Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The private web server must use an approved DoD certificate validation process.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-13672 | WG145 IIS7 | SV-32479r1_rule | IATS-1 IATS-2 | Medium |
| Description |
|---|
| The Certificate Revocation List (CRL) is used for a number of reasons, for example, when an employee leaves, certificates expire, or if certificate keys become compromised and are reissued. Without the use of a certificate validation process, the server is vulnerable to accepting expired or revoked certificates. This could allow unauthorized individuals access to the web server. The CRL is a repository comprised of revoked certificate data, usually from many contributing CRL sources. Sites using an Online Certificate Status Protocol (OCSP) rather than CRL download to validate certificates will have obtained and installed an OCSP validation application. |
| STIG | Date |
|---|---|
| IIS 7.0 WEB SERVER STIG | 2013-02-01 |
Details
| Check Text ( C-32794r1_chk ) |
|---|
| Verify Certificate Revocation List (CRL) validation is enabled on the server. Open a Command Prompt and enter the following command: netsh http show sslcert Note the value assigned to the Verify Client Certificate Revocation element. If the value of the Verify Client Certificate Revocation element is not enabled, this is a finding. |
| Fix Text (F-29073r1_fix) |
|---|
| Configure the web server to utilize an approved certificate validation process. |