
A private web server will have a valid DoD server certificate.


Overview

Finding ID: V-2263
Version: WG350
Rule ID: SV-2263r1_rule
IA Controls: (none listed)
Severity: Medium
Description
This check verifies that the hosted web site's certificate was issued by a DoD Certification Authority (CA) and is a DoD-issued server certificate used by the organization being reviewed. The certificate is used to verify the authenticity of the web site to the user. If the certificate is not for the server (Certificate belongs to), if it was not issued by DoD (Certificate was issued by), or if the current date does not fall within its validity period (Certificate is valid from), then there is no assurance that the use of the certificate is valid, and the entire purpose of using a certificate is compromised.
STIG: IIS 7.0 Site STIG
Date: 2019-03-22

Details

Check Text (C-29416r1_chk)
Open a browser window and navigate to the site under review.

Double-click the lock icon in order to view the site certificate or, if necessary, click View Certificate from the context menu.

Select the Details tab in the Certificate dialog window.

Left-click the Issuer field and observe its contents.

If the certificate was not issued by the DoD, then this is a finding.
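An automated companion to the manual browser check above, added here as an example and not part of the STIG: it evaluates the three conditions named in the Description (issued by DoD, belongs to the server, current date within validity) against a certificate in the dict format Python's ssl.SSLSocket.getpeercert() returns, so the same function can be run on a live connection to the site under review. The sample certificate, host names, CA common name and review date are constructed, and testing the issuer for O=U.S. Government and OU=DoD is an assumption about how DoD CA names are represented.

```python
import ssl

# Constructed certificate in the dict format returned by ssl.SSLSocket.getpeercert();
# host name, CA name and dates are made up. A live review would pass getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.mil"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "U.S. Government"),),
        (("organizationalUnitName", "DoD"),),
        (("organizationalUnitName", "PKI"),),
        (("commonName", "DOD SW CA-00"),),  # placeholder CA common name
    ),
    "notBefore": "Mar 22 00:00:00 2019 GMT",
    "notAfter": "Mar 22 23:59:59 2021 GMT",
    "subjectAltName": (("DNS", "www.example.mil"), ("DNS", "example.mil")),
}
# Assumed review date, inside the sample certificate's validity window.
REVIEW_TIME = ssl.cert_time_to_seconds("Jan 01 00:00:00 2020 GMT")

def _rdn_values(name, attr):
    """All values of one attribute (e.g. organizationalUnitName) in a getpeercert() name."""
    return [v for rdn in name for (k, v) in rdn if k == attr]

def _hostname_matches(pattern, hostname):
    """Exact match or single-label wildcard (*.example.mil), case-insensitive."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def check_dod_server_cert(cert, hostname, now):
    """Evaluate the three WG350 conditions at time 'now'; 'finding' is True if any fails."""
    # Certificate was issued by: issuer DN must carry O=U.S. Government and OU=DoD (assumed form).
    issued_by_dod = ("U.S. Government" in _rdn_values(cert["issuer"], "organizationName")
                     and "DoD" in _rdn_values(cert["issuer"], "organizationalUnitName"))
    # Certificate belongs to: a SAN DNS entry or the subject CN must name this server.
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    names += _rdn_values(cert["subject"], "commonName")
    belongs_to_server = any(_hostname_matches(n, hostname) for n in names)
    # Certificate is valid from: the review date must fall inside notBefore..notAfter.
    within_validity = (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
                       <= ssl.cert_time_to_seconds(cert["notAfter"]))
    return {"issued_by_dod": issued_by_dod, "belongs_to_server": belongs_to_server,
            "within_validity": within_validity,
            "finding": not (issued_by_dod and belongs_to_server and within_validity)}

if __name__ == "__main__":
    print(check_dod_server_cert(SAMPLE_CERT, "www.example.mil", REVIEW_TIME))
```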
Fix Text (F-26866r1_fix)
Configure the private web site to use a valid DoD certificate.