WG145 IIS6 - The private web server must use an approved DoD certificate validation process. - 'Check W3SVC/WEBSITES CertCheckMode'


Without the use of a certificate validation process, the site is vulnerable to accepting expired or revoked certificates. This would allow unauthorized individuals access to the web server. This also defeats the purpose of the multi-factor authentication provided by the PKI process.


Configure the DoD Private Web Server to conduct certificate revocation checking.

See Also


Item Details

References: CAT|II, Rule-ID|SV-28796r1_rule, STIG-ID|WG145_IIS6, Vuln-ID|V-13672

Plugin: Windows

Control ID: a26671d8f6f3cbfcd89fb19b67e2714408d90a4b7fa5f6be8fdd9305903b74e4