Check: IIST-SI-000220
Microsoft IIS 10.0 Site STIG:
IIST-SI-000220
(in versions v2 r9 through v2 r8)
Title
A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity. (Cat II impact)
Discussion
A DoD private website must use PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private websites. Satisfies: SRG-APP-000172-WSR-000104, SRG-APP-000224-WSR-000135, SRG-APP-000427-WSR-000186
Check Content
Note: If the server being reviewed is a public IIS 10.0 web server, this is Not Applicable. Note: If the server being reviewed is hosting SharePoint, this is Not Applicable. Note: If the server being reviewed is hosting WSUS, this is Not Applicable. Note: If certificate handling is performed at the Proxy/Load Balancer, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon. Verify the "Clients Certificate Required" check box is selected. If the "Clients Certificate Required" check box is not selected, this is a finding.
Fix Text
Note: If the server being reviewed is a public IIS 10.0 web server, this is Not Applicable. Note: If the server being reviewed is hosting SharePoint, this is Not Applicable. Note: If certificate handling is performed at the Proxy/Load Balancer, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon. Verify the "Clients Certificate Required" check box is selected. Select "Apply" from the "Actions" pane.
Additional Identifiers
Rule ID: SV-218749r903117_rule
Vulnerability ID: V-218749
Group Title: SRG-APP-000172-WSR-000104
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000197 |
For password-based authentication, transmit passwords only over cryptographically-protected channels. |
CCI-001188 |
Generate a unique session identifier for each session with organization-defined randomness requirements. |
CCI-002470 |
Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions. |