Vuln ID | Severity | Rule Title | Discussion |
V-90181 | High | tc Server VCAC must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version. | Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web... |
V-90115 | High | tc Server ALL must be configured to the correct user authentication source. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
V-90179 | High | tc Server HORIZON must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version. | Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web... |
V-90009 | High | tc Server ALL must exclude documentation, sample code, example applications, and tutorials. | Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production... |
V-90049 | High | tc Server VCO accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server.... |
V-90047 | High | tc Server HORIZON accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server.... |
V-90051 | High | tc Server VCAC accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server.... |
V-90055 | High | tc Server VCO web server application directories must not be accessible to anonymous users. | In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes... |
V-90057 | High | tc Server VCAC web server application directories must not be accessible to anonymous users. | In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes... |
V-90053 | High | tc Server HORIZON web server application directories must not be accessible to anonymous users. | In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes... |
V-89917 | Medium | tc Server ALL must generate log records for system startup and shutdown. | Logging must be started as soon as possible when a service starts and when a service is stopped. Many forms of suspicious actions can be detected by analyzing logs for unexpected service starts... |
V-90069 | Medium | tc Server VCO document directory must be in a separate partition from the web server's system files. | A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To... |
V-89915 | Medium | tc Server VCAC must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of... |
V-89913 | Medium | tc Server VCO must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of... |
V-90187 | Medium | tc Server HORIZON must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
V-89911 | Medium | tc Server HORIZON must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of... |
V-90183 | Medium | tc Server HORIZON must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with... |
V-90061 | Medium | tc Server HORIZON must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. | Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly... |
V-90063 | Medium | tc Server VCO must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. | Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly... |
V-90189 | Medium | tc Server VCAC must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
V-90065 | Medium | tc Server VCAC must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. | Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly... |
V-89887 | Medium | tc Server HORIZON must limit the amount of time that each TCP connection is kept alive. | Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests.... |
V-89919 | Medium | tc Server HORIZON must generate log records for user access and authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
V-90185 | Medium | tc Server VCAC must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with... |
V-89963 | Medium | tc Server HORIZON must produce log records that contain sufficient information to establish the outcome (success or failure) of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system... |
V-89961 | Medium | tc Server VCAC must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | tc Server VCAC logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the... |
V-90119 | Medium | tc Server VCAC must be configured to use the https scheme. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
V-89967 | Medium | tc Server VCAC must produce log records that contain sufficient information to establish the outcome (success or failure) of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server VCAC must create a log entry when users access the system, and the system... |
V-89965 | Medium | tc Server VCO must produce log records that contain sufficient information to establish the outcome (success or failure) of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server VCO must create a log entry when users access the system, and the system... |
V-90117 | Medium | tc Server HORIZON must be configured to use the https scheme. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
V-89969 | Medium | tc Server HORIZON must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system... |
V-90111 | Medium | tc Server VCO must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By... |
V-90113 | Medium | tc Server VCAC must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By... |
V-89989 | Medium | tc Server HORIZON log files must be protected from unauthorized deletion. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
V-89905 | Medium | tc Server HORIZON must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. | Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can... |
V-89907 | Medium | tc Server VCAC must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. | Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can... |
V-89901 | Medium | tc Server VCO must perform server-side session management. | Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server... |
V-89903 | Medium | tc Server VCAC must perform server-side session management. | Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server... |
V-90177 | Medium | tc Server VCAC must set the secure flag for cookies. | Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the... |
V-89957 | Medium | tc Server HORIZON must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining... |
V-90175 | Medium | tc Server VCO must set the secure flag for cookies. | Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the... |
V-90173 | Medium | tc Server HORIZON must set the secure flag for cookies. | Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the... |
V-89909 | Medium | tc Server HORIZON must use cryptography to protect the integrity of remote sessions. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
V-90171 | Medium | tc Server VCAC must set the useHttpOnly parameter. | A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers... |
V-90067 | Medium | tc Server HORIZON document directory must be in a separate partition from the web server's system files. | A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To... |
V-90109 | Medium | tc Server HORIZON must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By... |
V-89999 | Medium | tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server. | In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development website. The process of developing on... |
V-89997 | Medium | tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server. | Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the... |
V-90103 | Medium | tc Server HORIZON must have the debug option turned off. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or... |
V-89995 | Medium | tc Server ALL log data and records must be backed up onto a different system or media. | Protection of tc Server ALL log data includes assuring log data is not accidentally lost or deleted. Backing up tc Server ALL log records to an unrelated system or onto separate media than the... |
V-90079 | Medium | tc Server HORIZON must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in... |
V-89993 | Medium | tc Server VCAC log files must be protected from unauthorized deletion. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
V-90107 | Medium | tc Server VCAC must have the debug option turned off. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or... |
V-89991 | Medium | tc Server VCO log files must be protected from unauthorized deletion. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
V-90105 | Medium | tc Server VCO must have the debug option turned off. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or... |
V-89931 | Medium | tc Server VCAC must capture, record, and log all content related to a user session. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server VCAC must create a log entry when users access the system, and the system... |
V-89933 | Medium | tc Server HORIZON must produce log records containing sufficient information to establish what type of events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a... |
V-89935 | Medium | tc Server VCO must produce log records containing sufficient information to establish what type of events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a... |
V-90169 | Medium | tc Server VCO must set the useHttpOnly parameter. | A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers... |
V-89937 | Medium | tc Server VCAC must produce log records containing sufficient information to establish what type of events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a... |
V-89939 | Medium | tc Server HORIZON must produce log records containing sufficient information to establish when (date and time) events occurred. | After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a... |
V-90165 | Medium | tc Server VCAC session IDs must be sent to the client using SSL/TLS. | The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the... |
V-90167 | Medium | tc Server HORIZON must set the useHttpOnly parameter. | A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers... |
V-90161 | Medium | tc Server VCAC must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
V-90163 | Medium | tc Server HORIZON session IDs must be sent to the client using SSL/TLS. | The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the... |
V-90089 | Medium | tc Server VCAC must use the setCharacterEncodingFilter filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in... |
V-90083 | Medium | tc Server HORIZON must use the setCharacterEncodingFilter filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in... |
V-90081 | Medium | tc Server VCO must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in... |
V-90087 | Medium | tc Server VCAC must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in... |
V-90085 | Medium | tc Server VCO must use the setCharacterEncodingFilter filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in... |
V-90059 | Medium | tc Server ALL baseline must be documented and maintained. | Making certain that the web server has not been updated by an unauthorized user is always a concern. Adding patches, functions, and modules that are untested and not part of the baseline opens the... |
V-90077 | Medium | tc Server VCAC must be configured with a cross-site scripting (XSS) filter. | Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other... |
V-90075 | Medium | tc Server VCO must be configured with a cross-site scripting (XSS) filter. | Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other... |
V-90073 | Medium | tc Server HORIZON must be configured with a cross-site scripting (XSS) filter. | Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other... |
V-90071 | Medium | tc Server VCAC document directory must be in a separate partition from the web server's system files. | A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To... |
V-89985 | Medium | tc Server VCO log files must be protected from unauthorized modification. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
V-89987 | Medium | tc Server VCAC log files must be protected from unauthorized modification. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
V-89981 | Medium | tc Server VCAC log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
V-89983 | Medium | tc Server HORIZON log files must be protected from unauthorized modification. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
V-90159 | Medium | tc Server HORIZON must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
V-89929 | Medium | tc Server VCO must capture, record, and log all content related to a user session. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server VCO must create a log entry when users access the system, and the system... |
V-90151 | Medium | tc Server VCAC must use NSA Suite A cryptography when encrypting data that must be compartmentalized. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
V-89927 | Medium | tc Server HORIZON must capture, record, and log all content related to a user session. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system... |
V-90153 | Medium | tc Server HORIZON must disable the shutdown port. | An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat... |
V-89925 | Medium | tc Server ALL must initiate logging during service start-up. | An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missed and not available... |
V-90155 | Medium | tc Server VCO must disable the shutdown port. | An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat... |
V-89923 | Medium | tc Server VCAC must generate log records for user access and authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
V-90157 | Medium | tc Server VCAC must disable the shutdown port. | An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat... |
V-89921 | Medium | tc Server VCO must generate log records for user access and authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
V-90099 | Medium | tc Server VCO must have the allowTrace parameter set to false. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or... |
V-90091 | Medium | tc Server HORIZON must set the welcome-file node to a default web page. | The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an... |
V-90093 | Medium | tc Server VCO must set the welcome-file node to a default web page. | The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an... |
V-90095 | Medium | tc Server VCAC must set the welcome-file node to a default web page. | The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an... |
V-90097 | Medium | tc Server HORIZON must have the allowTrace parameter set to false. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or... |
V-90101 | Medium | tc Server VCAC must have the allowTrace parameter set to false. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or... |
V-90003 | Medium | tc Server VCO must not use the tomcat-users XML database for user management. | User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other... |
V-90001 | Medium | tc Server HORIZON must not use the tomcat-users XML database for user management. | User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other... |
V-90007 | Medium | tc Server ALL must only contain services and functions necessary for operation. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the... |
V-90005 | Medium | tc Server VCAC must not use the tomcat-users XML database for user management. | User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other... |
V-89885 | Medium | tc Server VCAC must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial-of-service attack. Unless the number of requests is controlled, the... |
V-89959 | Medium | tc Server VCO must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | tc Server VCO logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining... |
V-89883 | Medium | tc Server VCO must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial-of-service attack. Unless the number of requests is controlled, the... |
V-89953 | Medium | tc Server VCO must produce log records containing sufficient information to establish the source of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server VCO must create a log entry when users access the system, and the system... |
V-89951 | Medium | tc Server HORIZON must produce log records containing sufficient information to establish the source of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system... |
V-89889 | Medium | tc Server VCO must limit the amount of time that each TCP connection is kept alive. | Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests.... |
V-89955 | Medium | tc Server VCAC must produce log records containing sufficient information to establish the source of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system... |
V-90011 | Medium | tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled. | Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the... |
V-90013 | Medium | tc Server ALL must have all mappings to unused and vulnerable scripts to be removed. | Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application... |
V-90015 | Medium | tc Server HORIZON must have mappings set for Java Servlet Pages. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to... |
V-90017 | Medium | tc Server VCO must have mappings set for Java Servlet Pages. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to... |
V-90019 | Medium | tc Server VCAC must have mappings set for Java Servlet Pages. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to... |
V-89893 | Medium | tc Server HORIZON must limit the number of times that each TCP connection is kept alive. | KeepAlive provides long lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service... |
V-89891 | Medium | tc Server VCAC must limit the amount of time that each TCP connection is kept alive. | Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests.... |
V-89897 | Medium | tc Server VCAC must limit the number of times that each TCP connection is kept alive. | KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service... |
V-89895 | Medium | tc Server VCO must limit the number of times that each TCP connection is kept alive. | KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service... |
V-89941 | Medium | tc Server VCO must produce log records containing sufficient information to establish when (date and time) events occurred. | After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a... |
V-89943 | Medium | tc Server VCAC must produce log records containing sufficient information to establish when (date and time) events occurred. | After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a... |
V-89945 | Medium | tc Server HORIZON must produce log records containing sufficient information to establish where within the web server the events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system... |
V-89947 | Medium | tc Server VCO must produce log records containing sufficient information to establish where within the web server the events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system... |
V-90147 | Medium | tc Server VCAC must be configured with the appropriate ports. | Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system.... |
V-90145 | Medium | tc Server VCO must be configured with the appropriate ports. | Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system.... |
V-90029 | Medium | tc Server VCO must not have any symbolic links in the web content directory tree. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web... |
V-90143 | Medium | tc Server HORIZON must be configured with the appropriate ports. | Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system.... |
V-90141 | Medium | tc Server VCAC application, libraries, and configuration files must only be accessible to privileged users. | A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the... |
V-90025 | Medium | tc Server VCO must be configured with memory leak protection. | The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources that will... |
V-90027 | Medium | tc Server VCAC must be configured with memory leak protection. | The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server VCAC can continue to consume system resources that will lead... |
V-90021 | Medium | tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed. | A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to... |
V-90023 | Medium | tc Server HORIZON must be configured with memory leak protection. | The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources that will... |
V-90149 | Medium | tc Server HORIZON must use NSA Suite A cryptography when encrypting data that must be compartmentalized. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
V-89949 | Medium | tc Server VCAC must produce log records containing sufficient information to establish where within the web server the events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system... |
V-90045 | Medium | tc Server VCAC must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and... |
V-90043 | Medium | tc Server HORIZON must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and... |
V-90041 | Medium | tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid. | The DoD standard for authentication is DoD-approved PKI certificates. A certificate’s certification path is the path from the end entity certificate to a trusted root certification authority (CA).... |
V-90133 | Medium | tc Server VCO must record time stamps for log records to a minimum granularity of one second. | Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and... |
V-90131 | Medium | tc Server HORIZON must record time stamps for log records to a minimum granularity of one second. | Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and... |
V-90039 | Medium | tc Server VCAC must encrypt passwords during transmission. | Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to... |
V-90137 | Medium | tc Server HORIZON application, libraries, and configuration files must only be accessible to privileged users. | A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the... |
V-90135 | Medium | tc Server VCAC must record time stamps for log records to a minimum granularity of one second. | Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and... |
V-90033 | Medium | tc Server VCO must be configured to use a specified IP address and port. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP... |
V-90139 | Medium | tc Server VCO application, libraries, and configuration files must only be accessible to privileged users. | A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the... |
V-90031 | Medium | tc Server HORIZON must be configured to use a specified IP address and port. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP... |
V-90037 | Medium | tc Server HORIZON must encrypt passwords during transmission. | Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to... |
V-90035 | Medium | tc Server VCAC must be configured to use a specified IP address and port. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP... |
V-90345 | Medium | tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation. | Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application... |
V-90347 | Medium | tc Server ALL must only allow authenticated system administrators to have access to the keystore. | The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and... |
V-90191 | Medium | tc Server ALL must have all security-relevant software updates installed within the configured time period directed by an authoritative source. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations... |
V-90341 | Medium | tc Server HORIZON must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial-of-service attack. Unless the number of requests is controlled, the... |
V-90193 | Medium | tc Server ALL must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | Configuring the web server to implement organization-wide security implementation guides and security checklists guarantees compliance with federal standards and establishes a common security... |
V-90343 | Medium | tc Server VCAC must use cryptography to protect the integrity of remote sessions. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
V-90349 | Medium | tc Server ALL log files must be moved to a permanent repository in accordance with site policy. | A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic... |
V-89899 | Medium | tc Server HORIZON must perform server-side session management. | Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server... |
V-89975 | Medium | tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure. | Reviewing log data allows an investigator to recreate the path of an attacker and to capture forensic data for later use. Log data is also essential to system administrators in their daily... |
V-90121 | Medium | tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server. | In order to make certain that the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism needs to be able to allocate log record... |
V-89977 | Medium | tc Server HORIZON log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
V-90123 | Medium | tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the... |
V-89971 | Medium | tc Server VCO must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system... |
V-90125 | Medium | tc Server HORIZON must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by... |
V-89973 | Medium | tc Server VCAC must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system... |
V-90127 | Medium | tc Server VCO must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by... |
V-90129 | Medium | tc Server VCAC must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by... |
V-89979 | Medium | tc Server VCO log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |