Skip to content

A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.

An XCCDF Rule

Description

<VulnDiscussion>A DoD private website must use PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private websites. Satisfies: SRG-APP-000172-WSR-000104, SRG-APP-000224-WSR-000135, SRG-APP-000427-WSR-000186</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-218749r1022683_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Note: If the server being reviewed is a public IIS 10.0 web server, this is Not Applicable.
Note: If the server being reviewed is hosting SharePoint, this is Not Applicable.
Note: If certificate handling is performed at the Proxy/Load Balancer, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 10.0 web server: