
The network element must have HTTP service for administrative access disabled.


Overview

Finding ID: V-3085
Version: NET0740
Rule ID: SV-41468r2_rule
IA Controls: (none listed)
Severity: Medium
Description
Each additional service enabled on the router increases the risk of attack, because the router will listen for that service. In addition, these services provide an unsecured method for an attacker to gain access to the router. Most recent software versions support remote configuration and monitoring using the World Wide Web's HTTP protocol. In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a clear-text password across the network, and, unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet. The HTTPS server may be enabled for administrative access.
STIG: Perimeter Router Security Technical Implementation Guide Juniper
Date: 2018-11-28

Details

Check Text ( C-39968r2_chk )
At the [edit system services] hierarchy level, enter a show command and verify that the web-management http statement is not present (the web-management https statement may be enabled for administrative access). If you are reviewing an entire configuration, verify that the web-management http statement shown in the example below is not present:

    system {
        services {
            web-management {
                http {
                    interface ge-0/0/0.0;
                }
            }
        }
    }

If the HTTP server is enabled, this is a finding.
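An added example, not part of the STIG: a Python check that applies the check text above to a saved configuration in either curly-brace or "display set" form. The function names and the sample are constructed here, and treating inactive:/deactivate statements as not enabled is an assumption of this example; statements inherited through configuration groups are not expanded.

```python
import re

TARGET = ("system", "services", "web-management", "http")

def _active_paths_braces(lines):
    """Yield the path of each active statement in a curly-brace config."""
    stack = []  # (statement name, is_active) for every enclosing block
    for line in lines:
        line = re.sub(r"/\*.*?\*/", "", line).strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("}"):
            stack = stack[:-1]
            continue
        # Assumption: a statement marked "inactive:" does not count as enabled.
        active = not line.startswith("inactive:")
        name = (line.replace("inactive:", "", 1).rstrip("{; ").split() or [""])[0]
        if active and all(a for _, a in stack):
            yield tuple(n for n, _ in stack) + (name,)
        if line.endswith("{"):
            stack.append((name, active))

def _active_paths_set(lines):
    """Yield the path of each active statement in 'display set' output."""
    off = [tuple(l.split()[1:]) for l in lines if l.startswith("deactivate ")]
    for l in lines:
        path = tuple(l.split()[1:])
        if l.startswith("set ") and not any(path[:len(d)] == d for d in off):
            yield path

def http_mgmt_enabled(config_text):
    """Return True when web-management http is configured and active."""
    lines = [l.strip() for l in config_text.splitlines()]
    braces = any(l.endswith("{") for l in lines)
    paths = _active_paths_braces(lines) if braces else _active_paths_set(lines)
    return any(p[:len(TARGET)] == TARGET for p in paths)

# Constructed sample: HTTP configured but deactivated, HTTPS enabled.
SAMPLE_SET = """\
set system services web-management http interface ge-0/0/0.0
deactivate system services web-management http
set system services web-management https system-generated-certificate
"""

if __name__ == "__main__":
    print("finding" if http_mgmt_enabled(SAMPLE_SET) else "not a finding")
```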
Fix Text (F-3110r4_fix)
Configure the device to disable using HTTP (port 80) for administrative access.