V-13621 | High | All web server documentation, sample code, example applications, and tutorials will be removed from a production web server. | Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally... |
V-2258 | High | The web client account access to the content and scripts directories will be limited to read and execute. | Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the... |
V-13686 | High | Remote authors or content providers will only use secure encrypted logons and connections to upload files to the Document Root directory. | Logging in to a web server via a telnet session or using HTTP or FTP in order to upload documents to the web site is a risk if proper encryption is not utilized to protect the data being... |
V-6537 | High | Anonymous access accounts are restricted. | Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather users are assigned incorrect... |
V-2227 | High | Symbolic links will not be used in the web content directory tree. | A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area.
When web scripts are executed and... |
V-2249 | High | Web server administration will be performed over a secure path or at the console. | Logging in to a web server via a telnet session or using HTTP or FTP to perform updates and maintenance is a major risk. In all such cases, userids and passwords are passed in the plain text. A... |
V-2247 | High | Only administrators are allowed access to the directory tree, the shell, or other operating system functions and utilities. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server.... |
V-2246 | High | Web server software will always be vendor-supported versions. | Many vulnerabilities are associated with older versions of web server software. As hot fixes and patches are issued, these solutions are included in the next version of the server software.... |
V-13620 | Medium | A private web server’s list of CAs in a trust hierarchy will lead to the DoD PKI Root CA, to a DoD-approved external certificate authority (ECA), or to a DoD-approved external partner. | A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of... |
V-2235 | Medium | The service account ID used to run the web site will have its password changed at least annually.
| Normally, a service account is established for the web service to run under rather than permitting it to run as system or root. The passwords on such accounts must be changed at least annually. It... |
V-2236 | Medium | Installation of compilers on production web server is prohibited. | The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses. For example, the attacker’s... |
V-2259 | Medium | Web server system files will conform to minimum file permission requirements. | This check verifies that the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web... |
V-2256 | Medium | The access control files are owned by a privileged web server account. | This check verifies that the key web server system configuration files are owned by the SA or by the web administrator controlled account. These same files which control the configuration of the... |
V-2254 | Medium | Only web sites that have been fully reviewed and tested will exist on a production web server. | In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing... |
V-2252 | Medium | Only auditors, SAs or web administrators may access web server log files. | A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and... |
V-2250 | Medium | Logs of web server access and errors will be established and maintained | A major tool in exploring the web site use, attempted use, unusual conditions, and problems are reported in the access and error logs. In the event of a security incident, these logs can provide... |
V-6577 | Medium | A web server will be segregated from other services. | To ensure a secure and functional web server, a detailed installation and configuration plan should be developed and followed. This will eliminate mistakes that arise as a result of ad hoc... |
V-13687 | Medium | Remote authors or content providers will have all files scanned for viruses and malicious code before uploading files to the Document Root directory. | Remote web authors should not be able to upload files to the Document Root directory structure without virus checking and checking for malicious or mobile code. A remote web user, whose agency has... |
V-13688 | Medium | Log file data must contain required data elements. | The use of log files is a critical component of the operation of the Information Systems (IS) used within the DoD, and they can provide invaluable assistance with regard to damage assessment,... |
V-6531 | Medium | A web server that utilizes PKI as an authentication mechanism must utilize subscriber certificates issued from a DoD-authorized Certificate Authority. | A DoD private web server, existing within and available across the NIPRNet, must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring... |
V-13689 | Medium | Access to the web server log files will be restricted to administrators, web administrators, and auditors. | A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and... |
V-3333 | Medium | The web document (home) directory will be in a separate partition from the web server’s system files. | Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. To obtain such access is... |
V-2270 | Medium | Anonymous FTP user access to interactive scripts is prohibited. | The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web... |
V-2228 | Medium | All interactive programs will be placed in a designated directory with appropriate permissions. | CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable programs used by the operating system of the host... |
V-2271 | Medium | Monitoring software will include CGI or equivalent programs in the set of files which it checks. | By their very nature, CGI type files permit the anonymous web user to interact with data and perhaps store data on the web server. In many cases, CGI scripts exercise system-level control over the... |
V-2272 | Medium | PERL scripts will use the TAINT option. | PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on... |
V-2264 | Medium | Wscript.exe and Cscript.exe are accessible by users other than the SA and the web administrator. | Windows Scripting Host (WSH) is installed under either a Typical or Custom installation option of a Microsoft Network Server. This technology permits the execution of powerful script files from... |
V-2263 | Medium | A private web server will have a valid DoD server certificate. | This check verifies that DoD is a hosted web site's CA. The certificate is actually a DoD-issued server certificate used by the organization being reviewed. This is used to verify the authenticity... |
V-2262 | Medium | A private web server will utilize TLS v 1.0 or greater. | Transport Layer Security (TLS) encryption is a required security setting for a private
web server. This check precludes the possibility that a valid certificate has been obtained, but TLS has not... |
V-2225 | Medium | MIME types for csh or sh shell programs will be disabled. | Users should not be allowed to access the shell programs. Shell programs might execute shell escapes and could then perform unauthorized activities that could damage the security posture of the... |
V-13672 | Medium | The private web server will use an approved DoD certificate validation process. | Without the use of a certificate validation process, the site is vulnerable to accepting certificates that have expired or have been revoked. This would allow unauthorized individuals access to... |
V-2229 | Medium | Interactive scripts used on a web server will have proper access controls. | CGI is a ‘programming standard’ for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with... |
V-2248 | Medium | Access to web administration tools is restricted to the web manager and the web manager’s designees. | The key web service administrative and configuration tools must only be accessible by the web server staff. As these services control the functioning of the web server, access to these tools is... |
V-13619 | Medium | The web server, although started by superuser or privileged account, will run using a non-privileged account. | Running the web server with excessive privileges presents an increased risk to the web server. In the event the web server’s services are compromised, the context by which the web server is... |
V-13613 | Medium | The site software used with the web server does not have all applicable security patches applied and documented. | The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software environment. Many vendors have subscription services... |
V-2240 | Medium | The number of allowed simultaneous requests will be limited for web sites. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include... |
V-2243 | Medium | A private web server will be located on a separate controlled access subnet. | Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Insider threat may be accidental or intentional but,... |
V-15334 | Low | Web sites will utilize ports, protocols, and services according to PPSM guidelines. | Failure to comply with DoD ports, protocols, and services (PPS) requirements can result
in compromise of enclave boundary protections and/or functionality of the AIS.
The IAM will ensure web... |
V-2230 | Low | Backup interactive scripts on the production web server are prohibited. | Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as... |
V-2257 | Low | Administrative users and groups that have access rights to the web server are documented. | There are typically several individuals and groups that are involved in running a production web site. In most cases, we can identify several types of users on a web server. These are the System... |
V-2251 | Low | All utility programs, not necessary for operations, will be removed or disabled. | Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application... |
V-6724 | Low | Web server and/or operating system information will be protected.
| The web server response header of an HTTP response can contain several fields of information including the requested HTML page. The information included in this response can be web server type and... |
V-2265 | Low | Java software installed on the production web server will be limited to class files and the JAVA virtual machine. | From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information... |
V-6373 | Low | The required DoD banner page will be displayed to authenticated users accessing a DoD private web site. | A consent banner will be in place to make prospective entrants aware that the web site they are about to enter is a DoD web site and their activity is subject to monitoring. |
V-2260 | Low | A private web server will not respond to requests from public search engines. | Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web site content. In... |
V-2245 | Low | Each readable web document directory will contain either default, home, index, or equivalent file. | The goal is to completely control the web users experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an... |