UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Web server administration will be performed over a secure path or at the console.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2249 WG230 SV-2249r5_rule EBRU-1 High
Description
Logging in to a web server via a telnet session or using HTTP or FTP to perform updates and maintenance is a major risk. In all such cases, userids and passwords are passed in the plain text. A secure shell service or HTTPS need to be installed and in use for these purposes. Another alternative is to administer the web server from the console, which implies physical access to the server.
STIG Date
Web Server STIG 2010-10-07

Details

Check Text ( C-29005r1_chk )
Verify that some variety of SSH is running on the web server platform. Check for an SSH daemon, querying the SA and web manager, and use the following command:

Select START, Programs and look for Reflection for Secure IT or equivalent program. Some versions of Windows compatible SSH are Reflection for Secure IT, SecureCRT, NT sshd, and Tera Term with TTSSH.

NOTE: If all administration is done via the server console, this is not a finding.

If web server administration is being done remotely without a secure connection, this is finding.
Fix Text (F-2298r3_fix)
Ensure the web server's administration is only performed over a secure path.