STIGQter: STIG Summary: Microsoft IIS 8.5 Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The IIS 8.5 web server must perform RFC 5280-compliant certification path validation.

DISA Rule

SV-214415r508658_rule

Vulnerability Number

V-214415

Group Title

SRG-APP-000175-WSR-000095

Rule Version

IISW-SV-000129

Severity

CAT II

CCI(s)

• CCI-000185 - The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Weight

10

Fix Recommendation

Open the IIS 8.5 Manager.

Click the IIS 8.5 web server name.

Double-click the "Server Certificate" icon.

Import a valid DoD certificate and remove any non-DoD certificates.

Check Contents

Open the IIS 8.5 Manager.
Click the IIS 8.5 web server name.
Double-click the "Server Certificate" icon.
Double-click each certificate and verify the certificate path is to a DoD root CA.
If the “Issued By” field of the PKI certificate being used by the IIS 8.5 server/site does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding.

Vulnerability Number

V-214415

Documentable

False

Rule Version

IISW-SV-000129

Severity Override Guidance

Open the IIS 8.5 Manager.
Click the IIS 8.5 web server name.
Double-click the "Server Certificate" icon.
Double-click each certificate and verify the certificate path is to a DoD root CA.
If the “Issued By” field of the PKI certificate being used by the IIS 8.5 server/site does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding.

Check Content Reference

M

Target Key

4000

Comments