UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The IIS 8.5 web server must perform RFC 5280-compliant certification path validation.


Overview

Finding ID Version Rule ID IA Controls Severity
V-214415 IISW-SV-000129 SV-214415r879612_rule Medium
Description
This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the website to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.
STIG Date
Microsoft IIS 8.5 Server Security Technical Implementation Guide 2023-03-09

Details

Check Text ( C-15625r310293_chk )
Open the IIS 8.5 Manager.
Click the IIS 8.5 web server name.
Double-click the "Server Certificate" icon.
Double-click each certificate and verify the certificate path is to a DoD root CA.
If the “Issued By” field of the PKI certificate being used by the IIS 8.5 server/site does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding.
Fix Text (F-15623r310294_fix)
Open the IIS 8.5 Manager.

Click the IIS 8.5 web server name.

Double-click the "Server Certificate" icon.

Import a valid DoD certificate and remove any non-DoD certificates.