The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates.
An XCCDF Rule
Description
<VulnDiscussion>TLS encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-218768r1022705_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Note: If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 10.0 server, and the IIS 10.0 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server. In this case, this requirement is Not Applicable.
Note: If this is a public-facing web server, this requirement is Not Applicable.
Note: If this server is hosting WSUS, this requirement is Not Applicable.
Note: If the server being reviewed is hosting SharePoint, this is Not Applicable.
Follow the procedures below for each site hosted on the IIS 10.0 web server: