STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 23 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Microsoft IIS 10.0 Site Security Technical Implementation Guide

V-218749

CAT II (Medium)

A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.

Rule ID

SV-218749r1210386_rule

STIG

Microsoft IIS 10.0 Site Security Technical Implementation Guide

Version

V2R16

CCIs

CCI-000197CCI-001188CCI-002470

Discussion

A DOD private website must use PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private websites. Satisfies: SRG-APP-000172-WSR-000104, SRG-APP-000224-WSR-000135, SRG-APP-000427-WSR-000186

Check Content

Note: If any of the following is true, this requirement is Not Applicable:
- Authentication is offloaded to an external enterprise authentication mechanism that is performing certificate handling.
- The server being reviewed is a public IIS 10.0 web server.
- The server being reviewed is hosting SharePoint.
- The server being reviewed is hosting WSUS.
- Certificate handling is performed at the Proxy/Load Balancer.
- The server being reviewed is hosting Simple Certificate Enrollment Services (SCEP).
- The server being reviewed is hosting Network Device Enrollment Services (NDES).
- The server is providing OCSP and not otherwise hosting any content.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Double-click the "SSL Settings" icon.

Verify the "Clients Certificate Required" check box is selected.

If the "Clients Certificate Required" check box is not selected, this is a finding.

Fix Text

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Double-click the "SSL Settings" icon.

Verify the "Clients Certificate Required" check box is selected.

Select "Apply" from the "Actions" pane.