IIST-SI-000242 - The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates.

Information

When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. User identities and passwords stored on the hard drive of the hosting hardware must be encrypted to protect the data from easily being discovered and used by an unauthorized user to access the hosted applications. The cryptographic libraries and functionality used to store and retrieve the user identifiers and passwords must be part of the web server.

Satisfies: SRG-APP-000429-WSR-000113, SRG-APP-000439-WSR-000151, SRG-APP-000441-WSR-000181, SRG-APP-000442-WSR-000182

Solution

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Double-click the 'SSL Settings' icon under the 'IIS' section.

Select the 'Require SSL' setting.

Select the 'Client Certificates Required' setting.

Click 'Apply' in the 'Actions' pane.

Click the site under review.

Select 'Configuration Editor' under the 'Management' section.

From the 'Section:' drop-down list at the top of the configuration editor, locate 'system.webServer/security/access'.

Click on the drop-down list for 'sslFlags'.

Select the 'Ssl128' check box.

Click 'Apply' in the 'Actions' pane.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y20M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13, CAT|II, CCI|CCI-002476, Rule-ID|SV-218768r558649_rule, STIG-ID|IIST-SI-000242, STIG-Legacy|SV-109361, STIG-Legacy|V-100257, Vuln-ID|V-218768

Plugin: Windows

Control ID: 2945762d97a0f2a677ed9a5fffbb94c36e48547385c4929806570be352c2850c