2.6 Ensure transport layer security for 'basic authentication' is configured


Basic Authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted using SSL, especially in cases where the site is publicly accessible and is recommended that SSL be configured and required for any Site or Application using Basic Authentication.

Credentials sent in clear text can be easily intercepted by malicious code or persons. Enforcing the use of Secure Sockets Layer will help mitigate the chances of hijacked credentials.


To protect Basic Authentication with transport layer security:

1. Open IIS Manager
2. In the Connections pane on the left, select the server to be configured
3. In the Connections pane, expand the server, then expand Sites and select the site to be configured
4. In the Actions pane, click Bindings; the Site Bindings dialog appears
5. If an HTTPS binding is available, click Close and see below 'To require SSL'
6. If no HTTPS binding is visible, perform the following steps

To add an HTTPS binding:
1. In the Site Bindings dialog, click Add; the Add Site Binding dialog appears
2. Under Type, select https
3. Under SSL certificate, select an X.509 certificate
4. Click OK, then close

To require SSL:
1. In Features View, double-click SSL Settings
2. On the SSL Settings page, select Require SSL.
3. On Windows 2008, also check Require 128-bit SSL.
4. In the Actions pane, click Apply

See Also


Item Details


References: 800-53|IA-5(1)(c), CSCv6|16.13, CSCv6|16.14

Plugin: Windows

Control ID: 96ecaf3ed7880a8131eb396d33033f858d3948cf91db89fc682403eb41ed33b1