Check: WG355 IIS6
(in version v6 r16)
Title
A private web site must utilize certificates from a trusted DoD CA. (Cat II impact)
Discussion
The use of a DoD PKI certificate ensures clients that the private web site they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.
Check Content
1. Open the IIS Manager > Right click on the site being reviewed > Select Properties > Select the Directory Security tab.
2. Under Secure communications > Select Edit > if the Enable certificate trust list is checked, Select Edit.
3. When prompted by the certificate trust list wizard select Next.

If there are trusted CAs in this list that are not DoD, this is a finding.

NOTE: There are non-DoD roots that must be on the server in order for it to function. Some applications, such as anti-virus programs, require root CAs to function.

NOTE: The PKE InstallRoot 3.06 System Administrator Guide (SAG), dated 8 Jul 2008, contains a complete list of DoD, ECA, and IECA CAs.
Fix Text
Configure the certificate trust list to trust only DoD-approved PKIs (e.g., DoD PKI, DoD ECA, and DoD-approved external partners).
Additional Identifiers
Rule ID: SV-14206r1_rule
Vulnerability ID: V-13620
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |