Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-214436 | IISW-SV-000153 | SV-214436r879810_rule | High |
Description |
---|
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. |
STIG | Date |
---|---|
Microsoft IIS 8.5 Server Security Technical Implementation Guide | 2022-12-09 |
Check Text ( C-15646r850607_chk ) |
---|
Access the IIS 8.5 Web Server. Access an administrator command prompt and type "regedit Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Verify a REG_DWORD value of "1" for "Enabled" Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server Verify a REG_DWORD value of "1" for "DisabledByDefault" for each protocol. Verify a REG_DWORD value of "0" for "Enabled" for each protocol. If any of the respective registry paths do not exist or are configured with the wrong value, this is a finding. |
Fix Text (F-15644r850608_fix) |
---|
Access the IIS 8.5 Web Server. Access an administrator command prompt and type "regedit Navigate to the following registry paths and configure the REG_DWORD with the appropriate values: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server With a REG_DWORD value of "1" for "Enabled" HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server With a REG_DWORD value of "1" for "DisabledByDefault" With a REG_DWORD value of "0" for "Enabled" |