
A web server will be segregated from other services.


Overview

Finding ID: V-6577
Version: WG204
Rule ID: SV-6683r4_rule
IA Controls: DCPA-1
Severity: Medium
Description
To ensure a secure and functional web server, a detailed installation and configuration plan should be developed and followed. This eliminates mistakes that arise from ad hoc decisions made during the default installation of a server. Planners should not attempt to support multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server that provides the web publishing service. In the case of File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Network News Transport Protocol (NNTP), a well-defined need for these services should be documented by the IAO prior to their installation on the same platform as a web server. Primary and secondary Domain Controllers, in the Windows environment, will not share a common platform with a web server's World Wide Web (WWW) service.

Disallowed or restricted services, in the context of this vulnerability, are services that are not directly associated with the delivery of web content. An operating system that supports a web server will not provide other services (e.g., domain controller, e-mail server, database server). Only those services necessary to support the web server and its hosted sites are specifically allowed; these may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements. Any services or protocols that are not necessary should be removed.

A web server may incorporate any number of allowed web services that are necessary to deliver its mission objectives. As long as those web services are properly configured, secured, and not specifically prohibited, their usage is not prohibited, but it will be governed by the Enclave STIG, the Application Security and Development STIG, or the Web Services STIG (when developed). These services should be delivered from the application server.
A separate platform in the context of this vulnerability refers to physical, logical, or virtual separation of web server and operating system services; however, the separation associated with application, database, or other servers is governed by the DoD Internet-NIPRNet DMZ STIG.
STIG: Web Server STIG
Date: 2010-10-07

Details

Check Text (C-29993r1_chk)
Request a copy of and review the web server’s installation and configuration plan. The reviewer should ensure that the server is in compliance with this plan. If the server is not in compliance with the plan, this is a finding.

Query the SA to ascertain if and where the additional services are installed.

Confirm that the additional service or application is not installed on the same partition as the operating system's root directory or the web document root. If it is, this is a finding.
Fix Text (F-26852r1_fix)
Move or install additional services and applications to partitions that are not the operating system root or the web document root.
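The partition test in the Check Text can be scripted so a reviewer gets the same answer every time. The POSIX shell script below is an added example and is not part of the STIG or its viewer: it reads an inventory of "service path" lines (a format assumed here, built from the SA's answers to the query above), maps each install path to the mount point of the file system holding it, and reports a finding when that file system is the one holding the OS root or the web document root. The function names, the inventory format, and the sample directory layout used in the self-test are all assumptions.

```shell
#!/bin/sh
# Added example (not from the STIG): automate the WG204 partition check.
# Reads "service path" lines and flags any additional service whose install
# path sits on the same file system as the OS root or the web document root.
# Inventory format and function names are assumptions made for this example.

# Map a path to the mount point of the file system that holds it.
# df -P is POSIX; the mount point is the sixth column of its second line.
# A path that does not exist yields "missing" so the caller can skip it.
mount_point_of() {
    if [ -e "$1" ]; then
        df -P "$1" 2>/dev/null | awk 'NR == 2 { print $6 }'
    else
        echo "missing"
    fi
}

# check_inventory RESOLVER DOCROOT < inventory
#   RESOLVER: command that prints the mount point for a path (mount_point_of
#             on a live host; a constructed lookup table in a test)
#   DOCROOT:  the web document root
# Prints one line per service; returns 0 when clean, 1 when any finding exists.
check_inventory() {
    resolver=$1
    docroot=$2
    root_mp=$("$resolver" /)
    doc_mp=$("$resolver" "$docroot")
    findings=0
    while read -r svc path; do
        case "$svc" in ''|\#*) continue ;; esac   # skip blank and comment lines
        mp=$("$resolver" "$path")
        if [ "$mp" = "missing" ]; then
            echo "skip:    $svc not installed at $path"
        elif [ "$mp" = "$root_mp" ] || [ "$mp" = "$doc_mp" ]; then
            echo "FINDING: $svc at $path shares file system $mp with OS root or docroot"
            findings=$((findings + 1))
        else
            echo "ok:      $svc at $path on $mp"
        fi
    done
    [ "$findings" -eq 0 ]
}

# Live usage on a host:  sh check_wg204.sh inventory.txt /var/www/html
# (only runs when both arguments are given, so sourcing the file is harmless)
if [ $# -eq 2 ]; then
    check_inventory mount_point_of "$2" < "$1"
fi
```

The resolver is passed in as a command so the decision logic can be exercised against a constructed layout without touching a real disk; on a live host, `mount_point_of` is the resolver, and a non-zero exit from `check_inventory` is the finding. A service that shares a file system with `/` or the document root is reported even if it lives in a different directory tree, which is exactly the condition the Check Text describes.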