A private IIS 8.5 website must only accept Secure Socket Layer connections.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-76779	IISW-SI-000203	SV-91475r2_rule		Medium

Description
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2-approved TLS versions include TLS V1.1 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.

Description

Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2-approved TLS versions include TLS V1.1 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.

STIG	Date
IIS 8.5 Site Security Technical Implementation Guide	2019-01-08

Details

Check Text ( C-76435r2_chk )
Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. Note: If SSL is installed on load balancer through which traffic is routed to the IIS 8.5 server, and the IIS 8.5 server ONLY receives traffic from the load balancer, the SSL requirement must be met on the load balancer. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Double-click the "SSL Settings" icon. Verify "Require SSL" check box is selected. If the "Require SSL" check box is not selected, this is a finding.

Check Text ( C-76435r2_chk )

Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.
Note: If SSL is installed on load balancer through which traffic is routed to the IIS 8.5 server, and the IIS 8.5 server ONLY receives traffic from the load balancer, the SSL requirement must be met on the load balancer.
Follow the procedures below for each site hosted on the IIS 8.5 web server:
Open the IIS 8.5 Manager.
Click the site name.
Double-click the "SSL Settings" icon.
Verify "Require SSL" check box is selected.
If the "Require SSL" check box is not selected, this is a finding.

Fix Text (F-83475r1_fix)
Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Double-click the "SSL Settings" icon. Select "Require SSL" check box. Select "Apply" from the "Actions" pane.