Details
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled.
NIST SP 800-52 specifies the preferred configurations for government systems.
Solution
Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. (This requirement is written for private web servers, as the Details above state.)
Note: If the server is hosting WSUS, this is Not Applicable.
Follow the procedures below for each site hosted on the IIS 8.5 web server:
Open the IIS 8.5 Manager.
Click the site name.
Double-click the ‘SSL Settings’ icon.
Select ‘Require SSL’ check box.
Select ‘Apply’ from the ‘Actions’ pane.
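The IIS Manager steps above set the site's sslFlags attribute (system.webServer/security/access) to include Ssl. The following PowerShell script is an added example, not part of the STIG text: it audits every site on the server for that flag using the WebAdministration module (the PowerShell counterpart of IIS Manager) and, with -Remediate, applies it. The $Exclude parameter is an assumption of this script, meant for sites the notes above exempt, such as a WSUS site; it is not something the STIG defines.

```powershell
# Added example (not from the STIG): audit, and optionally enforce, "Require SSL"
# on every IIS 8.5 site. Run in an elevated session on the web server.
# Assumed parameters: -Remediate applies the fix; -Exclude names sites to skip.
param(
    [switch]$Remediate,
    [string[]]$Exclude = @()
)

Import-Module WebAdministration

$results = foreach ($site in Get-Website) {
    if ($Exclude -contains $site.Name) { continue }

    $psPath = "IIS:\Sites\$($site.Name)"

    # sslFlags is what the "SSL Settings" page writes, e.g. "None", "Ssl",
    # or "Ssl,SslNegotiateCert". "Ssl" is the Require SSL check box.
    $access   = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/security/access'
    $flagList = @(("$($access.sslFlags)" -split ',') | ForEach-Object { $_.Trim() } |
                  Where-Object { $_ -and $_ -ne 'None' })
    $requireSsl = $flagList -contains 'Ssl'

    # Require SSL is only meaningful with an https binding; without one every
    # request is refused with HTTP 403.4, so the check is reported separately.
    $hasHttps = [bool]($site.Bindings.Collection | Where-Object { $_.protocol -eq 'https' })

    if ($Remediate -and -not $requireSsl -and $hasHttps) {
        # Keep any client-certificate flags already present, just add Ssl.
        $newFlags = @('Ssl') + $flagList | Select-Object -Unique
        Set-WebConfigurationProperty -PSPath $psPath `
            -Filter 'system.webServer/security/access' `
            -Name 'sslFlags' -Value ($newFlags -join ',')
        $requireSsl = $true
    }

    [pscustomobject]@{
        Site         = $site.Name
        HttpsBinding = $hasHttps
        RequireSsl   = $requireSsl
        Finding      = if ($requireSsl) { 'Compliant' }
                       elseif (-not $hasHttps) { 'Open - add an https binding before requiring SSL' }
                       else { 'Open' }
    }
}

$results | Format-Table -AutoSize
```

Run it once without -Remediate to see which sites are open findings, then again with -Remediate after confirming each open site has a valid https binding. Note that this script enforces only the Require SSL setting covered by this rule; which protocol versions the server negotiates (the TLS and SSL versions mentioned in the Details) is governed by the Schannel configuration, not by the per-site setting changed here.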
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Windows.
References
- 800-53|AC-17(2)
- CAT|II
- CCI|CCI-000068
- Rule-ID|SV-214447r539448_rule
- STIG-ID|IISW-SI-000204
- STIG-Legacy|SV-91477
- STIG-Legacy|V-76781
- Vuln-ID|V-214447