UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure applications requiring server authentication are PK-enabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6168 APP3300 SV-6168r1_rule IATS-1 IATS-2 Medium
Description
Applications not using PKI are at risk of containing many password vulnerabilities. PKI is the preferred method of authentication.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-2944r1_chk )
Ask the application SA or developer if the application enables clients to authenticate to the server or the application it is communicating with. The most common example of this type of authentication is when a client validates a server’s PKI certificate when initiating an SSL or IPSEC connection.

1) If the SA or developer answers that this capability is not present, this is a finding.

If the SA or developer states that the capability is present, validate this by logging on to each component that supports authentication of servers. For web applications, note cases in which the client browser issues a warning that the server’s certificate is not valid. Reasons include:

• A trusted certificate authority did not issue the certificate
• The certificate has expired
• The name of the certificate does not match the URL of the page you are trying to view

The client application should provide a function to allow or disallow the server access to the client application. The server must be setup with a certificate for identification.

Determine if the application checks for server authentication before allowing the user to continue. The server’s certificate should be checked by the user’s web browser or client application.

2) If there is no server certificate or the client application does not validate the server certificate, it is a finding.
Fix Text (F-17019r1_fix)
Enable the application to use PKI for authentication.