SV-218821r561041_rule
V-218821
SRG-APP-000439-WSR-000156
IIST-SV-000153
CAT I
10
Access the IIS 10.0 Web Server.
Access an administrator command prompt and type "regedit <enter>" to access the server's registry.
Navigate to the following registry paths and configure the "DisabledByDefault" REG_DWORD with the appropriate values:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
With a REG_DWORD value of "0" for "DisabledByDefault"

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
With a REG_DWORD value of "1" for "DisabledByDefault"
With a REG_DWORD value of "0" for "Enabled"

Access the IIS 10.0 Web Server.
Access an administrator command prompt and type "regedit <enter>" to access the server's registry.
Navigate to:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
Verify a REG_DWORD value of "0" for "DisabledByDefault"

Navigate to:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
Verify a REG_DWORD value of "1" for "DisabledByDefault"
Verify a REG_DWORD value of "0" for "Enabled"

If any of the respective registry paths do not exist or are configured with the wrong value, this is a finding.
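
The check above expressed as a script, added here as an example and not part of the STIG text: it reads each SCHANNEL protocol key and flags a finding when a key or value is missing, is not a REG_DWORD, or holds the wrong value. The helper name Test-SchannelProtocol and the output columns are assumptions made for this example.

```powershell
# Added example (not STIG content): audits the SCHANNEL values named in the check text.
# Test-SchannelProtocol is a hypothetical helper name. Run on the IIS 10.0 server.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Expected values copied from the check text. "Enabled" is listed only for the legacy protocols.
$expected = [ordered]@{
    'TLS 1.2' = @{ DisabledByDefault = 0 }
    'TLS 1.0' = @{ DisabledByDefault = 1; Enabled = 0 }
    'TLS 1.1' = @{ DisabledByDefault = 1; Enabled = 0 }
    'SSL 2.0' = @{ DisabledByDefault = 1; Enabled = 0 }
    'SSL 3.0' = @{ DisabledByDefault = 1; Enabled = 0 }
}

function Test-SchannelProtocol {
    param([string]$Protocol, [hashtable]$Want)
    $path = "$base\$Protocol\Server"
    if (-not (Test-Path -LiteralPath $path)) {
        # A registry path that does not exist is a finding per the check text.
        return [pscustomobject]@{
            Protocol = $Protocol; Value = '(key)'; Expected = 'present'
            Actual = 'missing'; Finding = $true
        }
    }
    $key = Get-Item -LiteralPath $path
    foreach ($name in $Want.Keys) {
        $actual = $key.GetValue($name, $null)
        # GetValueKind throws on a missing value, so only call it when the value exists.
        $kind = if ($null -ne $actual) { $key.GetValueKind($name) } else { $null }
        $ok = ($null -ne $actual) -and ($kind -eq 'DWord') -and ($actual -eq $Want[$name])
        [pscustomobject]@{
            Protocol = $Protocol; Value = $name; Expected = $Want[$name]
            Actual = if ($null -eq $actual) { 'missing' } else { "$actual ($kind)" }
            Finding = -not $ok
        }
    }
}

$results = foreach ($p in $expected.Keys) {
    Test-SchannelProtocol -Protocol $p -Want $expected[$p]
}
$results | Format-Table -AutoSize

if ($results.Finding -contains $true) {
    'Result: FINDING (one or more SCHANNEL protocol settings are missing or wrong)'
} else {
    'Result: not a finding'
}
```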