
A public web server will be physically and logically isolated in accordance with the DoD Internet-NIPRNet DMZ STIG and the DoD Enclave STIG.


Overview

Finding ID: V-2242
Version: WA060
Rule ID: SV-2242r5_rule
IA Controls: EBPW-1, ECIC-1
Severity: Medium
Description
To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers also refer to web servers that may be located on non-public networks and contain information that is approved for release to the entire community. Public web servers must not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) or in an isolated separate public enclave (subnet). This trusted connection is not to be confused with a Microsoft Domain trust. A trusted connection can be an attachment to Microsoft shares, in UNIX as Network File System (NFS) mounts, as well as connections to interior enclave printers. This relationship can also be found with connections from public web servers to interior enclave databases.
STIG: Web Server STIG
Date: 2010-10-07

Details

Check Text (C-29914r1_chk)
The reviewer will question the IAO, the SA, or the web administrator to see where the public web server is logically located on the site’s LAN. The reviewer will review the site’s network diagram, available from the NSO, to see how the web server is connected to the LAN. Based on these discussions and the LAN diagram, the reviewer should visually check the web server hardware connections to see if it is in conformance with the site’s network diagram. A public web server must be located in a DMZ. This is normally a subnet isolated from internal LANs. An improperly located public web server is a potential threat to the entire network.

NOTE: If there is a network reviewer available, he or she should be able to provide much of the information needed to validate this check.

Proposed Questions:

What devices (i.e., router, switch, firewall, etc.) lie between the web server and Internet connectivity?
Is the web server on a separate subnet?
Is the web server on a LAN with servers and workstations dedicated to functions not intended for public access?

If the web server is not isolated in accordance with the DoD Enclave and Internet-NIPRNet DMZ STIGs, this is a finding.
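The interview and diagram review above establish where the host sits on the network; a complementary host-side check looks for the "trusted connections" the description names (NFS and SMB mounts, database sessions to interior hosts). The script below is an added example written for this page, not part of the STIG or of the UCF viewer. It assumes the DMZ is 203.0.113.0/24 (an assumed value, expressed as the dotted prefix DMZ_PREFIX) and parses text in the format of /proc/mounts and `ss -tn`; the sample data embedded in it is constructed. Any network mount served from outside the DMZ, and any established session to an RFC 1918 peer outside the DMZ, is reported as a candidate finding for the reviewer to confirm against the site's diagram.

```shell
#!/bin/sh
# Added example: host-side audit of a public web server for trusted
# connections reaching outside the DMZ. DMZ_PREFIX is an assumed value;
# the mount and socket samples below are constructed for illustration.

DMZ_PREFIX="203.0.113."   # assumed DMZ subnet 203.0.113.0/24, as a dotted prefix

# Constructed excerpt in /proc/mounts format (source mountpoint fstype options ...)
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
203.0.113.20:/srv/static /var/www/static nfs rw,vers=4 0 0
10.1.5.40:/export/home /home nfs rw,vers=3 0 0
//10.1.5.41/logs /mnt/logs cifs rw,vers=3.0 0 0
proc /proc proc rw 0 0'

# Constructed excerpt in `ss -tn` format (State Recv-Q Send-Q Local Peer)
SAMPLE_SOCKETS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      203.0.113.10:443   198.51.100.7:51234
ESTAB  0      0      203.0.113.10:38812 10.1.5.50:5432
ESTAB  0      0      203.0.113.10:41002 203.0.113.21:3306'

mount_host() {
  # $1 is the mount source: "host:/export" for NFS or "//host/share" for CIFS.
  # Strip a leading // and everything from the first ':' or '/' onward.
  printf '%s\n' "$1" | sed -e 's#^//##' -e 's#[:/].*$##'
}

flag_remote_mounts() {
  # Reads /proc/mounts-style lines on stdin and prints "<fstype> <source>"
  # for every network mount whose server is not inside the DMZ prefix.
  while read -r src _mnt fstype _rest; do
    case "$fstype" in
      nfs|nfs4|cifs|smb3) ;;
      *) continue ;;            # local filesystems are not trusted connections
    esac
    host=$(mount_host "$src")
    case "$host" in
      "$DMZ_PREFIX"*) ;;         # served from inside the DMZ: acceptable
      *) printf '%s %s\n' "$fstype" "$src" ;;
    esac
  done
}

flag_external_peers() {
  # Reads `ss -tn`-style lines on stdin and prints the peer of every
  # established session whose peer is a private (RFC 1918) address that is
  # not inside the DMZ prefix. Public Internet clients are not reported.
  while read -r state _rq _sq _laddr peer; do
    [ "$state" = "ESTAB" ] || continue
    case "$peer" in
      "$DMZ_PREFIX"*) continue ;;
      10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
        printf '%s\n' "$peer" ;;
    esac
  done
}

audit_count() {
  # Total number of candidate findings across both checks (printed, for the test).
  m=$(printf '%s\n' "$SAMPLE_MOUNTS" | flag_remote_mounts | wc -l | tr -d ' ')
  p=$(printf '%s\n' "$SAMPLE_SOCKETS" | flag_external_peers | wc -l | tr -d ' ')
  echo $((m + p))
}

# Stand-alone run against the constructed samples. On a real host replace the
# samples with: cat /proc/mounts | flag_remote_mounts; ss -tn | flag_external_peers
echo "Network mounts served from outside the DMZ:"
printf '%s\n' "$SAMPLE_MOUNTS" | flag_remote_mounts
echo "Established sessions to interior (non-DMZ private) peers:"
printf '%s\n' "$SAMPLE_SOCKETS" | flag_external_peers
echo "Candidate findings: $(audit_count)"
```

The script only surfaces candidates; a session to an interior database or a mount from an interior file server is the kind of relationship the description calls out, but whether a given peer is actually outside the DMZ is decided by the site's network diagram, so the reviewer should reconcile each reported address against it before recording a finding.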
Fix Text (F-26804r1_fix)
Relocate the public web servers to be isolated from internal systems. In addition, ensure the public web servers do not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) or isolated separate public enclave (subnet).