An IIS 8.5 web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-214436	IISW-SV-000153	SV-214436r508658_rule		High

Description
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.

Description

Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.

STIG	Date
Microsoft IIS 8.5 Server Security Technical Implementation Guide	2020-09-25

Details

Check Text ( C-15646r505372_chk )
Access the IIS 8.5 Web Server. Access an administrator command prompt and type "regedit " to access the server's registry. Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Verify a REG_DWORD value of "0" for "DisabledByDefault" Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server Verify a REG_DWORD value of "1" for "DisabledByDefault" Verify a REG_DWORD value of "0" for "Enabled" If any of the respective registry paths do not exist or are configured with the wrong value, this is a finding.

Check Text ( C-15646r505372_chk )

Access the IIS 8.5 Web Server.

Access an administrator command prompt and type "regedit " to access the server's registry.

Navigate to:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

Verify a REG_DWORD value of "0" for "DisabledByDefault"

Navigate to:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

Verify a REG_DWORD value of "1" for "DisabledByDefault"
Verify a REG_DWORD value of "0" for "Enabled"

If any of the respective registry paths do not exist or are configured with the wrong value, this is a finding.

Fix Text (F-15644r505373_fix)
Access the IIS 8.5 Web Server. Access an administrator command prompt and type "regedit " to access the server's registry. Navigate to the following registry paths and configure the "DisabledByDefault" REG_DWORD with the appropriate values: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server With a REG_DWORD value of "0" for "DisabledByDefault" HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server With a REG_DWORD value of "1" for "DisabledByDefault" With a REG_DWORD value of "0" for "Enabled"

Fix Text (F-15644r505373_fix)

Access the IIS 8.5 Web Server.

Access an administrator command prompt and type "regedit " to access the server's registry.

Navigate to the following registry paths and configure the "DisabledByDefault" REG_DWORD with the appropriate values:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

With a REG_DWORD value of "0" for "DisabledByDefault"

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

With a REG_DWORD value of "1" for "DisabledByDefault"

With a REG_DWORD value of "0" for "Enabled"