STIGQter: STIG Summary: Microsoft IIS 8.5 Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

An IIS 8.5 web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.

DISA Rule

SV-214436r695334_rule

Vulnerability Number

V-214436

Group Title

SRG-APP-000439-WSR-000156

Rule Version

IISW-SV-000153

Severity

CAT I

CCI(s)

• CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.

Weight

10

Fix Recommendation

Access the IIS 8.5 Web Server.

Access an administrator command prompt and type "regedit <enter>" to access the server's registry.

Navigate to the following registry paths and configure the REG_DWORD with the appropriate values:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

With a REG_DWORD value of "1" for "Enabled"

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

With a REG_DWORD value of "1" for "DisabledByDefault"

With a REG_DWORD value of "0" for "Enabled"

Check Contents

Access the IIS 8.5 Web Server.

Access an administrator command prompt and type "regedit <enter>" to access the server's registry.

Navigate to:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

Verify a REG_DWORD value of "1" for "Enabled"

Navigate to:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

Verify a REG_DWORD value of "1" for "DisabledByDefault" for each protocol.

Verify a REG_DWORD value of "0" for "Enabled" for each protocol.


If any of the respective registry paths do not exist or are configured with the wrong value, this is a finding.

Vulnerability Number

V-214436

Documentable

False

Rule Version

IISW-SV-000153

Severity Override Guidance

Access the IIS 8.5 Web Server.

Access an administrator command prompt and type "regedit <enter>" to access the server's registry.

Navigate to:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

Verify a REG_DWORD value of "1" for "Enabled"

Navigate to:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

Verify a REG_DWORD value of "1" for "DisabledByDefault" for each protocol.

Verify a REG_DWORD value of "0" for "Enabled" for each protocol.


If any of the respective registry paths do not exist or are configured with the wrong value, this is a finding.

Check Content Reference

M

Target Key

4000

Comments