Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6531 | WG140 IIS7 | SV-32380r4_rule | | Medium |
Description |
---|
A DoD private website must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private websites. |
STIG | Date |
---|---|
IIS 7.0 WEB SITE STIG | 2017-12-21 |
Check Text ( C-32933r3_chk ) |
---|
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the SSL Settings icon. 4. Ensure Clients Certificate Required is checked. If not, this is a finding. NOTE: If the site has operational reasons to leave Clients Certificate Required unchecked, this vulnerability can be documented locally by the ISSM/ISSO. |
Fix Text (F-28970r2_fix) |
---|
1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the SSL Settings icon. 4. Click the Clients Certificate Required button. |
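The same check and fix can be scripted for every site on a host instead of clicking through IIS Manager. The script below is an added example, not part of the STIG or of IIS; it assumes appcmd.exe at its default path on an IIS 7.0 host and an elevated PowerShell session, and it treats the SslRequireCert flag in the site's system.webServer/security/access section as the equivalent of the GUI's Clients Certificate Required setting.

```powershell
# Added audit/remediation example (not STIG or Microsoft code). Assumes appcmd.exe at
# its default location and an elevated session on an IIS 7.0 server.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

function Test-WG140 {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [switch]$Remediate   # apply the Fix Text equivalent when the site is a finding
    )
    # appcmd prints the effective <access sslFlags="..."/> element for the site.
    $out = & $appcmd list config "$SiteName" -section:system.webServer/security/access
    $flags = if (($out -join ' ') -match 'sslFlags="([^"]*)"') { $Matches[1] } else { '' }

    # sslFlags is a comma-separated list such as "Ssl, SslNegotiateCert, SslRequireCert".
    # The GUI's "Clients Certificate Required" corresponds to the SslRequireCert flag.
    $compliant = ($flags -split ',\s*') -contains 'SslRequireCert'

    if (-not $compliant -and $Remediate) {
        # Equivalent of the Fix Text: require SSL, negotiate and require the client cert.
        # /commit:apphost writes to applicationHost.config, where the access section
        # is normally locked against web.config overrides.
        & $appcmd set config "$SiteName" -section:system.webServer/security/access `
            /sslFlags:"Ssl,SslNegotiateCert,SslRequireCert" /commit:apphost | Out-Null
        $out = & $appcmd list config "$SiteName" -section:system.webServer/security/access
        $flags = if (($out -join ' ') -match 'sslFlags="([^"]*)"') { $Matches[1] } else { '' }
        $compliant = ($flags -split ',\s*') -contains 'SslRequireCert'
    }

    [pscustomobject]@{
        Site     = $SiteName
        SslFlags = $flags
        Status   = if ($compliant) { 'Compliant' } else { 'FINDING (V-6531)' }
    }
}

# Audit every site on the host; add -Remediate to Test-WG140 to apply the fix.
& $appcmd list site /text:name | ForEach-Object { Test-WG140 -SiteName $_ } | Format-Table -AutoSize
```

Sites with a documented ISSM/ISSO exception still show as FINDING here; the script reports configuration state only and does not track local documentation.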