Details
A DoD private website must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private websites.
Satisfies: SRG-APP-000172-WSR-000104, SRG-APP-000224-WSR-000135, SRG-APP-000427-WSR-000186
Solution
Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable.
Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding.
Follow the procedures below for each site hosted on the IIS 8.5 web server:
Open the IIS 8.5 Manager.
Double-click the ‘SSL Settings’ icon.
Verify the ‘Clients Certificate Required’ check box is selected.
Select ‘Apply’ from the ‘Actions’ pane.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication, System and Communications Protection.This control applies to the following type of system Windows.
References
- 800-53|IA-5(1)(c)
- 800-53|SC-23(3)
- 800-53|SC-23(5)
- CAT|II
- CCI|CCI-000197
- CCI|CCI-001188
- CCI|CCI-002470
- Rule-ID|SV-214460r508659_rule
- STIG-ID|IISW-SI-000220
- STIG-Legacy|SV-91505
- STIG-Legacy|V-76809
- Vuln-ID|V-214460