Details
When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. User identities and passwords stored on the hard drive of the hosting hardware must be encrypted to protect the data from easily being discovered and used by an unauthorized user to access the hosted applications. The cryptographic libraries and functionality used to store and retrieve the user identifiers and passwords must be part of the web server.
Satisfies: SRG-APP-000429-WSR-000113, SRG-APP-000439-WSR-000151, SRG-APP-000441-WSR-000181, SRG-APP-000442-WSR-000182
Solution
Follow the procedures below for each site hosted on the IIS 10.0 web server:
Open the IIS 10.0 Manager.
Double-click the ‘SSL Settings’ icon under the ‘IIS’ section.
Select the ‘Require SSL’ setting.
Select the ‘Client Certificates Required’ setting.
Click ‘Apply’ in the ‘Actions’ pane.
Click the site under review.
Select ‘Configuration Editor’ under the ‘Management’ section.
From the ‘Section:’ drop-down list at the top of the configuration editor, locate ‘system.webServer/security/access’.
Click on the drop-down list for ‘sslFlags’.
Select the ‘Ssl128’ check box.
Click ‘Apply’ in the ‘Actions’ pane.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Windows.
References
- 800-53|SC-28(1)
- CAT|II
- CCI|CCI-002476
- Rule-ID|SV-218768r558649_rule
- STIG-ID|IIST-SI-000242
- STIG-Legacy|SV-109361
- STIG-Legacy|V-100257
- Vuln-ID|V-218768