2.3 Ensure 'forms authentication' require SSL - Applications

Information

Forms-based authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted using SSL, especially in cases where the site is publicly accessible. It is recommended that communications with any portion of a site using Forms Authentication be encrypted using SSL.

NOTE Due to identified security vulnerabilities, SSL no longer provides adequate protection for a sensitive information.

Rationale:

Requiring SSL for Forms Authentication will protect the confidentiality of credentials during the login process, helping mitigate the risk of stolen user information.

Impact:

None.

Solution

Open IIS Manager and navigate to the appropriate tier

In Features View, double-click Authentication

On the Authentication page, select Forms Authentication

In the Actions pane, click Edit

Check the Requires SSL checkbox in the cookie settings section, click OK

OR

Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd set config -section:system.web/authentication /mode:Forms

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -filter 'system.web/authentication/forms' -name 'requireSSL' -value 'True'

Default Value:

SSL is not required when Forms Authentication is enabled.

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Windows

Control ID: e5c2d9de86850d1b1a99e96becc5ec81087adeceb1f540db7487cbcc4f28b681