IIST-SI-000203 - A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled.

NIST SP 800-52 specifies the preferred configurations for government systems.

Solution

Note: If the server being reviewed is a public IIS 10.0 web server, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name.

Double-click the 'SSL Settings' icon.

Select 'Require SSL' check box.

Select 'Apply' from the 'Actions' pane.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y22M01_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000068, Rule-ID|SV-218737r558649_rule, STIG-ID|IIST-SI-000203, STIG-Legacy|SV-109299, STIG-Legacy|V-100195, Vuln-ID|V-218737

Plugin: Windows

Control ID: 8a439aaea9f82a948f1f6f706bef7d4ad380e83b6cbec0b9ee2172e46e231c22