Details

Without the use of a certificate validation process, the site is vulnerable to accepting certificates that have expired or have been revoked. This would allow unauthorized individuals access to the web server. This also defeats the purpose of the multi-factor authentication provided by the PKI process.

Solution

Configure DoD Private Web Servers to conduct certificate revocation checking utilizing certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP).

Supportive Information

The following resource is also helpful.

• https://iasecontent.disa.mil/stigs/zip/U_Apache_2-2_WIN_V1R13_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Windows.

References

• 800-53|SC-13.
• CAT|II
• Rule-ID|SV-33065r2_rule
• STIG-ID|WG145_W22
• Vuln-ID|V-13672

Source

• Tenable.com/audits