
A public web server must be isolated in the enclave.


Overview

Finding ID: V-2242
Version: WA060 W22
Rule ID: SV-33012r1_rule
IA Controls: EBPW-1, ECIC-1
Severity: Medium
Description
To minimize the exposure of private assets to unnecessary risk from attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from publicly based sources, such as the public Internet. Once compromised, a public web server might be used as a base for further attacks on private resources unless additional layers of protection are implemented. Public web servers must be located in a DMZ environment with carefully controlled access. Failure to isolate resources in this way increases the risk that private assets are exposed to attacks from public sources.
STIG: APACHE SERVER 2.2 for Windows
Date: 2011-12-12

Details

Check Text (C-33694r1_chk)
Interview the SA or web administrator to determine where the public web server is logically located on the site’s LAN. Review the site’s network diagram to see how the web server is connected to the LAN. Visually check the web server hardware connections to see whether they conform to the site’s network diagram. A public web server must be located in a DMZ, on a subnet isolated from internal LANs. An improperly located public web server is a potential threat to the entire network. If the web server is not isolated in accordance with the DoD Enclave and Internet-NIPRNet DMZ STIGs, this is a finding.
Fix Text (F-29314r1_fix)
Relocate the public web servers to be isolated from internal systems. In addition, ensure the public web servers do not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) or isolated separate public enclave (subnet).