A web server that utilizes PKI as an authentication mechanism must utilize subscriber certificates issued from a DoD-authorized Certificate Authority.


Overview

Finding ID:   V-6531
Version:      WG140
Rule ID:      SV-6627r3_rule
IA Controls:  IATS-1, IATS-2
Severity:     Medium
Description
A DoD private web server, existing within and available across the NIPRNet, must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions.
STIG:         Web Server STIG
Date:         2010-10-07

Details

Check Text (C-29008r1_chk)
The following checks are only necessary if the web server utilizes PKI for authentication. Please note the requirements for the utilization of PKI in the vulnerability discussion.

If PKI is not utilized, the finding is Not Applicable.

Query the IAO, the SA, the web administrator, or developers as necessary to determine if the web server is configured to require DoD-authorized PKI certificates for access.

The web administrator should be questioned to determine if DoD-authorized PKI certificates are being utilized for access to the web server.

Ask for a list of URLs for web sites on the server and try to access random URLs from another machine.

If, upon accessing the private web site, a prompt for a PKI certificate does not appear, this is a finding.
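The "prompt for a PKI certificate" in the check above is a TLS CertificateRequest from the server, which can be observed from another machine with `openssl s_client`. The following added example (not part of the STIG or the UCF viewer) classifies captured `s_client` output by whether a certificate was requested and whether the CAs the server will accept include a DoD CA; the hostname in the comment and the CA subjects in the sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output for the PKI check.
# Capture real output with (hostname is a placeholder):
#   openssl s_client -connect private.example.mil:443 </dev/null 2>/dev/null

# Print the subjects under "Acceptable client certificate CA names",
# one per line; print nothing if the block is absent. Handles both the
# OpenSSL 1.1.1+ layout (next heading) and the 1.0.x layout ("---").
client_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { in_block = 1; next }
        in_block && /^(Client Certificate Types|Requested Signature|Shared Requested|Peer signing digest|Server Temp Key|---)/ { exit }
        in_block { print }
    '
}

# Reads s_client output on stdin. Exit status:
#   0  server requested a certificate and lists a DoD CA
#   1  server requested a certificate but lists no DoD CA
#   2  no certificate request observed (a finding under this check)
# Caveat: a server that requests a certificate without naming any CAs
# also prints "No client certificate CA names sent", so confirm a 2 in
# a browser before recording it as a finding.
check_pki_required() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^No client certificate CA names sent'; then
        return 2
    fi
    cas=$(printf '%s\n' "$out" | client_ca_names)
    if [ -z "$cas" ]; then
        return 2
    fi
    # DoD PKI subjects carry OU=DoD (printed "OU = DoD" by newer OpenSSL).
    if printf '%s\n' "$cas" | grep -qE 'OU ?= ?DoD'; then
        return 0
    fi
    return 1
}

# Constructed, abridged sample outputs used for the demonstration below.
SAMPLE_PROMPTED='---
Acceptable client certificate CA names
C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DOD EXAMPLE CA-00
C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DOD EXAMPLE EMAIL CA-00
Client Certificate Types: RSA sign, ECDSA sign
---'
SAMPLE_NO_PROMPT='---
No client certificate CA names sent
---'

if printf '%s\n' "$SAMPLE_PROMPTED" | check_pki_required; then
    echo "certificate prompt observed; a DoD CA is accepted"
fi
```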
Fix Text (F-26020r1_fix)
Configure the web site to require DoD-authorized PKI certificates for access.