
The private web server must use an approved DoD client certificate validation process.


Overview

Finding ID: V-13672
Version: WG145 IIS7
Rule ID: SV-32479r1_rule
IA Controls: IATS-1, IATS-2
Severity: Medium
Description
Without the use of a client certificate validation process, the site is vulnerable to accepting expired or revoked certificates. This could allow unauthorized individuals access to the web server. The Certificate Revocation List (CRL) is a repository comprised of data usually from many contributing CRL sources. Certificate identifiers may arrive at the CRL for a number of reasons, for example, when an employee leaves, certificates expire, or if certificate keys become compromised and are reissued.
STIG: IIS 7.0 WEB SERVER STIG
Date: 2011-08-19

Details

Check Text (C-32794r1_chk)
Verify Client Certificate Revocation is enabled on the server.
1. Open a Command Prompt and enter the following command: netsh http show sslcert
2. Note the value assigned to the Verify Client Certificate Revocation element.
If the value of the Verify Client Certificate Revocation element is not enabled, this is a finding.
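The check above reads one value by eye, but netsh prints the Verify Client Certificate Revocation element once per SSL binding, so a server with several bindings has to be reviewed binding by binding. The PowerShell below is an added example, not part of the STIG text: it parses the output of netsh http show sslcert, reports the revocation-checking value for each binding, and marks any binding that is not Enabled as a finding. The sample netsh output embedded in it is constructed (hash and application ID values are placeholders) so the parser can be exercised offline; the function name Get-SslCertRevocationStatus is an assumption of this example.

```powershell
# Added example: evaluate V-13672 per SSL binding from 'netsh http show sslcert'.
function Get-SslCertRevocationStatus {
    param(
        # Lines of 'netsh http show sslcert' output; by default the command is run live.
        [string[]]$NetshOutput = (& netsh http show sslcert)
    )
    $results = @()
    $current = $null
    foreach ($line in $NetshOutput) {
        # A new binding starts at an 'IP:port' (or, on newer hosts, 'Hostname:port') line.
        if ($line -match '^\s*(?:IP|Hostname):port\s*:\s*(\S+)') {
            if ($current) { $results += $current }
            $current = [pscustomobject]@{
                Binding          = $Matches[1]
                VerifyRevocation = 'Unknown'   # stays Unknown if the element is missing
                Finding          = $true       # anything other than Enabled is a finding
            }
        }
        # Anchor at line start so the similarly named 'Verify Revocation Using Cached
        # Client Certificate Only' element is not mistaken for this one.
        elseif ($current -and $line -match '^\s*Verify Client Certificate Revocation\s*:\s*(\w+)') {
            $current.VerifyRevocation = $Matches[1]
            $current.Finding = ($Matches[1] -ne 'Enabled')
        }
    }
    if ($current) { $results += $current }
    return $results
}

# Constructed sample output: two bindings, the first compliant, the second a finding.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : PLACEHOLDER-HASH
    Application ID               : {PLACEHOLDER-APPID}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled

    IP:port                      : 0.0.0.0:8443
    Certificate Hash             : PLACEHOLDER-HASH
    Application ID               : {PLACEHOLDER-APPID}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Disabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
'@
$sampleLines = $sample -split "`r?`n"

Get-SslCertRevocationStatus -NetshOutput $sampleLines | Format-Table -AutoSize
# On the server under review, list only the bindings that are findings:
# Get-SslCertRevocationStatus | Where-Object Finding
```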
Fix Text (F-29073r1_fix)
Configure the web server to utilize an approved certificate validation process.