UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

A private IIS 8.5 website must only accept Secure Socket Layer connections.


Overview

Finding ID Version Rule ID IA Controls Severity
V-76779 IISW-SI-000203 SV-91475r2_rule Medium
Description
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2-approved TLS versions include TLS V1.1 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.
STIG Date
IIS 8.5 Site Security Technical Implementation Guide 2019-01-08

Details

Check Text ( C-76435r2_chk )
Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.
Note: If SSL is installed on load balancer through which traffic is routed to the IIS 8.5 server, and the IIS 8.5 server ONLY receives traffic from the load balancer, the SSL requirement must be met on the load balancer.
Follow the procedures below for each site hosted on the IIS 8.5 web server:
Open the IIS 8.5 Manager.
Click the site name.
Double-click the "SSL Settings" icon.
Verify "Require SSL" check box is selected.
If the "Require SSL" check box is not selected, this is a finding.
Fix Text (F-83475r1_fix)
Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name.

Double-click the "SSL Settings" icon.

Select "Require SSL" check box.

Select "Apply" from the "Actions" pane.