| V-2267 | High | Unapproved script mappings in IIS 7 must be removed. | IIS 7 will either allow or deny script execution based on file extension. The ability to control script execution is controlled through two features with IIS 7, Request Filtering and Handler... |
| V-13686 | High | Remote authors or content providers will only use secure encrypted logons and connections to upload files to the Document Root directory. | Logging in to a web server via a telnet session or using HTTP or FTP in order to upload documents to the web site is a risk if proper encryption is not utilized to protect the data being... |
| V-2258 | High | Access to the web content and script directories must be restricted. | Excessive permission for the anonymous web user account is a common fault contributing to the compromise of a web server. If this account is able to upload and execute files on the web server, the... |
| V-13713 | High | The application pool identity must be defined for each web-site. | The Worker Process Identity is the user defined to run an application pool. The IIS 7 worker processes, by default runs under the NetworkService account. Creating a custom identity for each... |
| V-2249 | High | Web server/site administration must be performed over a secure path. | Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and... |
| V-13694 | Medium | Public web servers must use TLS if authentication is required. | Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required.
Without the use of TLS, the... |
| V-6755 | Medium | Directory Browsing must be disabled. | The Directory Browsing feature can be used to facilitate a directory traversal exploit. Directory browsing must be disabled. |
| V-13620 | Medium | A private web-site must utilize certificates from a trusted DoD CA. | The use of a DoD PKI certificate ensures clients the private web site they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy. |
| V-13710 | Medium | An application pool’s pinging monitor must be enabled. | Windows Process Activation Service (WAS) manages application pool configurations and may flag a worker process as unhealthy and shut it down. An application pool’s pinging monitor must be enabled... |
| V-13705 | Medium | The maximum number of requests an application pool can process must be set. | IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped,... |
| V-13704 | Medium | The application pool must have a recycle time set. | Application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. |
| V-13707 | Medium | The amount of private memory an application pool uses must be set. | IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped,... |
| V-13706 | Medium | The amount of virtual memory an application pool uses must be set. | IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped,... |
| V-13703 | Medium | The website must have a unique application pool. | Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site... |
| V-2254 | Medium | Only web sites that have been fully reviewed and tested will exist on a production web server. | In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing... |
| V-2252 | Medium | Only auditors, SAs or web administrators may access web server log files. | A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and... |
| V-13708 | Medium | The Idle Timeout monitor must be enabled. | The idle time-out attribute controls the amount of time a worker process will remain idle before it shuts down. A worker process is idle if it is not processing requests and no new requests are... |
| V-2250 | Medium | Web-site logging must be enabled. | A major tool in exploring the web site use, attempted use, unusual conditions, and problems are reported in the access and error logs. In the event of a security incident, these logs can provide... |
| V-13709 | Medium | The maximum queue length for HTTP.sys must be managed. | In order to determine the possible causes of client connection errors and to conserve system resources, it is important to both log errors and manage those settings controlling requests to the... |
| V-26034 | Medium | The production web-site must configure the Global .NET Trust Level. | An application's trust level determines the permissions granted by the ASP.NET Code Access Security (CAS) policy. An application with full trust permissions may access all resource types on a... |
| V-6531 | Medium | A private web-sites authentication mechanism must use client certificates.
| A DoD private web-site must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use... |
| V-13688 | Medium | Log files must consist of the required data fields. | Log files are a critical component to the successful management of an IS used within the DoD. By generating log files with useful information web administrators can leverage them in the event of... |
| V-3333 | Medium | The web document (home) directory must be in a separate partition from the web server’s system files. | The web document (home) directory is accessed by multiple anonymous users when the web server is in production. By locating the web document (home) directory on the same partition as the web... |
| V-13689 | Medium | Access to the web-site log files must be restricted. | A major tool in exploring the web-site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and... |
| V-2228 | Medium | All interactive programs must be placed in unique designated folders. | CGI & ASP scripts represent one of the most common and exploitable means of compromising a web server. All CGI & ASP program files must be segregated into their own unique folder to simplify the... |
| V-2263 | Medium | A private web server must have a valid server certificate. | This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the... |
| V-26042 | Medium | The production web-site must limit the MaxURL. | Request filtering replaces URLScan in IIS, enabling administrators to create a more granular rule set with which to allow or reject inbound web content. By setting limits on web requests, it... |
| V-26043 | Medium | The production web-site must configure the Maximum Query String limit. | By setting limits on web requests, it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The Maximum Query String Request Filter... |
| V-2229 | Medium | All interactive programs must have restrictive access controls. | CGI is a programming standard for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with... |
| V-26041 | Medium | The web-site must limit the number of bytes accepted in a request. | By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. The maxAllowedContentLength Request Filter limits the number of... |
| V-26046 | Medium | The production web-site must filter unlisted file extensions in URL requests. | Request filtering enables administrators to create a more granular rule set to allow or reject inbound web content. By setting limits on web requests it helps to ensure availability of web... |
| V-2262 | Medium | A private web server must utilize an approved TLS version. | Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private... |
| V-26044 | Medium | The web-site must not allow non-ASCII characters in URLs. | By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. The allow high-bit characters Request Filter enables rejection... |
| V-2260 | Medium | A web site must not contain a robots.txt file. | Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In... |
| V-26045 | Medium | The web-site must not allow double encoded URL requests. | Request filtering enables administrators to create a more granular rule set with which to allow or reject inbound web content. By setting limits on web requests, it ensures availability of web... |
| V-2226 | Medium | Web content directories must not be anonymously shared. | Anonymously shared directories are exposed to unnecessary risk. Any unnecessary exposure increases the risk that an intruder could exploit this access and compromise the web content or cause web... |
| V-13712 | Medium | An application pool’s rapid fail protection settings must be managed. | Windows Process Activation Service (WAS) manages application pool configuration and may flag a worker process as unhealthy and shut it down. The rapid fail protection must be set to a suitable... |
| V-26026 | Medium | The production web-site must utilize SHA2 encryption for Machine Key. | The Machine Key element of the ASP.NET web.config specifies the algorithm and keys that
ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption... |
| V-13711 | Medium | An application pool’s rapid fail protection must be enabled. | Rapid fail protection is a feature that interrogates the health of worker processes associated with web sites and web applications. It can be configured to perform a number of actions such as... |
| V-2240 | Medium | Web sites must limit the number of simultaneous requests. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web-site, facilitating a Denial of Service attack. Mitigating this kind of attack will include... |
| V-15334 | Low | Web sites must utilize ports, protocols, and services according to PPSM guidelines. | Failure to comply with DoD ports, protocols, and services (PPS) requirements can result
in compromise of enclave boundary protections and/or functionality of the AIS.
The IAM will ensure web... |
| V-26011 | Low | Debug must be turned off on a production website. | Setting compilation debug to false ensures detailed error information does not inadvertently display during live application usage, mitigating the risk of application information being display to users. |
| V-26031 | Low | The production web-site must be configured to prevent detailed HTTP error pages from being sent to remote clients. | HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote... |
| V-2230 | Low | Backup interactive scripts must be removed from the web site. | Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as... |
| V-13702 | Low | The Content Location header must not contain proprietary IP addresses. | When using static HTML pages, a Content-Location header is added to the response. The Internet Information Server (IIS) Content-Location may reference the IP address of the server, rather than... |
| V-3963 | Low | Indexing Services must only index web content. | The indexing service can be used to facilitate a search function for web-sites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user.... |
| V-6724 | Low | All web-sites must be assigned a default Host header. | In order to reduce the possibility of DNS rebinding attacks and IP-based scans, all web-sites allowing HTTP/HTTPS over ports 80/443 will be assigned default Host headers. |
| V-6373 | Low | The required DoD banner page must be displayed to authenticated users accessing a DoD private website. | A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document, DoDI... |
| V-2245 | Low | Each readable web document directory must contain a default, home, index, or equivalent document. | The goal is to control the web users experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html... |
