IIST-SV-000153 - An IIS 10.0 web server must maintain the confidentiality of controlled information during transmission through the use of an approved Transport Layer Security (TLS) version - TLS version

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

TLS encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled.

NIST SP 800-52 specifies the preferred configurations for government systems.

Solution

Access the IIS 10.0 Web Server.

Navigate to:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

Create a REG_DWORD named 'DisabledByDefault' with a value of '0'.
Create a REG_DWORD named 'Enabled' with a value of '1'.

Navigate to:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

For each protocol:
Create a REG_DWORD named 'DisabledByDefault' with a value of '1'.
Create a REG_DWORD named 'Enabled' with a value of '0'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y24M07_STIG.zip

Item Details

References: CAT|I, CCI|CCI-002418, Rule-ID|SV-218821r961632_rule, STIG-ID|IIST-SV-000153, STIG-Legacy|SV-109281, STIG-Legacy|V-100177, Vuln-ID|V-218821

Plugin: Windows

Control ID: fcbdcdf486cbd1f1fe5a05fcc5d2fdc79271650fb4fca95aa5f25634bf8cfb48