Check: WG145 IIS6
IIS6 Site: WG145 IIS6 (in version v6 r16)
Title
The private web server must use an approved DoD certificate validation process. (Cat II impact)
Discussion
Without the use of a certificate validation process, the site is vulnerable to accepting expired or revoked certificates. This would allow unauthorized individuals access to the web server. This also defeats the purpose of the multi-factor authentication provided by the PKI process.
Check Content
1. Select Start > Run, then enter the path to the Metabase.xml file (default is %systemroot%\system32\inetsrv\Metabase.xml).
2. Press Ctrl+F and enter CertCheckMode.
3. Ensure the ServerComment property, a few lines after the CertCheckMode property, contains the name of the web site being reviewed.
4. Verify the CertCheckMode property is set to 0.

If the value of this property is not set to 0, this is a finding.

NOTE: The value for this parameter defaults to 0, which means that CRL checking is enabled. So, if the web site being reviewed is missing this parameter, this would not be a finding.

NOTE: If the property exists both at the server level, LM/W3SVC/CertCheckMode, and at the site level, W3SVC/(site name)/CertCheckMode, the value at the site level overrides the value at the server level. So, in this case, if the server is set to 0 and the site is set to 1, it would be a finding for the site being reviewed.
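The check above, automated as an added Python example (not part of the STIG or any DISA tooling): it parses a Metabase.xml, resolves each site's effective CertCheckMode using the site-over-server override, and flags any non-zero value. The sample XML is constructed; the element layout (properties stored as attributes on an element carrying a Location attribute) and the inheritance of the server-level value by a site that does not set the property are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the assumed IIS 6 Metabase.xml layout (one element per
# metabase key, properties as attributes); not taken from a real server.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsWebService Location="/LM/W3SVC" CertCheckMode="0"/>
    <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"/>
    <IIsWebServer Location="/LM/W3SVC/2" CertCheckMode="1" ServerComment="Private Site"/>
    <IIsWebServer Location="/LM/W3SVC/3" CertCheckMode="0" ServerComment="Portal"/>
    <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT"/>
  </MBProperty>
</configuration>"""

# Site keys only (/LM/W3SVC/<id>), not virtual directories below them.
SITE_KEY = re.compile(r"^/LM/W3SVC/\d+$", re.IGNORECASE)

def audit_cert_check_mode(xml_text):
    """Return one dict per web site with its effective CertCheckMode."""
    keys = [el for el in ET.fromstring(xml_text).iter() if el.get("Location")]
    server_mode = 0  # per the check text, a missing property defaults to 0
    for el in keys:
        raw = el.get("CertCheckMode")
        if el.get("Location").upper() == "/LM/W3SVC" and raw is not None:
            server_mode = int(raw)
    results = []
    for el in keys:
        if not SITE_KEY.match(el.get("Location")):
            continue
        raw = el.get("CertCheckMode")
        # Site value overrides the server value; an unset site is assumed
        # to inherit the server-level value.
        mode = int(raw) if raw is not None else server_mode
        results.append({
            "location": el.get("Location"),
            "site": el.get("ServerComment", ""),
            "mode": mode,
            "source": "site" if raw is not None else "server/default",
            "finding": mode != 0,  # any value other than 0 is a finding
        })
    return results

if __name__ == "__main__":
    for r in audit_cert_check_mode(SAMPLE_METABASE):
        status = "FINDING" if r["finding"] else "ok"
        print(r["location"], repr(r["site"]), r["mode"], r["source"], status)
```

Run it against a copy of the file rather than the live metabase, and confirm the reported site name matches the site under review, as step 3 requires.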
Fix Text
Configure the DoD Private Web Server to conduct certificate revocation checking.
Additional Identifiers
Rule ID: SV-28796r1_rule
Vulnerability ID: V-13672
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |