A web server will be segregated from other services.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6577	WG204	SV-6683r1_rule		Medium

Description
To ensure a secure and functional web server, a detailed installation and configuration plan should be developed and followed. This will eliminate mistakes that arise as a result of ad hoc decisions made during the default installation of a server. Planners should not attempt to support multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, and indexing or streaming media on the same server that is providing the web publishing service. In the case of File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Network News Transport Protocol (NNTP), a well-defined need for these services should be documented by the IAO prior to their installation on the same platform as a web server. Primary and secondary Domain Controllers, in the Windows environment, will not share a common platform with a web server World Wide Web (WWW) service. Disallowed or restricted services in the context of this vulnerability applies to services that are not directly associated with the delivery of web content. An operating system that supports a web server will not provide other services (e.g., domain controller, email server, database server, etc.). Only those services necessary to support the web server and its hosted sites are specifically allowed and may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements. Any services or protocols that are not necessary should be removed. A web server may incorporate any number of allowed web services that may be necessary to successfully deliver its mission objectives and as long as those web services are properly configured, secured, and they are not specifically prohibited, then their usage is not prohibited but will be governed by the Enclave, the Application Security and Development, or the Web Services STIG (when developed). These services should be delivered from the application server. A separate platform in the context of this vulnerability refers to physical, logical, or virtual separation of web server and operating system services; however, the separation associated with application, database, or other servers is governed by the DoD Internet-NIPRNet DMZ STIG.

Description

To ensure a secure and functional web server, a detailed installation and configuration plan should be developed and followed. This will eliminate mistakes that arise as a result of ad hoc decisions made during the default installation of a server. Planners should not attempt to support multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, and indexing or streaming media on the same server that is providing the web publishing service. In the case of File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Network News Transport Protocol (NNTP), a well-defined need for these services should be documented by the IAO prior to their installation on the same platform as a web server. Primary and secondary Domain Controllers, in the Windows environment, will not share a common platform with a web server World Wide Web (WWW) service. Disallowed or restricted services in the context of this vulnerability applies to services that are not directly associated with the delivery of web content. An operating system that supports a web server will not provide other services (e.g., domain controller, email server, database server, etc.). Only those services necessary to support the web server and its hosted sites are specifically allowed and may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements. Any services or protocols that are not necessary should be removed. A web server may incorporate any number of allowed web services that may be necessary to successfully deliver its mission objectives and as long as those web services are properly configured, secured, and they are not specifically prohibited, then their usage is not prohibited but will be governed by the Enclave, the Application Security and Development, or the Web Services STIG (when developed). These services should be delivered from the application server. A separate platform in the context of this vulnerability refers to physical, logical, or virtual separation of web server and operating system services; however, the separation associated with application, database, or other servers is governed by the DoD Internet-NIPRNet DMZ STIG.

STIG	Date
IIS 7.0 Server STIG	2019-03-22

Details

Check Text ( C-29993r2_chk )
Request a copy of and review the web server's installation and configuration plan for required services. Ensure the server only has the required services installed as documented in the installation and configuration plan. If the server has any additional services, this is a finding.

Fix Text (F-26852r1_fix)
Remove any services or applications that are not required.