Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Only fully reviewed and tested web sites must exist on a production web server.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-2254 | WG260 IIS6 | SV-38069r1_rule | ECSC-1 | Medium |
| Description |
|---|
| In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files revealing business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security, which is totally avoidable. |
| STIG | Date |
|---|---|
| IIS6 Site | 2014-12-10 |
Details
| Check Text ( C-37435r1_chk ) |
|---|
| The reviewer should query the IAO, SA, and Web Manager to find out if development web sites are being housed on production web servers. Definition: A production web server is any web server connected to a production network, regardless of its role. Proposed Questions: Do you have development sites on your production web server? What is your process to get development web sites / content posted to the production server? Do you use under construction notices on production web pages? A manual cehck can be completed by navigating to the web site via a browser and confirm the information provided by the web staff. If development web content is discovered on the production web server, this is a finding. |
| Fix Text (F-32679r1_fix) |
|---|
| Ensure any pages in development are not installed on a production web server. |