UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The private web server must use an approved DoD certificate validation process.


Overview

Finding ID Version Rule ID IA Controls Severity
V-13672 WG145 IIS7 SV-32479r2_rule IATS-1 IATS-2 Medium
Description
The Certificate Revocation List (CRL) is used for a number of reasons, for example, when an employee leaves, certificates expire, or if certificate keys become compromised and are reissued. Without the use of a certificate validation process, the server is vulnerable to accepting expired or revoked certificates. This could allow unauthorized individuals access to the web server. The CRL is a repository comprised of revoked certificate data, usually from many contributing CRL sources. Sites using an Online Certificate Status Protocol (OCSP) rather than CRL download to validate certificates will have obtained and installed an OCSP validation application.
STIG Date
IIS 7.0 WEB SERVER STIG 2014-03-11

Details

Check Text ( C-32794r1_chk )
Verify Certificate Revocation List (CRL) validation is enabled on the server.
Open a Command Prompt and enter the following command:

netsh http show sslcert

Note the value assigned to the Verify Client Certificate Revocation element. If the value of the Verify Client Certificate Revocation element is not enabled, this is a finding.
Fix Text (F-29073r3_fix)
Using vendor documentation as guidance, reconfigure the web server to utilize certificate with an approved certificate validation process:
netsh http add sslcert

Alternatively, configure existing certificate to validate certifcate revocation:

Open registry, locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443\DefaultSslCertCheckMode
Modify the value to 0
Restart server