Installation of compilers on production web server is prohibited.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-2236 | WG080 | SV-2236r1_rule | Medium |
| Description |
|---|
| The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses. For example, the attacker’s code can be uploaded and compiled on the server under attack. Of particular concern is C compilers. |
| STIG | Date |
|---|---|
| IIS 7.0 Server STIG | 2019-03-22 |
Details
| Check Text ( C-29906r1_chk ) |
|---|
| Using Windows Explorer, search the system for the existence of known compilers such as msc.exe, msvc.exe, Python.exe, javac.exe, Lcc-win32.exe, or equivalent. Look in all hard drives. Also, query the SA and the Web Manager to determine if a compiler is present on the server. NOTE: This check does not prohibit the use of the .Net Framework or the Java compiler for Oracle. NOTE: ColdFusion would not be considered a compiler as long as the site is not using the tool for development work. Any compilers required to be present on the systems need to be restricted to administrative users only. |
| Fix Text (F-26803r4_fix) |
|---|
| Remove any compiler found on the production web server, but if the compiler program is needed to patch or upgrade an application suite in a production environment or the compiler is embedded and will break the suite if removed, document the compiler installation with the ISSO/ISSM and ensure that the compiler is restricted to only administrative users. |