UCF STIG Viewer Logo

Web Server STIG



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-13621 High All web server documentation, sample code, example applications, and tutorials will be removed from a production web server.
V-2258 High The web client account access to the content and scripts directories will be limited to read and execute.
V-13686 High Remote authors or content providers will only use secure encrypted logons and connections to upload files to the Document Root directory.
V-6537 High Anonymous access accounts are restricted.
V-2227 High Symbolic links will not be used in the web content directory tree.
V-2249 High Web server administration will be performed over a secure path or at the console.
V-2247 High Only administrators are allowed access to the directory tree, the shell, or other operating system functions and utilities.
V-2246 High Web server software will always be vendor-supported versions.
V-13620 Medium A private web server’s list of CAs in a trust hierarchy will lead to the DoD PKI Root CA, to a DoD-approved external certificate authority (ECA), or to a DoD-approved external partner.
V-2235 Medium The service account ID used to run the web site will have its password changed at least annually.
V-2236 Medium Installation of compilers on production web server is prohibited.
V-2259 Medium Web server system files will conform to minimum file permission requirements.
V-2256 Medium The access control files are owned by a privileged web server account.
V-2254 Medium Only web sites that have been fully reviewed and tested will exist on a production web server.
V-2252 Medium Only auditors, SAs or web administrators may access web server log files.
V-2250 Medium Logs of web server access and errors will be established and maintained
V-6577 Medium A web server will be segregated from other services.
V-13687 Medium Remote authors or content providers will have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
V-13688 Medium Log file data must contain required data elements.
V-6531 Medium A web server that utilizes PKI as an authentication mechanism must utilize subscriber certificates issued from a DoD-authorized Certificate Authority.
V-13689 Medium Access to the web server log files will be restricted to administrators, web administrators, and auditors.
V-3333 Medium The web document (home) directory will be in a separate partition from the web server’s system files.
V-2270 Medium Anonymous FTP user access to interactive scripts is prohibited.
V-2228 Medium All interactive programs will be placed in a designated directory with appropriate permissions.
V-2271 Medium Monitoring software will include CGI or equivalent programs in the set of files which it checks.
V-2272 Medium PERL scripts will use the TAINT option.
V-2264 Medium Wscript.exe and Cscript.exe are accessible by users other than the SA and the web administrator.
V-2263 Medium A private web server will have a valid DoD server certificate.
V-2262 Medium A private web server will utilize TLS v 1.0 or greater.
V-2225 Medium MIME types for csh or sh shell programs will be disabled.
V-13672 Medium The private web server will use an approved DoD certificate validation process.
V-2229 Medium Interactive scripts used on a web server will have proper access controls.
V-2248 Medium Access to web administration tools is restricted to the web manager and the web manager’s designees.
V-13619 Medium The web server, although started by superuser or privileged account, will run using a non-privileged account.
V-13613 Medium The site software used with the web server does not have all applicable security patches applied and documented.
V-2240 Medium The number of allowed simultaneous requests will be limited for web sites.
V-2243 Medium A private web server will be located on a separate controlled access subnet.
V-15334 Low Web sites will utilize ports, protocols, and services according to PPSM guidelines.
V-2230 Low Backup interactive scripts on the production web server are prohibited.
V-2257 Low Administrative users and groups that have access rights to the web server are documented.
V-2251 Low All utility programs, not necessary for operations, will be removed or disabled.
V-6724 Low Web server and/or operating system information will be protected.
V-2265 Low Java software installed on the production web server will be limited to class files and the JAVA virtual machine.
V-6373 Low The required DoD banner page will be displayed to authenticated users accessing a DoD private web site.
V-2260 Low A private web server will not respond to requests from public search engines.
V-2245 Low Each readable web document directory will contain either default, home, index, or equivalent file.