
Web server administration will be performed over a secure path or at the console.


Overview

Finding ID: V-2249
Version: WG230
Rule ID: SV-2249r5_rule
IA Controls: EBRU-1
Severity: High
Description
Logging in to a web server via a telnet session, or using HTTP or FTP to perform updates and maintenance, is a major risk. In all such cases, userids and passwords are passed in plain text. A secure shell service or HTTPS needs to be installed and in use for these purposes. Another alternative is to administer the web server from the console, which implies physical access to the server.
STIG Date
Web Server STIG 2010-10-07

Details

Check Text (C-29005r1_chk)
Verify that some variety of SSH is running on the web server platform. Check for an SSH daemon by querying the SA and web manager and by using the following command:

Select START, Programs and look for Reflection for Secure IT or an equivalent program. Some Windows-compatible versions of SSH are Reflection for Secure IT, SecureCRT, NT sshd, and Tera Term with TTSSH.

NOTE: If all administration is done via the server console, this is not a finding.

If web server administration is being done remotely without a secure connection, this is a finding.
Fix Text (F-2298r3_fix)
Ensure the web server's administration is only performed over a secure path.
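
The following is an added example, not part of the STIG: a reviewer's helper that parses Windows `netstat -an` output and sorts listeners into the plaintext services named in the description (Telnet, FTP, HTTP) and the secure ones (SSH, HTTPS). It assumes services run on their default ports; the sample output is constructed, and the function and key names are hypothetical.

```python
import re

# Assumption: services listen on their well-known default ports.
PLAINTEXT = {21: "FTP", 23: "Telnet", 80: "HTTP"}
SECURE = {22: "SSH", 443: "HTTPS"}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:23           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:443           10.0.0.9:50123         ESTABLISHED
  TCP    [::]:22                [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""

# Local address, local port, foreign address, then the LISTENING state.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")
LOOPBACK = ("127.", "[::1]")

def listeners(text):
    """Yield (address, port) for every TCP socket in the LISTENING state."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), int(m.group(2))

def audit(text):
    """Group listeners by protocol class. A plaintext listener is evidence to
    raise with the SA, not a finding by itself: port 80 normally serves
    content, and the finding concerns how administration is performed."""
    report = {"plaintext_exposed": [], "plaintext_loopback": [], "secure": []}
    for addr, port in listeners(text):
        if port in PLAINTEXT:
            key = "plaintext_loopback" if addr.startswith(LOOPBACK) else "plaintext_exposed"
            report[key].append((PLAINTEXT[port], addr, port))
        elif port in SECURE:
            report["secure"].append((SECURE[port], addr, port))
    report["ssh_listening"] = any(name == "SSH" for name, _, _ in report["secure"])
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

Listeners on non-default ports are not classified, so the result supplements the SA interview in the check text rather than replacing it.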