
A private web-site's authentication mechanism must use client certificates.


Overview

Finding ID: V-6531
Version: WG140 IIS7
Rule ID: SV-32380r3_rule
IA Controls: IATS-1 IATS-2
Severity: Medium
Description
A DoD private web-site must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private web-sites.
STIG: IIS 7.0 WEB SITE STIG
Date: 2016-02-11

Details

Check Text (C-32933r2_chk)
1. Open the IIS Manager.
2. Click the site name under review.
3. Double click the SSL icon.
4. Ensure Clients Certificate Required is checked. If not, this is a finding.

NOTE: If the site has operational reasons to set Clients Certificate Required to unchecked, this vulnerability can be documented locally by the ISSM/ISSO.
Fix Text (F-28970r1_fix)
1. Open the IIS Manager.
2. Click the site name under review.
3. Double click the SSL icon.
4. Click the Clients Certificate Required button.
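The check and fix above as a scripted equivalent for auditing many sites at once. This is an added example, not part of the STIG text; it assumes the WebAdministration module (IIS 7.5 and later; on IIS 7.0 load the WebAdministration snap-in instead) and an elevated session, and the function name Test-ClientCertRequired is mine.

```powershell
# Added example (not from the STIG): audit, and optionally remediate, the
# "Clients Certificate Required" setting that the check/fix text sets via IIS Manager.
# Assumes the WebAdministration module and an elevated PowerShell session.
Import-Module WebAdministration

function Test-ClientCertRequired {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string[]] $SiteName,
        [switch] $Remediate
    )

    foreach ($name in $SiteName) {
        $psPath = "IIS:\Sites\$name"
        # The GUI's SSL Settings feature writes the sslFlags attribute of
        # system.webServer/security/access, e.g. "Ssl,SslNegotiateCert,SslRequireCert".
        $access  = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/security/access'
        $flags   = [string]$access.sslFlags
        $flagSet = $flags -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

        # "Require SSL" must be on for the client certificate setting to take effect,
        # so both flags are needed before the site passes V-6531.
        $requiresSsl  = $flagSet -contains 'Ssl'
        $requiresCert = $flagSet -contains 'SslRequireCert'
        $finding      = -not ($requiresSsl -and $requiresCert)

        if ($finding -and $Remediate) {
            # Equivalent of the fix text: tick Require SSL and Clients Certificate Required.
            Set-WebConfigurationProperty -PSPath $psPath `
                -Filter 'system.webServer/security/access' -Name 'sslFlags' `
                -Value 'Ssl,SslNegotiateCert,SslRequireCert'
            $flags   = 'Ssl,SslNegotiateCert,SslRequireCert'
            $finding = $false
        }

        [pscustomobject]@{
            Site          = $name
            SslFlags      = $flags
            V6531_Finding = $finding
        }
    }
}

# Report every site on the server; add -Remediate to apply the fix text to sites that fail.
Test-ClientCertRequired -SiteName (Get-Website | Select-Object -ExpandProperty Name) |
    Format-Table -AutoSize
```

Sites whose exception is documented locally by the ISSM/ISSO (per the NOTE in the check text) will still show V6531_Finding = True here, so keep that list alongside the report.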