
Only fully reviewed and tested web sites must exist on a production web server.


Overview

Finding ID: V-2254
Version: WG260 IIS6
Rule ID: SV-38069r2_rule
IA Controls: ECSC-1
Severity: Medium
Description
In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files revealing business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security risk, which is totally avoidable.
STIG: IIS6 Site
Date: 2015-06-01

Details

Check Text ( C-37435r2_chk )
The reviewer should query the ISSO, SA, and Web Manager to find out if development web sites are being housed on production web servers.

Definition: A production web server is any web server connected to a production network, regardless of its role.

Proposed Questions:
Do you have development sites on your production web server?
What is your process to get development web sites / content posted to the production server?
Do you use under construction notices on production web pages?

A manual check can be completed by navigating to the web site via a browser and confirming the information provided by the web staff.

If development web content is discovered on the production web server, this is a finding.
Fix Text (F-32679r1_fix)
Ensure any pages in development are not installed on a production web server.