STIGQter STIGQter: STIG Summary: Microsoft IIS 8.5 Site Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

A private websites authentication mechanism must use client certificates to transmit session identifier to assure integrity.

DISA Rule

SV-214460r508659_rule

Vulnerability Number

V-214460

Group Title

SRG-APP-000172-WSR-000104

Rule Version

IISW-SI-000220

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.
Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding.

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.
Double-click the "SSL Settings" icon.
Verify the "Clients Certificate Required" check box is selected.
Select "Apply" from the "Actions" pane.

Check Contents

Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.
Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding.

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.
Double-click the "SSL Settings" icon.
Verify the "Clients Certificate Required" check box is selected.

If the "Clients Certificate Required" check box is not selected, this is a finding.

Vulnerability Number

V-214460

Documentable

False

Rule Version

IISW-SI-000220

Severity Override Guidance

Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.
Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding.

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.
Double-click the "SSL Settings" icon.
Verify the "Clients Certificate Required" check box is selected.

If the "Clients Certificate Required" check box is not selected, this is a finding.

Check Content Reference

M

Target Key

4001

Comments