Detections
Analytics
IIST-SI-000204 - A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required.
Information
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled.NIST SP 800-52 specifies the preferred configurations for government systems.
Solution
Note: If the server being reviewed is a private IIS 10.0 web server, this is Not Applicable.Follow the procedures below for each site hosted on the IIS 10.0 web server:
Open the IIS 10.0 Manager.
Click the site name.
Double-click the 'SSL Settings' icon.
Select 'Require SSL' check box.
Select 'Apply' from the 'Actions' pane.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y26M01_STIG.zip
Item Details
Audit Name: DISA IIS 10.0 Site v2r14
Category: ACCESS CONTROL
References: 800-53|AC-17(2), CAT|II, CCI|CCI-000068, Rule-ID|SV-218738r1022673_rule, STIG-ID|IIST-SI-000204, STIG-Legacy|SV-109301, STIG-Legacy|V-100197, Vuln-ID|V-218738
Plugin: Windows
Control ID: d3473e0e9ce6ed637a74f1a233358e3c1c75727119260ef0e2f9e79e6a6332a6