Details

Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.

Solution

Set the SSLVerifyClient directive to ‘require’.

Supportive Information

The following resource is also helpful.

• https://iasecontent.disa.mil/stigs/zip/U_Apache_2-2_WIN_V1R13_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Windows.

References

• 800-53|SC-8(1)
• CAT|II
• Rule-ID|SV-33106r1_rule
• STIG-ID|WG140_W22
• Vuln-ID|V-6531

Source

• Tenable.com/audits