
A private web-site's authentication mechanism must use client certificates.


Overview

Finding ID: V-6531
Version: WG140 IIS7
Rule ID: SV-32380r4_rule
IA Controls: (none listed)
Severity: Medium
Description
A DoD private web-site must use PKI as the authentication mechanism for its web users. Information systems residing behind web servers that require authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions. If the site does not require client certificates, an attacker can reach the private web-site without authenticating at all.
STIG: IIS 7.0 Site STIG
Date: 2019-05-15

Details

Check Text (C-32933r3_chk)
1. Open the IIS Manager.
2. Click the site name under review.
3. Double click the SSL Settings icon.
4. Under Client certificates, ensure Require is selected (Require SSL must also be checked, otherwise the client certificate setting has no effect). If Require is not selected, this is a finding.

NOTE: If the site has operational reasons not to require client certificates, this vulnerability can be documented locally by the ISSM/ISSO.
Fix Text (F-28970r2_fix)
1. Open the IIS Manager.
2. Click the site name under review.
3. Double click the SSL Settings icon.
4. Check Require SSL, select Require under Client certificates, and click Apply.
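The check and fix above are the same IIS Manager procedure. The script below is an added example, not part of the STIG text, that performs the same audit and remediation from PowerShell with the IIS configuration provider, so it can be run across many sites instead of clicking through SSL Settings one site at a time. The site name, the -Fix switch, and the output wording are assumptions for illustration. The "Client certificates: Require" radio button writes the Ssl, SslNegotiateCert and SslRequireCert values into the sslFlags attribute of system.webServer/security/access, which is what the script inspects. On IIS 7.0 the WebAdministration provider is a separate download (the IIS PowerShell snap-in); on IIS 7.5 and later it ships with the role.

```powershell
# Added example (not from the STIG page): audit and remediate WG140 / V-6531
# (client certificates required) for one IIS site.
# Assumptions: site name, -Fix switch and message text are illustrative only.
param(
    [string]$SiteName = 'Default Web Site',   # assumed site under review
    [switch]$Fix                              # assumed: apply the STIG fix
)

# Needs the IIS PowerShell provider: separate snap-in on IIS 7.0, built in on 7.5+.
Import-Module WebAdministration -ErrorAction Stop

$filter = 'system.webServer/security/access'
$psPath = "IIS:\Sites\$SiteName"

# These three flags are what IIS Manager writes for "Require SSL" plus
# "Client certificates: Require". Without Ssl the other two are not enforced.
$required = @('Ssl', 'SslNegotiateCert', 'SslRequireCert')

# Caveat a reviewer would raise: requiring a client certificate is meaningless
# unless the site actually has an HTTPS binding.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    Write-Warning "'$SiteName' has no https binding; client certificates cannot be presented."
}

# The provider may return the flags as a plain string or as an object with a
# Value property, depending on the IIS/PowerShell version, so accept both.
$raw = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name sslFlags
$flagString = if ($raw.PSObject.Properties['Value']) { [string]$raw.Value } else { [string]$raw }
$current = $flagString -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$missing = $required | Where-Object { $current -notcontains $_ }

if (-not $missing) {
    Write-Output "NOT A FINDING: '$SiteName' sslFlags = $($current -join ',')"
    return
}

Write-Output "FINDING (V-6531 / WG140): '$SiteName' sslFlags = '$($current -join ',')', missing $($missing -join ',')"

if ($Fix) {
    # Equivalent of Fix Text F-28970r2_fix: Require SSL + Client certificates: Require.
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name sslFlags -Value ($required -join ',')
    Write-Output "Set sslFlags to '$($required -join ',')' on '$SiteName'"
}
```

Run it without -Fix first (for example, .\Check-WG140.ps1 -SiteName 'Intranet') to record the finding, and with -Fix only after the site's HTTPS binding and the issuing CA's trust chain are in place: once sslFlags includes SslRequireCert, every request without an acceptable client certificate is refused with a 403.7, so applying the fix to a site whose users do not yet hold certificates is an outage, not a hardening step.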