A private web server must have a valid server certificate.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2263	WG350 IIS7	SV-32531r2_rule		Medium

Description
This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.

Description

This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.

STIG	Date
IIS 7.0 Site STIG	2019-05-15

Details

Check Text ( C-33498r1_chk )
1. Open the IIS Manager. 2. Click on the Server name. 3. Double-Click the Server Certificate icon. 4. Double-Click each certificate and verify the certificate path is to a DoD root CA. If not, this is a finding.

Fix Text (F-29200r1_fix)
1. Open the IIS Manager. 2. Click on the Server name. 3. Double-Click the Server Certificate icon. 4. Import a valid DoD certificate and remove any non-DoD certificates.