| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-13620 | WG355 IIS6 | SV-14206r1_rule | IATS-1 IATS-2 | Medium |
The use of a DoD PKI certificate ensures clients that the private web site they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.
Check Text (C-37455r1_chk)
1. Open the IIS Manager > right-click the site being reviewed > select Properties > select the Directory Security tab.
2. Under Secure communications, select Edit. If "Enable certificate trust list" is checked, select Edit.
3. When prompted by the Certificate Trust List Wizard, select Next.

If there are trusted CAs in this list that are not DoD, this is a finding.

NOTE: There are non-DoD roots that must be on the server in order for it to function. Some applications, such as anti-virus programs, require their own root CAs to function.

NOTE: The PKE InstallRoot 3.06 System Administrator Guide (SAG), dated 8 Jul 2008, contains a complete list of DoD, ECA, and IECA CAs.
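The following PowerShell script is an added example to support the review above; it is not part of the STIG text. It lists every root CA trusted by the local machine (the `Cert:\LocalMachine\Root` store) and flags those whose subject is not on an approved-issuer allowlist, so each non-DoD root can be justified or removed. It assumes the reviewer populates `$ApprovedSubjects` from the PKE InstallRoot SAG; the subject names shown are placeholders, and the script audits the machine root store rather than the IIS 6 certificate trust list itself, which is still checked through the wizard as described.

```powershell
# Added example (not from the STIG): audit the local machine's trusted root CAs
# against an allowlist of approved issuer subject names.

# Allowlist of approved root CA subjects. PLACEHOLDER values: replace with the
# DoD, ECA, and IECA root subjects listed in the PKE InstallRoot SAG.
$ApprovedSubjects = @(
    'CN=APPROVED-DOD-ROOT-PLACEHOLDER-1, O=U.S. Government, C=US',
    'CN=APPROVED-ECA-ROOT-PLACEHOLDER-1, O=U.S. Government, C=US'
)

# Enumerate the root CAs currently trusted by the local machine.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root

# Collect every root whose subject is not on the allowlist.
$findings = foreach ($cert in $roots) {
    if ($ApprovedSubjects -notcontains $cert.Subject) {
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Status     = 'REVIEW: not on approved list'
        }
    }
}

$count = @($findings).Count
if ($count -gt 0) {
    $findings | Sort-Object Subject | Format-Table -AutoSize
    Write-Output ("{0} trusted root CA(s) not on the approved list; document a justification (e.g., required by anti-virus software) or remove each." -f $count)
} else {
    Write-Output 'All trusted root CAs are on the approved list.'
}
```

Run it in an elevated PowerShell session on the web server; the output is a list to reconcile against the SAG and the server's documented exceptions, not an automatic pass/fail, because the check text allows non-DoD roots that the server or its software genuinely needs.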
Fix Text (F-32701r1_fix)

Configure the certificate trust list to trust only DoD-approved PKIs (e.g., DoD PKI, DoD ECA, and DoD-approved external partners).