| V-13621 | High | All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. | Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally... |
| V-13591 | High | Classified web servers will be afforded physical security commensurate with the classification of its content. | When data of a classified nature is migrated to a web server, fundamental principles applicable to the safeguarding of classified material must be followed. A classified web server needs to be... |
| V-6537 | High | Anonymous access accounts must be restricted. | Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather users are assigned incorrect... |
| V-2247 | High | Only administrators are allowed access to the directory tree, the shell, or other operating system functions and utilities. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server.... |
| V-2246 | High | The web server must use a vendor-supported version of the web server software. | Several vulnerabilities are associated with older versions of web server software. As hot fixes and patches are issued, these solutions are included in the next version of the server software. ... |
| V-6754 | Medium | The use of Internet Printing Protocol (IPP) must be disabled on the IIS web server. | The use of Internet Printing Protocol (IPP) on an IIS web server allows client’s access to shared printers. This privileged access could allow remote code execution by increasing the web servers... |
| V-2234 | Medium | Public web server resources must not be shared with private assets. | It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets. When folders, drives or other resources are directly... |
| V-2235 | Medium | The service account ID used to run the website must have its password changed at least annually. | Normally, a service account is established for the web service to run under rather than permitting it to run as system or root. If the web service account requires a password, the password must... |
| V-2236 | Medium | Installation of compilers on production web servers is prohibited. | The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses. |
| V-13700 | Medium | The File System Object component must be disabled. | Some Component Object Model (COM) components are not required for most applications and should be removed if possible. Most notably, consider disabling the File System Object component; however,... |
| V-2259 | Medium | Web server system files must conform to minimum file permission requirements. | This check verifies the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web... |
| V-6577 | Medium | A web server must not be co-hosted with other services. | A detailed web server installation and configuration plan should be followed to provide standardization during the installation process. The installation and configuration plan should not support... |
| V-2271 | Medium | Monitoring software must include CGI type files or equivalent programs. | By their very nature, CGI type files permit the anonymous web user to interact with data and perhaps store data on the web server. In many cases, CGI scripts exercise system-level control over the... |
| V-2261 | Medium | A web server must limit e-mail to outbound only. | Incoming e-mails have been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attacks. Additionally, e-mail is a specialized application... |
| V-13672 | Medium | The private web server must use an approved DoD certificate validation process. | The Certificate Revocation List (CRL) is used for a number of reasons, for example, when an employee leaves, certificates expire, or if certificate keys become compromised and are reissued.... |
| V-25999 | Medium | Unspecified file extensions must not be allowed to execute on the production web server. | By allowing unspecified file extensions to execute, the web servers attack surface is significantly increased. This increased risk can be reduced by only allowing specific ISAPI extensions or CGI... |
| V-2248 | Medium | Access to web administration tools must be restricted to the web manager and the web managers designees. | The key web service administrative and configuration tools must only be accessible by the web server staff. All users granted this authority will be documented and approved by the ISSO. Access to... |
| V-2243 | Medium | A private web server must be located on a separate controlled access subnet. | Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats, which can cause a disruption in service of the web... |
| V-2242 | Medium | A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension. | To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from... |
| V-2257 | Low | Administrative users and groups with access privilege to the web server must be documented. | There are typically several individuals and groups involved in running a production web-site. In most cases, several types of users on a web server can be identified, such as, SA's, Web Managers,... |
| V-2251 | Low | Programs and features not necessary for operations must be removed. | Just as running unneeded services and protocols increase the attack surface of the web server, running unneeded utilities and programs is also an added risk to the web server. |
| V-2265 | Low | Java software installed on the production web server must be limited to .class files and the Java Virtual Machine. | Source code for a Java program is, many times, stored in files with either .java or .jpp file extensions. From the .java and .jpp files the Java compiler produces a binary file with an extension... |
| V-26006 | Low | A global authorization rule to restrict access must exist on the web server. | Authorization rules can be configured at the server, web site, folder (including Virtual Directories), or file level. It is recommended that URL Authorization be configured to only grant access... |
| V-25994 | Low | Directory Browsing must be disabled on the production web server. | Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in IIS, users could receive a web page... |
