STIGQter: STIG Summary: Microsoft IIS 10.0 Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The IIS 10.0 web server must perform RFC 5280-compliant certification path validation.

DISA Rule

SV-218800r561041_rule

Vulnerability Number

V-218800

Group Title

SRG-APP-000175-WSR-000095

Rule Version

IIST-SV-000129

Severity

CAT II

CCI(s)

• CCI-000185 - The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Weight

10

Fix Recommendation

Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Double-click the "Server Certificate" icon.

Import a valid DoD certificate and remove any non-DoD certificates.

Check Contents

Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Double-click the "Server Certificate" icon.

Double-click each certificate and verify the certificate path is to a DoD root CA.

If the “Issued By” field of the PKI certificate being used by the IIS 10.0 server/site does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding.

Vulnerability Number

V-218800

Documentable

False

Rule Version

IIST-SV-000129

Severity Override Guidance

Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Double-click the "Server Certificate" icon.

Double-click each certificate and verify the certificate path is to a DoD root CA.

If the “Issued By” field of the PKI certificate being used by the IIS 10.0 server/site does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding.

Check Content Reference

M

Target Key

4052

Comments