V-13699 | High | The IIS web site permissions "Write" or "Script Source" must not be selected. | Web site permissions to include Read, Write, and Script Source Access can be set within the IIS Administration tool. Configuration settings made at the Web Server level are inherited by all of the... |
V-13698 | High | The IISADMPWD directory has not been removed from the Web server. | The IISADMPWD directory is included by default with IIS. It allows users to reset Windows passwords. The use of userid and passwords is a far less secure solution for controlling user access to... |
V-13591 | High | Classified web servers will be afforded physical security commensurate with the classification of its content. | When data of a classified nature is migrated to a web server, fundamental principles applicable to the safeguarding of classified material must be followed. A classified web server needs to be... |
V-2258 | High | The web client account access to the content and scripts directories will be limited to read and execute. | Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the... |
V-13686 | High | Remote authors or content providers will only use secure encrypted logons and connections to upload files to the Document Root directory. | Logging in to a web server via a telnet session or using HTTP or FTP in order to upload documents to the web site is a risk if proper encryption is not utilized to protect the data being... |
V-2249 | High | Web server administration will be performed over a secure path or at the console. | Logging in to a web server via a telnet session or using HTTP or FTP to perform updates and maintenance is a major risk. In all such cases, userids and passwords are passed in the plain text. A... |
V-2247 | High | Only administrators are allowed access to the directory tree, the shell, or other operating system functions and utilities. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server.... |
V-2246 | High | The web server must use a vendor-supported version of the web server software. | Many vulnerabilities are associated with old versions of web server software. As hot fixes and patches are issued, these solutions are included in the next version of the server software.... |
V-13733 | High | The "IncludesNOEXEC" directive is not enabled on any directory that maintains Server Side Includes. | Directory options directives are httpd.conf directives that can be applied to further restrict access to file and directories. The "IncludesNOEXEC" option allows Server-side includes, but the... |
V-6537 | High | Anonymous access accounts are restricted. | Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather users are assigned incorrect... |
V-2267 | High | Unused and vulnerable script mappings in IIS are not removed or set to the 404.dll. | IIS file extensions which require server-side processing, but which have been deemed vulnerable, include .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .bat, .cmd and .stm. Requests to... |
V-13621 | High | All web server documentation, sample code, example applications, and tutorials will be removed from a production web server. | Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally... |
V-13701 | High | The command shell options are not disabled. | The command shell can be used to call arbitrary commands at the Web server from within an HTML page. |
V-13713 | High | A unique non-privileged account must be used to run Worker Process Identities. | The Worker Process Identity is the user defined to run an Application Pool. The IIS 6 worker processes, by default, run under the NetworkService account. Creating a custom identity for each... |
V-13694 | Medium | Public web servers will use TLS if authentication is required. | TLS encryption is optional for a public web server. However, if authentication and encryption are used, then the use of TLS is required. Transactions encrypted with DoD PKI certificates are... |
V-6755 | Medium | Directory Browsing is not disabled. | This ensures that your directory structure, filenames, and web publishing features are not accessible. Such information and the contents of files listed are normally readable by the anonymous web... |
V-6754 | Medium | The IIS Internet Printing Protocol is not disabled. | Cited by SANS as one of the five most widely exploited holes in unpatched versions of IIS in 2001, Windows 2000 and 2003 include support for the Internet Printing Protocol (IPP) via an ISAPI... |
V-26279 | Medium | Error logging must be enabled. | The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or... |
V-2259 | Medium | Web server system files will conform to minimum file permission requirements. | This check verifies that the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web... |
V-2256 | Medium | The access control files are owned by a privileged web server account. | This check verifies that the key web server system configuration files are owned by the SA or by the web administrator controlled account. These same files which control the configuration of the... |
V-2254 | Medium | Only web sites that have been fully reviewed and tested will exist on a production web server. | In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing... |
V-2255 | Medium | The web server's htpasswd files (if present) will reflect proper ownership and permissions. | In addition to OS restrictions, access rights to files and directories can be set on a web site using the web server software. That is, in addition to allowing or denying all access rights, a... |
V-2252 | Medium | Users other than from the Auditors group have greater than read access to log files. | A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and... |
V-2250 | Medium | Logs of web server access and errors will be established and maintained. | A major tool in exploring the web site use, attempted use, unusual conditions, and problems are reported in the access and error logs. In the event of a security incident, these logs can provide... |
V-13687 | Medium | Remote authors or content providers must have all files scanned for malware before uploading files to the Document Root directory. | Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and checking for malicious or mobile code. A remote web user whose agency has a... |
V-13723 | Medium | The MaxRequestEntityAllowed metabase value must be defined. | IIS 6.0 limits the size of requests directly from the settings in the metabase with the metabase entry MaxRequestEntityAllowed. This entry is similar to the MaxRequestEntityAllowed and... |
V-13722 | Medium | The UrlSegmentMaxCount registry entry must be set properly. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The UrlSegmentMaxCount value determines the maximum number of URL path... |
V-13721 | Medium | The UriMaxUriBytes registry entry must be set properly. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The UriMaxUriBytes key is used to set size limits on what is cached in... |
V-13720 | Medium | The PercentUAllowed registry entry must be set properly. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The PercentUAllowed key allows the web server to accept Unicode character... |
V-13688 | Medium | Log file data must contain required data elements. | The use of log files is a critical component of the operation of the Information Systems (IS) used within the DoD, and they can provide invaluable assistance with regard to damage assessment,... |
V-13689 | Medium | Access to the web server log files will be restricted to administrators, web administrators, and auditors. | A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and... |
V-13725 | Medium | The httpd.conf KeepAlive directive is not enabled. | These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to... |
V-13724 | Medium | The httpd.conf Timeout directive is not set properly. | These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to... |
V-2248 | Medium | Access to web administration tools is restricted to the web manager and the web manager’s designees. | The key web service administrative and configuration tools must only be accessible by the web server staff. As these services control the functioning of the web server, access to these tools is... |
V-13619 | Medium | The web server, although started by superuser or privileged account, is not run using a non-privileged account. | Running the web server with excessive privileges presents an increased risk to the web server. In the event the web server's services are compromised, the context by which the web server is... |
V-13613 | Medium | The site software used with the web server does not have all applicable security patches applied and documented. | The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software environment. Many vendors have subscription services... |
V-2240 | Medium | The number of allowed simultaneous requests will be limited for web sites. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include... |
V-2243 | Medium | A private web server will be located on a separate controlled access subnet. | Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Insider threat may be accidental or intentional but,... |
V-2242 | Medium | A public web server will be physically and logically isolated in accordance with the DoD Internet-NIPRNet DMZ STIG and the DoD Enclave STIG. | To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers also refer to web servers that may be located... |
V-13738 | Medium | The httpd.conf LimitRequestFieldsize directive is set to unlimited. | Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite... |
V-13739 | Medium | The httpd.conf LimitRequestline directive is set to unlimited. | Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite... |
V-13730 | Medium | The httpd.conf MaxClients directive is not set properly. | These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to... |
V-13731 | Medium | The CGI-Bin directory or the directory that maintains CGI scripts is not the only directory to have the ExecCGI directive applied. | Directory options directives are httpd.conf directives that can be applied to further restrict access to file and directories. The Options directive controls which server features are available... |
V-13732 | Medium | The "-FollowSymLinks" directive is not used on all data directories. | Directory options directives are httpd.conf directives that can be applied to further restrict access to file and directories. The server will follow symbolic links in this directory if the... |
V-13734 | Medium | The MultiViews directive is used. | Directory options directives are httpd.conf directives that can be applied to further restrict access to file and directories. From Apache.org: MultiViews is a per-directory option, meaning it... |
V-13735 | Medium | The "-Indexes" directive is not used on all data directories not containing a default index page unless the mod_autoindex module is disabled. | Directory options directives are httpd.conf directives that can be applied to further restrict access to file and directories. If a URL which maps to a directory is requested, and there is no... |
V-13736 | Medium | The httpd.conf LimitRequestBody directive is set to unlimited. | Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite... |
V-13737 | Medium | The httpd.conf LimitRequestFields directive is set to unlimited. | Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite... |
V-13710 | Medium | An application pool’s pinging monitor must be enabled. | Windows Process Activation Service (WAS) manages application pool configurations and may flag a worker process as unhealthy and shut it down. An application pool’s pinging monitor must be enabled... |
V-26294 | Medium | Web server status module must be disabled. | The Apache mod_info module provides information on the server configuration via access to a /server-info URL location, while the mod_status module provides current server performance statistics.... |
V-2270 | Medium | Anonymous FTP user access to interactive scripts is prohibited. | The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web... |
V-2271 | Medium | Monitoring software will include CGI or equivalent programs in the set of files which it checks. | By their very nature, CGI type files permit the anonymous web user to interact with data and perhaps store data on the web server. In many cases, CGI scripts exercise system-level control over the... |
V-2272 | Medium | PERL scripts must use the TAINT option. | PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on... |
V-91207 | Medium | Public web server resources must not be shared with private assets. | It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets. When folders, drives, or other resources are directly... |
V-26299 | Medium | The web server must not be configured as a proxy server. | The Apache proxy modules allow the server to act as a proxy (either forward or reverse proxy) of http and other protocols with additional proxy modules loaded. If the Apache installation is not... |
V-6531 | Medium | A web server that utilizes PKI as an authentication mechanism must utilize subscriber certificates issued from a DoD-authorized Certificate Authority. | A DoD private web server, existing within and available across the NIPRNet, must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring... |
V-26043 | Medium | The production web-site must configure the Maximum Query String limit. | By setting limits on web requests, it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The Maximum Query String Request Filter... |
V-2264 | Medium | Wscript.exe and Cscript.exe are accessible by users other than the SA and the web administrator. | Windows Scripting Host (WSH) is installed under either a Typical or Custom installation option of a Microsoft Network Server. This technology permits the execution of powerful script files from... |
V-2263 | Medium | A private web server will have a valid DoD server certificate. | This check verifies that DoD is a hosted web site's CA. The certificate is actually a DoD-issued server certificate used by the organization being reviewed. This is used to verify the authenticity... |
V-2262 | Medium | A private web server will utilize TLS v 1.0 or greater. | Transport Layer Security (TLS) encryption is a required security setting for a private web server. This check precludes the possibility that a valid certificate has been obtained, but TLS has not... |
V-2261 | Medium | A public web server will limit e-mail to outbound only. | Incoming e-mails have been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attack. Additionally, e-mail is a specialized application... |
V-2268 | Medium | The IUSR_machinename account has read access to the .inc files or their equivalent. | Owing to the nature of .inc files, which may contain sensitive logic and potentially reveal sensitive information about the architecture of the web server, it is vital that the end user not be... |
V-26285 | Medium | Active software modules must be minimized. | Modules are the source of the Apache httpd server's core and dynamic capabilities. Thus, not every module available is needed for operation. Most installations only need a small subset of the modules... |
V-26287 | Medium | Web Distributed Authoring and Versioning (WebDAV) must be disabled. | The Apache mod_dav and mod_dav_fs modules support WebDAV ('Web-based Distributed Authoring and Versioning') functionality for Apache. WebDAV is an extension to the HTTP protocol which allows... |
V-26280 | Medium | The site's error logs must log the correct format. | The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or... |
V-26281 | Medium | System logging must be enabled. | The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or... |
V-26282 | Medium | The LogLevel directive must be enabled. | The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or... |
V-26323 | Medium | The web server must be configured to explicitly deny access to the OS root. | The Apache Directory directive allows for directory specific configuration of access controls and many other features and options. One important usage is to create a default deny policy that does... |
V-26322 | Medium | The ScoreBoard file must be properly secured. | The ScoreBoardFile directive sets a file path which the server will use for Inter-Process Communication (IPC) among the Apache processes. If the directive is specified, then Apache will use the... |
V-60709 | Medium | The web server must remove all export ciphers from the cipher suite. | During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply... |
V-26327 | Medium | The URL-path name must be set to the file path name or the directory path name. | The ScriptAlias directive controls which directories the Apache server "sees" as containing scripts. If the directive uses a URL-path name that is different than the actual file system path, the... |
V-26326 | Medium | The web server must be configured to listen on a specific IP address and port. | The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen for requests. Rather than be unrestricted to listen on all IP addresses available to the... |
V-26325 | Medium | The TRACE method must be disabled. | Use the Apache TraceEnable directive to disable the HTTP TRACE request method. Refer to the Apache documentation for more details http://httpd.apache.org/docs/2.2/mod/core.html#traceenable. The... |
V-26324 | Medium | Web server options for the OS root must be disabled. | The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation. The Options... |
V-13620 | Medium | A private web server’s list of CAs in a trust hierarchy will lead to the DoD PKI Root CA, to a DoD-approved external certificate authority (ECA), or to a DoD-approved external partner. | A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of... |
V-13705 | Medium | The maximum number of requests an application pool can process must be set. | A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When... |
V-13704 | Medium | The Recycle Worker processes in minutes monitor must be set properly. | A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When... |
V-13707 | Medium | The maximum used memory monitor must be enabled. | A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When... |
V-13706 | Medium | The maximum virtual memory monitor must be enabled. | A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When... |
V-13700 | Medium | The File System Object component, is not required and is not disabled. | Some COM components are not required for most applications and should be removed if possible. Most notably, consider disabling the File System Object component; however, this will also remove the... |
V-13703 | Medium | The website must have a unique application pool. | Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site... |
V-13709 | Medium | The maximum queue length for HTTP.sys must be managed. | In order to determine the possible causes of client connection errors and to conserve system resources, it is important to both log errors and manage those settings controlling requests to the... |
V-13708 | Medium | The Idle Timeout monitor must be enabled. | The idle time-out attribute controls the amount of time a worker process will remain idle before it shuts down. A worker process is idle if it is not processing requests and no new requests are... |
V-26042 | Medium | The production web-site must limit the MaxURL. | Request filtering replaces URLScan in IIS, enabling administrators to create a more granular rule set with which to allow or reject inbound web content. By setting limits on web requests, it... |
V-26034 | Medium | The production web-site must configure the Global .NET Trust Level. | An application's trust level determines the permissions granted by the ASP.NET Code Access Security (CAS) policy. An application with full trust permissions may access all resource types on a... |
V-3333 | Medium | The web document (home) directory will be in a separate partition from the web server’s system files. | Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. To obtain such access is... |
V-3330 | Medium | URLScan is not being used on the web server. | URL parameter manipulation is an increasingly effective means for malicious users to compromise a web-based service. URLScan is a tool that IIS administrators (Web Managers) may use to help... |
V-26041 | Medium | The web-site must limit the number of bytes accepted in a request. | By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. The maxAllowedContentLength Request Filter limits the number of... |
V-26046 | Medium | The production web-site must filter unlisted file extensions in URL requests. | Request filtering enables administrators to create a more granular rule set to allow or reject inbound web content. By setting limits on web requests it helps to ensure availability of web... |
V-26305 | Medium | The process ID (PID) file must be properly secured. | The PidFile directive sets the path to the process ID file to which the server records the process ID of the server, which is useful for sending a signal to the server process or for checking on... |
V-26044 | Medium | The web-site must not allow non-ASCII characters in URLs. | By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. The allow high-bit characters Request Filter enables rejection... |
V-26302 | Medium | User specific directories must not be globally enabled. | The UserDir directive must be disabled so that user home directories are not accessed via the web site with a tilde (~) preceding the username. The directive also sets the path name of the... |
V-26045 | Medium | The web-site must not allow double encoded URL requests. | Request filtering enables administrators to create a more granular rule set with which to allow or reject inbound web content. By setting limits on web requests, it ensures availability of web... |
V-13712 | Medium | An application pool’s rapid fail protection settings must be managed. | Windows Process Activation Service (WAS) manages application pool configuration and may flag a worker process as unhealthy and shut it down. The rapid fail protection must be set to a suitable... |
V-26026 | Medium | The production website must utilize SHA1 encryption for Machine Key. | The Machine Key element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption... |
V-13711 | Medium | An application pool’s rapid fail protection must be enabled. | Rapid fail protection is a feature that interrogates the health of worker processes associated with web sites and web applications. It can be configured to perform a number of actions such as... |
V-13716 | Medium | The FavorUTF8 registry key must be set properly. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The FavorUTF8 registry key allows URLs to be decoded as UTF-8 before any... |
V-13717 | Medium | The MaxFieldLength registry entry must be set properly. | By default, the MaxFieldLength registry entry is not present. This registry entry specifies the maximum size of any individual HTTP client request. Typically, this registry entry is configured... |
V-13714 | Medium | The AllowRestrictedChars registry key must be disabled. | IIS6 Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. If the AllowRestrictedChars key is set to a nonzero value, Http.sys... |
V-13715 | Medium | The EnableNonUTF8 registry key must be disabled. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The EnableNonUTF8 registry key expands the amount of character types the... |
V-13718 | Medium | The MaxRequestBytes registry entry must be set properly. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The MaxRequestBytes registry key determines the upper limit for the total... |
V-13719 | Medium | The UrlSegmentMaxLength registry entry must be set properly. | Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The UrlSegmentMaxLength key sets the maximum number of characters in a... |
V-13728 | Medium | The httpd.conf MinSpareServers directive is not set properly. | These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to... |
V-26393 | Medium | The ability to override the access configuration for the OS root directory must be disabled. | The Apache OverRide directive allows for .htaccess files to be used to override much of the configuration, including authentication, handling of document types, auto generated indexes, access... |
V-26396 | Medium | HTTP request methods must be limited. | The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For example, methods such as PUT and DELETE are rarely used and should be disabled in... |
V-2234 | Medium | A public web server’s resources (e.g., drives, folders, printers, etc.) will not be shared with private assets. | It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets. When folders, drives or other resources are directly... |
V-2235 | Medium | The service account ID used to run the web site will have its password changed at least annually. | Normally, a service account is established for the web service to run under rather than permitting it to run as system or root. The passwords on such accounts must be changed at least annually. It... |
V-2236 | Medium | Installation of compilers on production web server is prohibited. | The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses. For example, the attacker’s... |
V-2232 | Medium | The web server service password(s) must be entrusted to the SA or Web Manager. | Normally, a service account is established for the web server. This is because a privileged account is not desirable and the server is designed to run for long uninterrupted periods of time. The... |
V-6577 | Medium | A web server will be segregated from other services. | To ensure a secure and functional web server, a detailed installation and configuration plan should be developed and followed. This will eliminate mistakes that arise as a result of ad hoc... |
V-13727 | Medium | The httpd.conf StartServers directive is not set properly. | These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to... |
V-13726 | Medium | The httpd.conf KeepAliveTimeout directive is set to unlimited. | These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to... |
V-2229 | Medium | Interactive scripts used on a web server will have proper access controls. | CGI is a ‘programming standard’ for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with... |
V-2228 | Medium | The CGI script directory has improper access controls. | CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access... |
V-2226 | Medium | Web content directories are anonymously shared via a network share. | Such sharing is a security risk when a web server is involved. Users accessing the share anonymously could experience privileged access to the content of such directories. Network sharable... |
V-13672 | Medium | The private web server will use an approved DoD certificate validation process. | Without the use of a certificate validation process, the site is vulnerable to accepting certificates that have expired or have been revoked. This would allow unauthorized individuals access to... |
V-25999 | Medium | Unspecified file extensions must not be allowed to execute on the production web server. | By allowing unspecified file extensions to execute, the web server’s attack surface is significantly increased. This increased risk can be reduced by only allowing specific ISAPI extensions or CGI... |
V-26368 | Medium | Automatic directory indexing must be disabled. | To identify the type of web server and the version of software installed, it is common for attackers to scan for icons or special content specific to the server type and version. A simple request like... |
V-15334 | Low | Web sites will utilize ports, protocols, and services according to PPSM guidelines. | Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS. The IAM will ensure web... |
V-2257 | Low | Administrative users and groups that have access rights to the web server are documented. | There are typically several individuals and groups that are involved in running a production web site. In most cases, we can identify several types of users on a web server. These are the System... |
V-2251 | Low | All utility programs, not necessary for operations, will be removed or disabled. | Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application... |
V-6724 | Low | Web server and/or operating system information will be protected. | The web server response header of an HTTP response can contain several fields of information including the requested HTML page. The information included in this response can be web server type and... |
V-2245 | Low | Each readable web document directory will contain a default, home, index, or equivalent file. | The goal is to completely control the web user’s experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an... |
V-3963 | Low | Content Index Service indexes directories other than web document directories. | Enabling indexing also facilitates directory traversal exploits. To reveal such information to a malicious user is potentially harmful. Such information and the contents of files listed are... |
V-2265 | Low | Java software installed on the production web server will be limited to class files and the JAVA virtual machine. | From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information... |
V-2260 | Low | A private web server will not respond to requests from public search engines. | Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web site content. In... |
V-13702 | Low | The Content Location header contains proprietary IP addresses. | When using static HTML pages, a Content-Location header is added to the response. By default, Internet Information Server (IIS) 4.0 Content-Location references the IP address of the server rather... |
V-26031 | Low | The production web site must be configured to prevent detailed HTTP error pages from being sent to remote clients. | HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote... |
V-13729 | Low | The httpd.conf MaxSpareServers directive is not set properly. | These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to... |
V-6485 | Low | Web server content and configuration files are not part of a routine backup program in order to recover from file damage and system failure. | Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the current version. It also provides a means to... |
V-2230 | Low | Backup interactive scripts on the production web server are prohibited. | Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as... |
V-26011 | Low | Debug must be turned off on a production website. | Setting compilation debug to false ensures detailed error information does not inadvertently display during live application usage, mitigating the risk of application information being displayed to users. |
V-6373 | Low | The required DoD banner page will be displayed to authenticated users accessing a DoD private web site. | A consent banner will be in place to make prospective entrants aware that the web site they are about to enter is a DoD web site and their activity is subject to monitoring. |
V-26006 | Low | A global authorization rule to restrict access must exist on the web server. | Authorization rules can be configured at the server, web site, folder (including Virtual Directories), or file level. It is recommended that URL Authorization be configured to only grant access... |
V-25994 | Low | Directory Browsing must be disabled on the production web server. | Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in IIS, users could receive a web page... |