2.6 Ensure transport layer security for 'basic authentication' is configured

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Basic Authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted, especially in cases where the site is publicly accessible and is recommended that TLS be configured and required for any Site or Application using Basic Authentication.

Rationale:

Credentials sent in clear text can be easily intercepted by malicious code or persons. Enforcing the use of Transport Layer Security will help mitigate the chances of hijacked credentials.

Impact:

Credentials will not be passed across the network in plain text.

Solution

To protect Basic Authentication with transport layer security:

Open IIS Manager

In the Connections pane on the left, select the server to be configured

In the Connections pane, expand the server, then expand Sites and select the site to be configured

In the Actions pane, click Bindings; the Site Bindings dialog appears

If an HTTPS binding is available, click Close and see below 'To require SSL'

If no HTTPS binding is visible, perform the following steps

To add an HTTPS binding:

In the Site Bindings dialog, click Add; the Add Site Binding dialog appears

Under Type, select https

Under SSL certificate, select an X.509 certificate

Click OK, then close

To require SSL:

In Features View, double-click SSL Settings

On the SSL Settings page, select Require SSL.

In the Actions pane, click Apply

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location '<website name>' -filter 'system.webServer/security/access' -name 'sslFlags' -value 'Ssl'

Default Value:

Transport Layer Security is not enabled by default when Basic Authentication is configured.

See Also

https://workbench.cisecurity.org/files/4131