
A public web server’s resources (e.g., drives, folders, printers, etc.) will not be shared with private assets.


Overview

Finding ID: V-2234
Version: WG040
Rule ID: SV-2234r6_rule
IA Controls: EBPW-1
Severity: Medium
Description
It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets. When folders, drives or other resources are directly shared between the public web server and private servers the intent of data and resource segregation can be compromised. In addition to the requirements of the DoD Internet-NIPRNet DMZ STIG that isolates inbound traffic from the external network to the internal network, resources such as printers, files, and folders/directories will not be shared between public web servers and assets located within the internal network.
STIG: Web Server STIG
Date: 2010-10-07

Details

Check Text (C-29894r1_chk)
The reviewer should query the IAO, the SA, or the web administrator as necessary to determine if the public web server has a two-way trusted relationship with any private asset located within the NIPRNet or the SIPRNet. Private web server resources (e.g., drives, folders, printers, etc.) will not be directly mapped to or shared with public web servers.

The following check indicates an inappropriate sharing of public web server resources:

Navigate to the web server content folders/directories. These directories must not be shared. Right-click the web server content folder, select Properties, then open the Sharing tab. All sharing entries must be disabled.

If sharing is selected for any web folder, this is a finding.

The following checks indicate inappropriate sharing of private resources with the public web server:

1. From a command prompt, type net share and press Enter. This lists the shares currently available on the server.
2. Check whether File and Printer Sharing (or file sharing) is enabled under the Network icon in the Control Panel.

If private resources (e.g., drives, partitions, folders/directories, printers, etc.) are shared with the public web server, this is a finding.
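The manual steps above (inspecting share properties, running net share, and checking the File and Printer Sharing setting) can be collected into one audit pass. The following PowerShell script is an added example written for this page, not part of the STIG or any DISA tooling. It assumes the web content root is C:\inetpub\wwwroot (override with -WebRoot) and that the SmbShare and NetAdapter modules are present (Windows Server 2012 or later); the NFS portion only runs when Server for NFS is installed, since the fix text also forbids NFS mounts.

```powershell
# Added audit script for the V-2234 check; not part of the STIG text.
# Assumptions (labelled): web content lives under $WebRoot (default C:\inetpub\wwwroot),
# and the SmbShare and NetAdapter modules are present (Windows Server 2012 or later).
param(
    [string[]]$WebRoot = @('C:\inetpub\wwwroot')
)

$findings = New-Object System.Collections.Generic.List[string]

function Test-UnderRoot {
    param([string]$Path, [string]$Root)
    # True when $Path equals $Root or is a subfolder of it
    # (case-insensitive, trailing backslash ignored).
    $p = $Path.TrimEnd('\') + '\'
    $r = $Root.TrimEnd('\') + '\'
    return $p.StartsWith($r, [System.StringComparison]::OrdinalIgnoreCase)
}

# Check 1: web content folders must not be shared. Administrative shares
# (C$, ADMIN$, IPC$) carry Special = $true; IPC$ has no path and is skipped.
$shares = Get-SmbShare
foreach ($share in ($shares | Where-Object { $_.Path })) {
    foreach ($root in $WebRoot) {
        if (Test-UnderRoot -Path $share.Path -Root $root) {
            $findings.Add("Web content folder is shared: \\$env:COMPUTERNAME\$($share.Name) -> $($share.Path)")
        }
    }
}
# Every non-administrative share on a public web server needs a justification,
# so list them for the reviewer even when they sit outside the web root.
foreach ($share in ($shares | Where-Object { -not $_.Special })) {
    $findings.Add("Non-administrative share present (review): $($share.Name) -> $($share.Path)")
}

# Check 2: private resources mapped into the public web server (the 'net use' view).
foreach ($m in (Get-SmbMapping -ErrorAction SilentlyContinue)) {
    $findings.Add("Remote SMB share mapped on web server: $($m.LocalPath) -> $($m.RemotePath)")
}

# Check 3: File and Printer Sharing bound to any adapter (the Control Panel check).
# ms_server is the component ID of 'File and Printer Sharing for Microsoft Networks'.
foreach ($b in (Get-NetAdapterBinding -ComponentID ms_server -ErrorAction SilentlyContinue | Where-Object Enabled)) {
    $findings.Add("File and Printer Sharing enabled on adapter: $($b.Name)")
}

# The fix text also forbids NFS exports; Get-NfsShare exists only with Server for NFS.
if (Get-Command Get-NfsShare -ErrorAction SilentlyContinue) {
    foreach ($n in Get-NfsShare) {
        $findings.Add("NFS export present: $($n.Name) -> $($n.Path)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'V-2234: no shares, mappings or sharing bindings found (not a finding).'
    exit 0
}
Write-Output 'V-2234: review the following (possible findings):'
$findings | ForEach-Object { Write-Output "  $_" }
exit 1
```

Run it from an elevated PowerShell session on the web server itself; a non-zero exit code means at least one item needs a reviewer's judgement. The script deliberately reports rather than removes shares, because whether a given share or adapter binding constitutes a finding is the reviewer's call under the check text, and because the web server software may legitimately need the Server service even when no folders are shared.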
Fix Text (F-26795r1_fix)
Configure the public web server so that it has no trusted relationship with any system resource that is not also accessible to the public. Web content is not to be shared via Microsoft shares or NFS mounts.