IISW-SI-000203 - A private IIS 8.5 website must only accept Secure Socket Layer connections.

Information

Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled.

NIST SP 800-52 specifies the preferred configurations for government systems.

Solution

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.
Click the site name.
Double-click the 'SSL Settings' icon.
Select 'Require SSL' check box.
Select 'Apply' from the 'Actions' pane.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_8-5_Y23M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|II, CCI|CCI-000068, Rule-ID|SV-214446r903081_rule, STIG-ID|IISW-SI-000203, STIG-Legacy|SV-91475, STIG-Legacy|V-76779, Vuln-ID|V-214446

Plugin: Windows

Control ID: 0779bdf155c6f65b20b2a8a81f155d153deff770a4208713d6aa254f5620bcbe