Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-76779 | IISW-SI-000203 | SV-91475r2_rule | Medium |
Description |
---|
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2-approved TLS versions include TLS V1.1 or greater. NIST SP 800-52 specifies the preferred configurations for government systems. |
STIG | Date |
---|---|
IIS 8.5 Site Security Technical Implementation Guide | 2019-03-20 |
Check Text ( C-76435r2_chk ) |
---|
Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. Note: If SSL is installed on load balancer through which traffic is routed to the IIS 8.5 server, and the IIS 8.5 server ONLY receives traffic from the load balancer, the SSL requirement must be met on the load balancer. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Double-click the "SSL Settings" icon. Verify "Require SSL" check box is selected. If the "Require SSL" check box is not selected, this is a finding. |
Fix Text (F-83475r1_fix) |
---|
Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Double-click the "SSL Settings" icon. Select "Require SSL" check box. Select "Apply" from the "Actions" pane. |