← Back to Microsoft Internet Explorer 11 Security Technical Implementation Guide

V-223016

CAT III (Low)

Check for publishers certificate revocation must be enforced.

Rule ID

SV-223016r961038_rule

STIG

Microsoft Internet Explorer 11 Security Technical Implementation Guide

Version

V2R7

CCIs

CCI-000185

Discussion

Check for publisher's certificate revocation options should be enforced to ensure all PKI signed objects are validated. Satisfies: SRG-APP-000605

Check Content

If the system is on the SIPRNet, this requirement is NA.

Open Internet Explorer.
From the menu bar, select "Tools".
From the "Tools" drop-down menu, select "Internet Options". From the "Internet Options" window, select the "Advanced" tab, from the "Advanced" tab window, scroll down to the "Security" category, and verify the "Check for publisher's certificate revocation" box is selected.

Procedure: Use the Windows Registry Editor to navigate to the following key:
 HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Criteria

If the value "State" is "REG_DWORD = 23C00", this is not a finding.

Fix Text

If the system is on the SIPRNet, this requirement is NA.

Open Internet Explorer.
From the menu bar, select "Tools".
From the "Tools" drop-down menu, select "Internet Options". From the "Internet Options" window, select the "Advanced" tab from the "Advanced" tab window, scroll down to the "Security" category, and select the "Check for publisher's certificate revocation" box.

Note: Manual entry in the registry key:

HKCU\Software\Microsoft\Windows\Current Version\WinTrust\Trust Providers\Software Publishing for the value "State", set to "REG_DWORD = 23C00", may first be required.