Rule ID
SV-218749r1210386_rule
Version
V2R16
A DOD private website must use PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private websites. Satisfies: SRG-APP-000172-WSR-000104, SRG-APP-000224-WSR-000135, SRG-APP-000427-WSR-000186
Note: If any of the following is true, this requirement is Not Applicable: - Authentication is offloaded to an external enterprise authentication mechanism that is performing certificate handling. - The server being reviewed is a public IIS 10.0 web server. - The server being reviewed is hosting SharePoint. - The server being reviewed is hosting WSUS. - Certificate handling is performed at the Proxy/Load Balancer. - The server being reviewed is hosting Simple Certificate Enrollment Services (SCEP). - The server being reviewed is hosting Network Device Enrollment Services (NDES). - The server is providing OCSP and not otherwise hosting any content. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon. Verify the "Clients Certificate Required" check box is selected. If the "Clients Certificate Required" check box is not selected, this is a finding.
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon. Verify the "Clients Certificate Required" check box is selected. Select "Apply" from the "Actions" pane.