An error occurred:

Check: IISW-SI-000220

Microsoft IIS 8.5 Site STIG: IISW-SI-000220 (in versions v2 r9 through v2 r8)

Title

A private websites authentication mechanism must use client certificates to transmit session identifier to assure integrity. (Cat II impact)

Discussion

A DoD private website must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private websites. Satisfies: SRG-APP-000172-WSR-000104, SRG-APP-000224-WSR-000135, SRG-APP-000427-WSR-000186

Check Content

Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. Note: If the server being reviewed is hosting Exchange, this is Not Applicable. Note: If the server being reviewed is hosting SharePoint, this is Not Applicable. Note: If the server being reviewed is hosting WSUS, this is Not Applicable. Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click the "SSL Settings" icon. Verify the "Clients Certificate Required" check box is selected. If the "Clients Certificate Required" check box is not selected, this is a finding.

Fix Text

Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. Note: If the server is hosting Exchange, this is Not Applicable. Note: If the server is hosting SharePoint, this is Not Applicable. Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click the "SSL Settings" icon. Verify the "Clients Certificate Required" check box is selected. Select "Apply" from the "Actions" pane.

Additional Identifiers

Rule ID: SV-214460r903091_rule

Vulnerability ID: V-214460

Group Title: SRG-APP-000172-WSR-000104

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000197

The information system, for password-based authentication, transmits only cryptographically-protected passwords.
CCI-001188

The information system generates unique session identifiers for each session with organization-defined randomness requirements.
CCI-002470

The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-5 (1)

Password-Based Authentication
SC-23 (3)

Unique Session Identifiers With Randomization
SC-23 (5)

Allowed Certificate Authorities