UCF STIG Viewer Logo

The private web server must use an approved DoD certificate validation process.


Finding ID Version Rule ID IA Controls Severity
V-13672 WG145 IIS6 SV-28796r1_rule IATS-1 IATS-2 Medium
Without the use of a certificate validation process, the site is vulnerable to accepting expired or revoked certificates. This would allow unauthorized individuals access to the web server. This also defeats the purpose of the multi-factor authentication provided by the PKI process.
IIS6 Site 2015-06-01


Check Text ( C-37412r1_chk )
1. Select Start > Select Run > Enter the path to the Metabase.xml file (default is %systemroot\system32\inetsrv\Metabase.xml)
2. Select Cntrl+F > Enter CertCheckMode.
3. Ensure ServerComment property, a few lines after the CertCheckMode property, contains the name of the web site being reviewed.
3. Verify this property is set to 0.

If the value of this property is not set to 0, this is a finding.

NOTE: The value for this parameter defaults to 0, which means the CRL checking is enabled. So, if the web site being reviewed is missing this parameter, this would not be a finding.
NOTE: If the property exists in both the server location, LM/W3SVC/CertCheckMode, and at the site level, W3SVC/(site name)/CertCheckMode, the value at the site will override the value at the server level. So, in this case, if the server is set to 0, and the site is set to 1, it would be a finding for the site being reviewed.
Fix Text (F-32648r1_fix)
Configure the DoD Private Web Server to conduct certificate revocation checking.