WG145 IIS6 - The private web server must use an approved DoD certificate validation process. - 'Check W3SVC CertCheckMode'

Information

Without the use of a certificate validation process, the site is vulnerable to accepting expired or revoked certificates. This would allow unauthorized individuals access to the web server. This also defeats the purpose of the multi-factor authentication provided by the PKI process.
NOTE: This check reviews the web service, because the web sites do not have 'CertCheckMode' enabled.

Solution

Configure the DoD Private Web Server to conduct certificate revocation checking.

See Also

http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2), CAT|II, Rule-ID|SV-28796r1_rule, STIG-ID|WG145_IIS6, Vuln-ID|V-13672

Plugin: Windows

Control ID: 31582ab8a76b5082c9da85b5cd099a8169f5d3410ac8a8571b2adab6acb6d6ab