STIGQter: STIG Summary: Microsoft Internet Explorer 11 Security Technical Implementation Guide Version: 1 Release: 19 Benchmark Date: 24 Jul 2020:

Check for publishers certificate revocation must be enforced.

DISA Rule

SV-59341r4_rule

Vulnerability Number

V-46477

Group Title

DTBI018-IE11-Publishers Certificate Revocation

Rule Version

DTBI018-IE11

Severity

CAT III

CCI(s)

CCI-000185 - The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Weight

Fix Recommendation

If the system is on the SIPRNet, this requirement is NA.

Open Internet Explorer.
From the menu bar, select "Tools".
From the "Tools" drop-down menu, select "Internet Options". From the "Internet Options" window, select the "Advanced" tab from the "Advanced" tab window, scroll down to the "Security" category, and select the "Check for publisher's certificate revocation" box.

Note: Manual entry in the registry key:

HKCU\Software\Microsoft\Windows\Current Version\WinTrust\Trust Providers\Software Publishing for the value "State", set to "REG_DWORD = 23C00", may first be required.

Check Contents

If the system is on the SIPRNet, this requirement is NA.

Open Internet Explorer.
From the menu bar, select "Tools".
From the "Tools" drop-down menu, select "Internet Options". From the "Internet Options" window, select the "Advanced" tab, from the "Advanced" tab window, scroll down to the "Security" category, and verify the "Check for publisher's certificate revocation" box is selected.

Procedure: Use the Windows Registry Editor to navigate to the following key:
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Criteria

If the value "State" is "REG_DWORD = 23C00", this is not a finding.

Vulnerability Number

V-46477

Documentable

False

Rule Version

DTBI018-IE11

Severity Override Guidance

If the system is on the SIPRNet, this requirement is NA.

Open Internet Explorer.
From the menu bar, select "Tools".
From the "Tools" drop-down menu, select "Internet Options". From the "Internet Options" window, select the "Advanced" tab, from the "Advanced" tab window, scroll down to the "Security" category, and verify the "Check for publisher's certificate revocation" box is selected.

Procedure: Use the Windows Registry Editor to navigate to the following key:
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Criteria

If the value "State" is "REG_DWORD = 23C00", this is not a finding.

Check Content Reference

Target Key

2589

Check for publishers certificate revocation must be enforced.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments