A private web site must utilize certificates from a trusted DoD CA.


Overview

Finding ID: V-13620
Version: WG355 IIS6
Rule ID: SV-14206r1_rule
IA Controls: IATS-1, IATS-2
Severity: Medium
Description
The use of a DoD PKI certificate ensures clients that the private web site they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.
STIG: IIS6 Site
Date: 2014-12-10

Details

Check Text ( C-37455r1_chk )
1. Open the IIS Manager > Right click on the site being reviewed > Select Properties > Select the Directory Security tab.
2. Under Secure communications > Select Edit > if the Enable certificate trust list is checked, Select Edit.
3. When prompted by the certificate trust list wizard select Next.

If there are trusted CAs in this list that are not DoD, this is a finding.

NOTE: Some non-DoD roots must be present on the server for it to function; some applications, such as anti-virus programs, require their own root CAs.
NOTE: The PKE InstallRoot 3.06 System Administrator Guide (SAG), dated 8 Jul 2008, contains a complete list of DoD, ECA, and IECA CAs.
Fix Text (F-32701r1_fix)
Configure the certificate trust list to trust only DoD-approved PKIs (e.g., DoD PKI, DoD ECA, and DoD-approved external partners).
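The check above is performed through the IIS Manager GUI against the site's certificate trust list. As an added example that is not part of the STIG text, the following PowerShell script supports that review by enumerating the server's Trusted Root and Intermediate CA stores (the stores a CTL draws from) and listing every CA whose subject does not match a DoD or ECA naming pattern. The subject patterns and the empty exception list are assumptions; both should be tailored to the CA list in the PKE InstallRoot SAG referenced in the note and to the documented non-DoD roots (for example, anti-virus vendors) that the server legitimately requires.

```powershell
# Added example, not from the STIG: audit LocalMachine Root and CA stores for
# certification authorities that are not DoD or ECA CAs.
# ASSUMPTION: DoD and ECA roots carry "OU=DoD" or "OU=ECA" in their subject;
# verify against the PKE InstallRoot SAG list before relying on these patterns.
$dodPatterns = @('OU=DoD', 'OU=ECA')

# ASSUMPTION/placeholder: thumbprints of non-DoD roots documented as required
# on this server (e.g. anti-virus vendor roots). Populate from local policy.
$documentedExceptions = @()

$stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert  = $_
        $isDod = $false
        foreach ($pattern in $dodPatterns) {
            # -match is a case-insensitive regex match in PowerShell
            if ($cert.Subject -match $pattern) { $isDod = $true }
        }
        if (-not $isDod -and ($documentedExceptions -notcontains $cert.Thumbprint)) {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

if ($findings) {
    Write-Output "Non-DoD CAs present; review each against the SAG list and documented exceptions:"
    $findings | Sort-Object Store, Subject | Format-Table -AutoSize
} else {
    Write-Output "Only DoD/ECA CAs (or documented exceptions) found in the Root and CA stores."
}
```

Run the script in an elevated PowerShell session on the IIS server; any CA it lists that also appears in the site's certificate trust list and is not a documented exception is the condition the check text calls a finding.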