The IIS 10.0 web server must perform RFC 5280-compliant certification path validation.

An XCCDF Rule

Description

This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the website to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance the use of the certificate is valid, and therefore the entire purpose of using a certificate is compromised.

Documentable: false

ID
SV-218800r879612_rule
Severity
Medium

Remediation - Manual Procedure

Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Double-click the "Server Certificate" icon.
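
The properties the description calls out (issuer, validity period, and a valid certification path) can also be read from PowerShell for every HTTPS binding on the server. This is an added example, not part of the STIG text; the function name `Test-BoundCertificate` and the `$ExpectedIssuerPattern` default are assumptions, and the pattern must be replaced with the issuing CA names your organization accepts.

```powershell
# Added example: audit the certificates bound to HTTPS sites in IIS.
# Assumption: the default issuer pattern is a placeholder, not a value from the STIG.
param(
    [string]$ExpectedIssuerPattern = '*DoD*'
)

Import-Module WebAdministration

function Test-BoundCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$IssuerPattern
    )
    # X509Chain builds and validates the certification path to a trusted root,
    # including revocation checks for every element when requested.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $pathValid = $chain.Build($Certificate)
    $now = Get-Date

    [pscustomobject]@{
        Subject         = $Certificate.Subject
        Issuer          = $Certificate.Issuer
        NotAfter        = $Certificate.NotAfter
        OutsideValidity = ($now -gt $Certificate.NotAfter) -or ($now -lt $Certificate.NotBefore)
        IssuerMatches   = $Certificate.Issuer -like $IssuerPattern
        PathValid       = $pathValid
        # Empty when the path validated; otherwise the reasons (e.g. UntrustedRoot, Revoked).
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

foreach ($binding in Get-WebBinding -Protocol https) {
    # Bindings record the store name and thumbprint of the certificate they serve.
    $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
    $cert  = Get-Item -Path "Cert:\LocalMachine\$store\$($binding.certificateHash)" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "No certificate found for binding $($binding.bindingInformation)"
        continue
    }
    Test-BoundCertificate -Certificate $cert -IssuerPattern $ExpectedIssuerPattern |
        Add-Member -NotePropertyName Binding -NotePropertyValue $binding.bindingInformation -PassThru
}
```

Any row with `OutsideValidity` true, `IssuerMatches` false, or `PathValid` false identifies a binding to review against this rule.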