2.6 Ensure transport layer security for 'basic authentication' is configured

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Basic Authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted, especially in cases where the site is publicly accessible and is recommended that TLS be configured and required for any Site or Application using Basic Authentication.
Rationale:
Credentials sent in clear text can be easily intercepted by malicious code or persons. Enforcing the use of Transport Layer Security will help mitigate the chances of hijacked credentials.

Solution

To protect Basic Authentication with transport layer security:
1. Open IIS Manager
2. In the Connections pane on the left, select the server to be configured
3. In the Connections pane, expand the server, then expand Sites and select the site to be configured
4. In the Actions pane, click Bindings; the Site Bindings dialog appears
5. If an HTTPS binding is available, click Close and see below 'To require SSL'
6. If no HTTPS binding is visible, perform the following steps
To add an HTTPS binding:
1. In the Site Bindings dialog, click Add; the Add Site Binding dialog appears
2. Under Type, select https
3. Under SSL certificate, select an X.509 certificate
4. Click OK, then close
To require SSL:
1. In Features View, double-click SSL Settings
2. On the SSL Settings page, select Require SSL.
3. In the Actions pane, click Apply
OR
Enter the following command in PowerShell to configure:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location '<website name>' -filter 'system.webServer/security/access' -name 'sslFlags' -value 'Ssl'
Default Value:
Transport Layer Security is not enabled by default when Basic Authentication is configured.

See Also

https://workbench.cisecurity.org/files/2297