulnDiscussion>HTTP Response Headers contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of certain HTTP Response Header information to remote requesters exposes internal configuration information to potential attackers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
<DuplicateOf />
+ <Ensure>Present</Ensure>
<IsNullOrEmpty>False</IsNullOrEmpty>
+ <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters</Key>
<LegacyId>
</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired>
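Review bot: this hunk hand-edits a file under StigData/Processed, which the Convert module regenerates from the archived XCCDF plus the matching .log overrides, so the `</ManualRule>` / `<RegistryRule dscresourcemodule="PSDscResources">` split added here will be lost on the next conversion unless the .log entry (third patch) is what goes into the PR and this XML is regenerated from it. The split itself only works because V-278953 was the last rule in the ManualRule block, which the `- </ManualRule>` removed in the next hunk confirms; the added `<Ensure>` and `<Key>` elements keep the alphabetical element order the surrounding rules use.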
@@ -572,8 +576,11 @@ Verify "DisableServerHeader” is set to "2".
If REG_DWORD DisableServerHeader is not set to "2", this is a finding.
If the system administrator can show that Server Version information has been removed via other means, such as using a rewrite outbound rule, this is not a finding.</RawString>
+ <ValueData>2</ValueData>
+ <ValueName>DisableServerHeader</ValueName>
+ <ValueType>Dword</ValueType>
</Rule>
- </ManualRule>
+ </RegistryRule>
<MimeTypeRule dscresourcemodule="xWebAdministration">
<Rule id="V-218743.a" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000081" dscresource="xIisMimeTypeMapping">
<Description><VulnDiscussion>Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or could use the function in an unintentional manner.

IisSite.schema.psm1.patch (adding `windows.Registry.ps1` as an IisSite required module)
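Review bot: on the second hunk of IISSite-10.0-2.13.xml.patch: `<ValueData>2</ValueData>` matches the check text in this hunk ("If REG_DWORD DisableServerHeader is not set to "2", this is a finding") rather than the `1` the old IIS Server rule carried according to the footnote, which is the right call, but the IIS Server 10.0 V-241788 entry should be corrected or at least flagged in the same PR so the two profiles do not disagree on the value. `<ValueType>Dword</ValueType>` with `<Ensure>Present</Ensure>` is the combination the Registry resource expects; since the check text also accepts removing the Server header by other means (rewrite outbound rule), make sure the rule remains skippable through the usual skip mechanism (the composite already loads windows.Script.skip.ps1) rather than being enforced unconditionally.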
diff --git b/./OfflineModules_clean/PowerSTIG/4.28.0/DSCResources/IisSite/IisSite.schema.psm1 a/./OfflineModules/PowerSTIG/4.28.0/DSCResources/IisSite/IisSite.schema.psm1
index 1ce0ad7..803c15b 100644
--- b/./OfflineModules_clean/PowerSTIG/4.28.0/DSCResources/IisSite/IisSite.schema.psm1
+++ a/./OfflineModules/PowerSTIG/4.28.0/DSCResources/IisSite/IisSite.schema.psm1
@@ -88,6 +88,7 @@ configuration IisSite
##### END DO NOT MODIFY #####
Import-DscResource -ModuleName PSDSCresources -ModuleVersion 2.12.0.0
+ . "$resourcePath\windows.Registry.ps1"
. "$resourcePath\windows.Script.skip.ps1"
. "$resourcePath\windows.WindowsFeature.ps1"

U_MS_IIS_10-0_Site_STIG_V2R13_Manual-xccdf.log.patch (this is optional for workaround purposes)
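Review bot: on the IisSite.schema.psm1 hunk: the new dot-source of windows.Registry.ps1 sits below the `##### END DO NOT MODIFY #####` marker next to the other `$resourcePath` files, and the `Import-DscResource -ModuleName PSDSCresources -ModuleVersion 2.12.0.0` line directly above already brings in the Registry resource, so no further import is needed. Compare with IisServer.schema.psm1, which already has to handle RegistryRule for V-241788, to confirm nothing above the marker (rule-type handling in the generated part) also needs to change, otherwise the composite will load the file but never emit a Registry resource for the new node.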
diff --git b/./OfflineModules_clean/PowerSTIG/4.28.0/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_STIG_V2R13_Manual-xccdf.log a/./OfflineModules/PowerSTIG/4.28.0/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_STIG_V2R13_Manual-xccdf.log
index a62fb83..6e18bae 100644
--- b/./OfflineModules_clean/PowerSTIG/4.28.0/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_STIG_V2R13_Manual-xccdf.log
+++ a/./OfflineModules/PowerSTIG/4.28.0/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_STIG_V2R13_Manual-xccdf.log
@@ -3,4 +3,4 @@ V-218735::System Administrator::""
V-218754::If the "maxAllowedContentLength" value is not explicitly set to "30000000" or less or a length documented and approved by the ISSO, this is a finding.::If the "maxAllowedContentLength" value is not explicitly set to "30000000" or less or a length approved by the ISSO, this is a finding.
V-218763::*::HardCodedRule(WebConfigurationPropertyRule)@{DscResource = 'xWebConfigKeyValue'; Key = 'timeout'; Value = $null; OrganizationValueTestString = "'{0}' -le '00:15:00'"; ConfigSection = '/system.web/sessionState'}
V-218775::*::HardCodedRule(WebAppPoolRule)@{DscResource = 'xWebAppPool'; Key = 'logEventOnRecycle'; Value = $null; OrganizationValueTestString = "'{0}' 'Value must contain Time and Schedule but can contain Requests, Memory, IsapiUnhealthy, OnDemand, ConfigChange, PrivateMemory'"}
-V-278953::*::.
+V-278953::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'; ValueData = 2; ValueName = 'DisableServerHeader'; ValueType = 'Dword'}
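Review bot: this log change is the durable fix rather than an optional workaround: the HardCodedRule entry is what the converter reads to turn V-278953 into a RegistryRule, and the Processed XML in the first patch is its output, so this is the line a PR should carry. Two things to check: `ValueData = 2` is an unquoted integer while the neighbouring entries quote their values (`Key = 'timeout'`, `Key = 'logEventOnRecycle'`), so confirm the converter serialises it as `<ValueData>2</ValueData>`; and the replaced `V-278953::*::.` appears to be the placeholder that produced `dscresource="None"`, so it is worth grepping this log for other migrated rules left with the same placeholder.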
Footnotes

[^1]: That is actually somewhat untrue. There appears to be a misconfiguration in the old IIS Server rule, since the check/fix text is looking for `<ValueData>2</ValueData>` but the actual XML specifies `<ValueData>1</ValueData>`. In the patches I attach here, this is accounted for and the value is properly set to 2.