Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-2242 | WA060 | SV-2242r5_rule | EBPW-1 ECIC-1 | Medium |
Description |
---|
To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers also refer to web servers that may be located on non-public networks and contain information that is approved for release to the entire community. Public web servers must not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) or in an isolated separate public enclave (subnet). This trusted connection is not to be confused with a Microsoft Domain trust. A trusted connection can be an attachment to Microsoft shares, in UNIX as Network File System (NFS) mounts, as well as connections to interior enclave printers. This relationship can also be found with connections from public web servers to interior enclave databases. |
STIG | Date |
---|---|
Web Server STIG | 2010-10-07 |
Check Text ( C-29914r1_chk ) |
---|
The reviewer will question the IAO, the SA, or the web administrator to see where the public web server is logically located on the site’s LAN. The reviewer will review the site’s network diagram, available from the NSO, to see how the web server is connected to the LAN. Based on these discussions and the LAN diagram, the reviewer should visually check the web server hardware connections to see if it is in conformance with the site’s network diagram. A public web server must be located in a DMZ. This is normally a subnet isolated from internal LANs. An improperly located public web server is a potential threat to the entire network. NOTE: If there is a network reviewer available, he or she should be able to provide much of the information needed to validate this check. Proposed Questions: What devices (i.e., router, switch, firewall, etc.) lie between the web server and Internet connectivity? Is the web server on a separate subnet? Is the web server on a LAN with servers and workstations dedicated to functions not intended for public access? If the web server is not isolated in accordance with the DoD Enclave and Internet-NIPRNet DMZ STIGs, this is a finding. |
Fix Text (F-26804r1_fix) |
---|
Relocate the public web servers to be isolated from internal systems. In addition, ensure the public web servers do not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) or isolated separate public enclave (subnet). |