UCF STIG Viewer Logo

A private web sites authentication mechanism must use client certificates.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6531 WG140 IIS6 SV-30046r1_rule IATS-1 IATS-2 Medium
Description
A DoD private web site must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private web sites.
STIG Date
IIS6 Site 2015-06-01

Details

Check Text ( C-37411r1_chk )
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Directory Security tab.
2. Under the Secure communications area select the Edit button.
3. Ensure Require secure channel (SSL) and Require client certificates are checked.

If Require secure channel (SSL) and Require client certificates are not checked, this is a finding.
Fix Text (F-32647r1_fix)
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Directory Security tab.
2. Under the Secure communications area select the Edit button.
3. Select Require secure channel (SSL) and Require client certificates > Press OK.