The IIS 8.5 web server must perform RFC 5280-compliant certification path validation.

From IIS 8.5 Server Security Technical Implementation Guide

Part of SRG-APP-000175-WSR-000095

Associated with: CCI-000185

SV-91411r1_rule The IIS 8.5 web server must perform RFC 5280-compliant certification path validation.

Vulnerability discussion

This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the website to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.

Check content

Open the IIS 8.5 Manager. Click the IIS 8.5 web server name. Double-click the "Server Certificate" icon. Double-click each certificate and verify the certificate path is to a DoD root CA. If not, this is a finding.
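As an added example (not part of the STIG text), the following PowerShell script automates this check: it finds the certificates bound to HTTPS sites, builds each certificate's chain with RFC 5280 path validation (revocation checked across the entire chain), and reports the root CA the chain terminates in. The `$DoDRootPattern` subject pattern is an assumption to be replaced with the organization's actual trust anchors, and the use of the `certificateHash` property of `Get-WebBinding` output assumes the WebAdministration module that ships with IIS.

```powershell
# Added example, not from the STIG: automated version of the "certificate path is to a
# DoD root CA" check for IIS 8.5 server certificates.
# ASSUMPTION: this subject pattern is a placeholder; set it to the root CAs your
# organization actually trusts before relying on the Finding column.
$DoDRootPattern = 'DoD Root CA'

function Test-ServerCertificatePath {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$RootPattern = $DoDRootPattern
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # RFC 5280 path validation: check revocation for every certificate in the chain,
    # and do not ignore any validation error.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $built = $chain.Build($Certificate)

    # The last chain element is the trust anchor the path terminated in; if no chain
    # could be built at all, fall back to the leaf so the report still has a subject.
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    } else {
        $root = $Certificate
    }

    $result = [pscustomobject]@{
        Thumbprint  = $Certificate.Thumbprint
        Subject     = $Certificate.Subject
        NotAfter    = $Certificate.NotAfter
        ChainValid  = $built
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        RootCA      = $root.Subject
        DoDRoot     = ($root.Subject -match $RootPattern)
        # Finding per the STIG check: path does not validate, or does not end in a DoD root.
        Finding     = ((-not $built) -or ($root.Subject -notmatch $RootPattern))
    }
    $chain.Reset()
    return $result
}

# Limit the review to certificates actually bound to HTTPS sites (WebAdministration
# module, installed with IIS; certificateHash is the bound certificate's thumbprint).
Import-Module WebAdministration
$boundHashes = Get-WebBinding -Protocol https | ForEach-Object { $_.certificateHash }

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $boundHashes -contains $_.Thumbprint } |
    ForEach-Object { Test-ServerCertificatePath -Certificate $_ } |
    Format-Table Subject, NotAfter, ChainValid, ChainStatus, RootCA, DoDRoot, Finding -AutoSize
```

Run it in an elevated PowerShell session on the web server. A row with `Finding` set to True corresponds to the manual finding in the check above: either the chain does not validate (expired, revoked, or untrusted) or it terminates in a root that does not match the expected DoD pattern. The `ChainStatus` column explains why a chain failed, which the IIS Manager certificate path view does not show directly.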

Fix text

Open the IIS 8.5 Manager. Click the IIS 8.5 web server name. Double-click the "Server Certificate" icon. Import a valid DoD certificate and remove any non-DoD certificates.
