Vuln ID | Severity | Title | Description |
--- | --- | --- | --- |
V-13699 | High | The IIS web site permissions "Write" or "Script Source" must not be selected. | Web site permissions to include Read, Write, and Script Source Access can be set within the IIS Administration tool. Configuration settings made at the Web Server level are inherited by all of the... |
V-13713 | High | A unique non-privileged account must be used to run Worker Process Identities. | The Worker Process Identity is the user defined to run an Application Pool. The IIS 6 worker processes, by default, run under the NetworkService account. Creating a custom identity for each... |
V-13686 | High | Web Administrators must secure encrypted connections for Document Root directory uploads. | Logging in to a web server via a telnet session or using HTTP or FTP in order to upload documents to the web site is a risk if proper encryption is not utilized to protect the data being... |
V-2258 | High | The web client account access to the content and scripts directories must be limited to read and execute. | Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the... |
V-2267 | High | Unused and vulnerable script mappings in IIS 6 must be removed. | IIS file extensions which require server-side processing, but which have been deemed vulnerable, include .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .bat, .cmd and .stm. Requests to... |
V-6755 | Medium | Directory browsing must be disabled. | This ensures the directory structure, filenames, and web publishing features are not accessible. Such information and the contents of files listed are normally readable by the anonymous web user,... |
V-2268 | Medium | The IUSR_machinename account must not have read access to the .inc files or their equivalent. | Owing to the nature of .inc files, which may contain sensitive logic and potentially reveal sensitive information about the architecture of the web server, it is vital that the end user not be... |
V-13620 | Medium | A private web site must utilize certificates from a trusted DoD CA. | The use of a DoD PKI certificate ensures clients that the private web site they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy. |
V-13705 | Medium | The maximum number of requests an application pool can process must be set. | A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When... |
V-13704 | Medium | The Recycle Worker processes in minutes monitor must be set properly. | A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When... |
V-13707 | Medium | The maximum used memory monitor must be enabled. | A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When... |
V-13706 | Medium | The maximum virtual memory monitor must be enabled. | A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When... |
V-13703 | Medium | The web site must have a unique application pool. | Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site... |
V-2270 | Medium | Anonymous FTP users must not have access to interactive scripts. | The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories containing scripts that can dynamically produce web... |
V-2272 | Medium | PERL scripts must use the TAINT option. | PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on... |
V-2252 | Medium | Users other than the Auditors group must not have greater than read access to log files. | The access and error logs are a major tool for exploring web site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and... |
V-13708 | Medium | The Shutdown worker processes Idle Timeout monitor must be enabled. | A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When... |
V-2250 | Medium | Logs of web server access and errors must be established and maintained. | Web site use, attempted use, unusual conditions, and problems are reported in the access and error logs, which are a major tool for investigating them. In the event of a security incident, these logs can provide... |
V-13723 | Medium | The MaxRequestEntityAllowed metabase value must be defined. | IIS 6.0 limits the size of requests directly from the settings in the metabase with the metabase entry MaxRequestEntityAllowed. This entry is similar to the MaxRequestEntityAllowed and... |
V-6531 | Medium | A private web site's authentication mechanism must use client certificates. | A DoD private web site must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use... |
V-13688 | Medium | Log file data must contain required data elements. | The use of log files is a critical component of the operation of the Information Systems (IS) used within the DoD, and they can provide invaluable assistance with regard to damage assessment,... |
V-13689 | Medium | Access to the web site log files must be restricted. | The access and error logs are a major tool for exploring web site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and... |
V-3333 | Medium | The web document (home) directory must be on a separate partition from the web server's system files. | Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. To obtain such access is... |
V-2254 | Medium | Only fully reviewed and tested web sites must exist on a production web server. | In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing... |
V-2263 | Medium | A private web server must have a valid server certificate. | This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the... |
V-2262 | Medium | A private web server must utilize an approved TLS version. | Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private... |
V-2260 | Medium | A web site must not contain a robots.txt file. | Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In... |
V-13709 | Medium | The Limit the kernel request queue monitor must be enabled. | A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When... |
V-2226 | Medium | Web content directories must not be anonymously shared. | Anonymously shared directories are exposed to unnecessary risk. Any unnecessary exposure increases the risk that an intruder could exploit the access and compromise the web content or cause web... |
V-13672 | Medium | The private web server must use an approved DoD certificate validation process. | Without the use of a certificate validation process, the site is vulnerable to accepting expired or revoked certificates. This would allow unauthorized individuals access to the web server. This... |
V-13712 | Medium | The Enable rapid-fail time period monitor must be enabled. | A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When... |
V-2229 | Medium | Interactive scripts must have proper access controls. | CGI is a ‘programming standard’ for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with... |
V-13710 | Medium | The Enable pinging monitor must be enabled. | A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When... |
V-13711 | Medium | The Enable rapid-fail protection monitor must be enabled. | A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When... |
V-2245 | Medium | Each readable web document directory must contain a default, home, index or equivalent file. | The goal is to control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html... |
V-2240 | Medium | Web sites must limit the number of simultaneous requests. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, which can facilitate a Denial of Service attack. Mitigating this kind of attack will... |
V-2230 | Low | Backup interactive scripts must be removed from the web site. | Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as... |
V-13702 | Low | The Content Location header must not contain proprietary IP addresses. | When using static HTML pages, a Content-Location header is added to the response. By default, Internet Information Server (IIS) 4.0 Content-Location references the IP address of the server rather... |
V-2265 | Low | Java software installed on the web server must be limited to class files and the JAVA virtual machine. | From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information... |
V-6373 | Low | The required DoD banner page must be displayed to authenticated users accessing a DoD private website. | A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document, DoDI... |
V-3963 | Low | Indexing Services must only index web content. | The indexing service can be used to facilitate a search function for web sites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user.... |