UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

A private websites authentication mechanism must use client certificates to transmit session identifier to assure integrity.


Overview

Finding ID Version Rule ID IA Controls Severity
V-76809 IISW-SI-000220 SV-91505r1_rule Medium
Description
A DoD private website must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private websites. Satisfies: SRG-APP-000172-WSR-000104, SRG-APP-000224-WSR-000135, SRG-APP-000427-WSR-000186
STIG Date
IIS 8.5 Site Security Technical Implementation Guide 2018-09-18

Details

Check Text ( C-76465r2_chk )
Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Double-click the "SSL Settings" icon.

Verify the "Clients Certificate Required" check box is selected.

If the "Clients Certificate Required" check box is not selected, this is a finding.
Fix Text (F-83505r1_fix)
Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Double-click the "SSL Settings" icon.

Verify the "Clients Certificate Required" check box is selected.

Select "Apply" from the "Actions" pane.