Information
Basic Authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted, especially in cases where the site is publicly accessible. It is recommended that TLS be configured and required for any Site or Application using Basic Authentication.
Rationale:
Credentials sent in clear text can be easily intercepted by malicious code or persons. Enforcing the use of Transport Layer Security will help reduce the chance of credentials being hijacked.
Impact:
Credentials will not be passed across the network in plain text.
Solution
To protect Basic Authentication with transport layer security:
Open IIS Manager
In the Connections pane on the left, select the server to be configured
In the Connections pane, expand the server, then expand Sites and select the site to be configured
In the Actions pane, click Bindings; the Site Bindings dialog appears
If an HTTPS binding is available, click Close and see below 'To require SSL'
If no HTTPS binding is visible, perform the following steps
To add an HTTPS binding:
In the Site Bindings dialog, click Add; the Add Site Binding dialog appears
Under Type, select https
Under SSL certificate, select an X.509 certificate
Click OK, then close
To require SSL:
In Features View, double-click SSL Settings
On the SSL Settings page, select Require SSL.
In the Actions pane, click Apply
OR
Enter the following command in PowerShell to configure:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location '<website name>' -filter 'system.webServer/security/access' -name 'sslFlags' -value 'Ssl'
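To verify the result across a server, the following read-only audit lists every site that has Basic Authentication enabled and reports whether it has an HTTPS binding and whether Require SSL is set. It is an added example, not part of the original benchmark text; the function name Test-BasicAuthTls is hypothetical, and the script assumes the WebAdministration module is available and that sslFlags is returned as a comma-separated string of flag names.

```powershell
# Added example: read-only audit. Run in an elevated session on the IIS server.
Import-Module WebAdministration

function Test-BasicAuthTls {
    [CmdletBinding()]
    param(
        # Same configuration path used by the remediation command
        [string]$PSPath = 'MACHINE/WEBROOT/APPHOST'
    )

    foreach ($site in Get-Website) {
        # Is Basic Authentication enabled at the site level?
        $basic = (Get-WebConfigurationProperty -PSPath $PSPath -Location $site.Name `
            -Filter 'system.webServer/security/authentication/basicAuthentication' `
            -Name 'enabled').Value
        if (-not $basic) { continue }   # control only applies where Basic auth is on

        # Assumption: sslFlags comes back as flag names, e.g. "Ssl" or "Ssl,Ssl128"
        $raw = Get-WebConfigurationProperty -PSPath $PSPath -Location $site.Name `
            -Filter 'system.webServer/security/access' -Name 'sslFlags'
        $flags = @("$raw" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

        # Require SSL is only useful if the site actually has an HTTPS binding
        $https = @(Get-WebBinding -Name $site.Name -Protocol 'https')

        $hasHttps   = $https.Count -gt 0
        $requireSsl = $flags -contains 'Ssl'

        [pscustomobject]@{
            Site         = $site.Name
            BasicAuth    = $true
            HttpsBinding = $hasHttps
            SslFlags     = ($flags -join ',')
            RequireSsl   = $requireSsl
            Compliant    = ($hasHttps -and $requireSsl)
        }
    }
}

# Show every Basic-auth site; rows with Compliant = False still need the steps above
Test-BasicAuthTls | Format-Table -AutoSize
```

The check reads site-level configuration only; applications or virtual directories that enable Basic Authentication on their own need the same query run with their location path.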
Default Value:
Transport Layer Security is not enabled by default when Basic Authentication is configured.