Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6531 | WG140 IIS7 | SV-32380r3_rule | IATS-1 IATS-2 | Medium |
Description |
---|
A DoD private web-site must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private web-sites. |
STIG | Date |
---|---|
IIS 7.0 WEB SITE STIG | 2015-06-01 |
Check Text ( C-32933r2_chk ) |
---|
1. Open the IIS Manager. 2. Click the site name under review. 3. Double click the SSL icon. 4. Ensure Clients Certificate Required is checked. If not, this is a finding. NOTE: If the site has operational reasons to set Clients Certificate Required to unchecked, this vulnerability can be documented locally by the ISSM/ISSO. |
Fix Text (F-28970r1_fix) |
---|
1. Open the IIS Manager. 2. Click the site name under review. 3. Double click the SSL icon. 4. Click Clients Certificate Required button. |