STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Microsoft IIS 10.0 Site Security Technical Implementation Guide

V-218768

CAT I (High)

The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates.

Rule ID

SV-218768r1156529_rule

STIG

Microsoft IIS 10.0 Site Security Technical Implementation Guide

Version

V2R15

CCIs

CCI-002476

Discussion

TLS encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2/140-3 approved TLS version, and all non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.

Check Content

Notes: 
- If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 10.0 server, and the IIS 10.0 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server. In this case, this requirement is not applicable.
- If this is a public-facing web server, this requirement is not applicable.
- If this server is hosting WSUS, this requirement is not applicable.
- If the server being reviewed is hosting SharePoint, this is not applicable.
- If the server being reviewed is hosting Simple Certificate Enrollment Services (SCEP), this is not applicable.
- If the server being reviewed is hosting Network Device Enrollment Services (NDES), this is not applicable.
- If the server is providing OCSP, and not otherwise hosting any content, this requirement is not applicable.
- If the server is providing CRL, and not otherwise hosting any content, this requirement is not applicable.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Double-click the "SSL Settings" icon under the "IIS" section.

Verify "Require SSL" is checked.

Verify "Client Certificates Required" is selected.

Click the site under review.

Select "Configuration Editor" under the "Management" section.

From the "Section:" drop-down list at the top of the configuration editor, locate "system.webServer/security/access".

The value for "sslFlags" set must include "ssl128".

If the "Require SSL" is not selected, this is a finding.

If the "Client Certificates Required" is not selected, this is a finding. Note: "Client Certificates Required" can be considered Not Applicable in a Single Sign On (SSO) scenario where client certificates are no longer processed locally.

If the "sslFlags" is not set to "ssl128", this is a finding.

Fix Text

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Double-click the "SSL Settings" icon under the "IIS" section.

Select the "Require SSL" setting.

Select the "Client Certificates Required" setting.

Click "Apply" in the "Actions" pane.

Click the site under review.

Select "Configuration Editor" under the "Management" section.

From the "Section:" drop-down list at the top of the configuration editor, locate "system.webServer/security/access".

Click on the drop-down list for "sslFlags".

Select the "Ssl128" check box.

Click "Apply" in the "Actions" pane.