WG340 IIS6 - A private web server must utilize an approved TLS version. - 'SSL Enabled'

Information

Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled.

FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.

Solution

1. Obtain and install a server certificate from a .mil Certificate Authority or approved DoD ECA.
2. Open the IIS Manager > right click on the website to be examined > select properties > select the Directory Security tab > select the Edit button in the Secure communications section.
3. Select Require secure channel (SSL) and Require 128-bit encryption check boxes.
4. Set the permitted SSL/TLS versions by creating and setting the following registry keys so that nothing lower than TLS is allowed. Ensure the following value exists in each of the keys:

Enabled REG_DWORD 0

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

The keys for TLS 1.0 do not require the Enabled value to be present, but if it is, it needs to be set to REG_DWORD 1, to enable TLS.
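The registry checks in step 4, written out as an added PowerShell audit script; it is not part of the STIG or of the Tenable plugin. It assumes it runs in an elevated PowerShell on the IIS 6 host, reports each key whose Enabled value does not match the rule above, and with -Remediate writes the required values.

```powershell
# Added audit/remediation script for WG340, not from the STIG or the Tenable plugin.
# Run elevated on the IIS 6 host; pass -Remediate to write the required values.
param([switch]$Remediate)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$mustBeDisabled = @('PCT 1.0', 'SSL 2.0', 'SSL 3.0')   # Enabled must be REG_DWORD 0

function Get-SchannelEnabled {
    param([string]$Protocol, [string]$Side)
    $path = Join-Path $base "$Protocol\$Side"
    $item = Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }      # key or Enabled value is absent
    return [int]$item.Enabled
}

function Set-SchannelEnabled {
    param([string]$Protocol, [string]$Side, [int]$Value)
    $path = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name Enabled -PropertyType DWord -Value $Value -Force | Out-Null
}

$findings = @()
foreach ($proto in $mustBeDisabled) {
    foreach ($side in 'Client', 'Server') {
        $value = Get-SchannelEnabled -Protocol $proto -Side $side
        if ($value -ne 0) {                    # $null (missing) is also a finding
            $shown = if ($null -eq $value) { 'absent' } else { $value }
            $findings += "$proto\$side : Enabled is $shown (expected REG_DWORD 0)"
            if ($Remediate) { Set-SchannelEnabled -Protocol $proto -Side $side -Value 0 }
        }
    }
}

# TLS 1.0 keys: Enabled may be absent, but if present it must be 1.
foreach ($side in 'Client', 'Server') {
    $value = Get-SchannelEnabled -Protocol 'TLS 1.0' -Side $side
    if ($null -ne $value -and $value -ne 1) {
        $findings += "TLS 1.0\$side : Enabled is $value (must be 1 if present)"
        if ($Remediate) { Set-SchannelEnabled -Protocol 'TLS 1.0' -Side $side -Value 1 }
    }
}

if ($findings.Count -eq 0) { Write-Output 'PASS: no SCHANNEL findings for WG340' }
else { Write-Output 'FAIL:'; $findings | ForEach-Object { Write-Output "  $_" } }
if ($Remediate -and $findings.Count -gt 0) { Write-Output 'Values written; reboot so SCHANNEL reloads them.' }
```

SCHANNEL reads these keys at startup, so a result of PASS only reflects what the next reboot will enforce.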

See Also

http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8(1), CAT|II, Rule-ID|SV-28468r2_rule, STIG-ID|WG340_IIS6, Vuln-ID|V-2262

Plugin: Windows

Control ID: 28b360c1a00b35147b0bb4526bb94dea38398aafb2a9ba3f5f16af620361c13f