UCF STIG Viewer Logo

The application server must adhere to the principles of least functionality by providing only essential capabilities.


Overview

Finding ID Version Rule ID IA Controls Severity
V-35234 SRG-APP-000141-AS-000095 SV-46521r1_rule Medium
Description
Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD system. Application servers must provide the capability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance, for example, disabling dynamic JSP reloading on production application servers as a best practice.
STIG Date
Application Server Security Requirements Guide 2013-01-08

Details

Check Text ( C-43604r1_chk )
Review the AS documentation and configuration to determine if the AS can disable unauthorized features and capabilities. If the AS is not configured to meet this requirement, this is a finding.
Fix Text (F-39781r1_fix)
Configure the AS to use only authorized features and capabilities.