All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-13621	WG385 W22	SV-33087r1_rule	ECSC-1	High

Description
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Delete all directories that contain samples and any scripts used to execute the samples. If there is a requirement to maintain these directories at the site on non-production servers for training purposes, have NTFS permissions set to only allow access to authorized users (i.e., web administrators and systems administrators). Sample applications or scripts have not been evaluated and approved for use and may introduce vulnerabilities to the system.

Description

Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Delete all directories that contain samples and any scripts used to execute the samples. If there is a requirement to maintain these directories at the site on non-production servers for training purposes, have NTFS permissions set to only allow access to authorized users (i.e., web administrators and systems administrators). Sample applications or scripts have not been evaluated and approved for use and may introduce vulnerabilities to the system.

STIG	Date
APACHE SERVER 2.0 for Windows	2015-05-29

Details

Check Text ( C-33756r1_chk )
Query the SA to determine if all directories that contain samples and any scripts used to execute the samples have been removed from the server. Each web server has its own list of sample files. This may change with the software versions, but the following are some examples of what to look for (This is not a definitive list of sample files, but only an example of the common samples that are provided with the associated web server. This list will be updated as additional information is discovered.): [Drive Letter]:/[directory path]/apache2/manual/. [Drive Letter]:/[directory path]/apache2/conf/extra/. [Drive Letter]:/[directory path]/apache2/cgi-bin/printenv [Drive Letter]:/[directory path]/apache2/cgi-bin/test-cgi If there is a requirement to maintain these directories at the site for training or other such purposes, have permissions or set the permissions to only allow access to authorized users. If any sample files are found on the web server, this is a finding.

Check Text ( C-33756r1_chk )

Query the SA to determine if all directories that contain samples and any scripts used to execute the samples have been removed from the server.

Each web server has its own list of sample files. This may change with the software versions, but the following are some examples of what to look for (This is not a definitive list of sample files, but only an example of the common samples that are provided with the associated web server. This list will be updated as additional information is discovered.):

[Drive Letter]:/[directory path]/apache2/manual/*.*
[Drive Letter]:/[directory path]/apache2/conf/extra/*.*
[Drive Letter]:/[directory path]/apache2/cgi-bin/printenv
[Drive Letter]:/[directory path]/apache2/cgi-bin/test-cgi

If there is a requirement to maintain these directories at the site for training or other such purposes, have permissions or set the permissions to only allow access to authorized users.

If any sample files are found on the web server, this is a finding.

Fix Text (F-29392r1_fix)
Ensure sample code and documentation have been removed from the web server.