| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-2246 | | The web server must use a vendor-supported version of the web server software. | Many vulnerabilities are associated with old versions of web server software. As hot fixes and patches are issued, these solutions are included in the... |
| V-2247 | | Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require acco... |
| V-13591 | | Classified web servers will be afforded physical security commensurate with the classification of their content. | When data of a classified nature is migrated to a web server, fundamental principles applicable to the safeguarding of classified material must be fol... |
| V-13621 | | All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. | Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may o... |
| V-13733 | | Server side includes (SSIs) must run with execution capability disabled. | The Options directive configures the web server features that are available in particular directories. The IncludesNOEXEC feature controls the abilit... |
| V-2232 | | The web server service password(s) must be entrusted to the SA or Web Manager. | Normally, a service account is established for the web server. This is because a privileged account is not desirable and the server is designed to run... |
| V-2234 | | Public web server resources must not be shared with private assets. | It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets. When fo... |
| V-2235 | | The service account used to run the web service must have its password changed at least annually. | Normally, a service account is established for the web service to run under rather than permitting it to run as part of the local system. The password... |
| V-2236 | | Installation of a compiler on a production web server must be prohibited. | The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan ... |
| V-2242 | | A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension. | To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web server... |
| V-2243 | | A private web server must be located on a separate controlled access subnet. | Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Inside... |
| V-2248 | | Web administration tools must be restricted to the web manager and the web manager’s designees. | All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the administration... |
| V-2255 | | The web server’s htpasswd files (if present) must reflect proper ownership and permissions. | In addition to OS restrictions, access rights to files and directories can be set on a web site using the web server software. That is, in addition t... |
| V-2256 | | The access control files are owned by a privileged web server account. | This check verifies that the key web server system configuration files are owned by the SA or Web Manager controlled account. These same files which c... |
| V-2259 | | Web server system files must conform to minimum file permission requirements. | This check verifies that the key web server system configuration files are owned by the SA or Web Manager controlled account. These same files which c... |
| V-2261 | | A public web server must limit e-mail to outbound only. | Incoming e-mail has been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attack. Additiona... |
| V-2264 | | Wscript.exe and Cscript.exe must only be accessible by the SA and/or the web administrator. | Windows Scripting Host (WSH) is installed under either a Typical or Custom installation option of a Microsoft Network Server. This technology permits ... |
| V-2271 | | Monitoring software must include CGI or equivalent programs in its scope. | By their very nature, CGI type files permit the anonymous web user to interact with data and perhaps store data on the web server. In many cases, CGI ... |
| V-6577 | | A web server installation must be segregated from other services. | The web server installation and configuration plan should not support the co-hosting of multiple services such as Domain Name Service (DNS), e-mail, d... |
| V-13613 | | The site software used with the web server must have all applicable security patches applied and documented. | The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software enviro... |
| V-13619 | | The web server, although started by a superuser or privileged account, must run using a non-privileged account. | Running the web server with excessive privileges presents an increased risk to the web server. In the event the web server’s services are compromised,... |
| V-13620 | | A private web server’s list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA. | A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users... |
| V-13672 | | The private web server must use an approved DoD certificate validation process. | Without the use of a certificate validation process, the site is vulnerable to accepting certificates that have expired or have been revoked. This wou... |
| V-13687 | | Remote authors or content providers must have all files scanned for malware before uploading files to the Document Root directory. | Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and checking for malicious or mob... |
| V-13724 | | The Timeout directive must be properly set. | These Timeout requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning t... |
| V-13725 | | The KeepAlive directive must be enabled. | The KeepAlive extension to HTTP/1.0 and the persistent connection feature of HTTP/1.1 provide long lived HTTP sessions which allow multiple requests t... |
| V-13726 | | The KeepAliveTimeout directive must be defined. | The number of seconds Apache will wait for a subsequent request before closing the connection. Once a request has been received, the timeout value spe... |
| V-13731 | | All interactive programs must be placed in a designated directory with appropriate permissions. | CGI scripts are one of the most exploited vulnerabilities on web servers. CGI script execution in Apache can be accomplished via two methods. The fi... |
| V-13732 | | The FollowSymLinks setting must be disabled. | The Options directive configures the web server features that are available in particular directories. The FollowSymLinks option controls the ability ... |
| V-13734 | | The MultiViews directive must be disabled. | Apache HTTPD supports content negotiation as described in the HTTP/1.1 specification. It can choose the best representation of a resource based on the... |
| V-13735 | | Directory indexing must be disabled on directories not containing index files. | Directory options directives are directives that can be applied to further restrict access to files and directories. If a URL which maps to a director... |
| V-13736 | | The HTTP request message body size must be limited. | Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The e... |
| V-13737 | | The HTTP request header fields must be limited. | Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The e... |
| V-13738 | | The HTTP request header field size must be limited. | Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The e... |
| V-13739 | | The HTTP request line must be limited. | Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The e... |
| V-26285 | | Active software modules must be minimized. | Modules are the source of the Apache httpd server's core and dynamic capabilities. Thus, not every module available is needed for operation. Most installati... |
| V-26287 | | Web Distributed Authoring and Versioning (WebDAV) must be disabled. | The Apache mod_dav and mod_dav_fs modules support WebDAV ('Web-based Distributed Authoring and Versioning') functionality for Apache. WebDAV is an ext... |
| V-26294 | | Web server status module must be disabled. | The Apache mod_info module provides information on the server configuration via access to a /server-info URL location, while the mod_status module pro... |
| V-26299 | | The web server must not be configured as a proxy server. | The Apache proxy modules allow the server to act as a proxy (either forward or reverse proxy) of HTTP and other protocols with additional proxy module... |
| V-26302 | | User specific directories must not be globally enabled. | The UserDir directive must be disabled so that user home directories are not accessed via the web site with a tilde (~) preceding the username. The di... |
| V-26305 | | The process ID (PID) file must be properly secured. | The PidFile directive sets the path to the process ID file to which the server records the process ID of the server, which is useful for sending a sig... |
| V-26322 | | The ScoreBoard file must be properly secured. | The ScoreBoardFile directive sets a file path which the server will use for Inter-Process Communication (IPC) among the Apache processes. If the direc... |
| V-26323 | | The web server must be configured to explicitly deny access to the OS root. | The Apache Directory directive allows for directory specific configuration of access controls and many other features and options. One important usage... |
| V-26324 | | Web server options for the OS root must be disabled. | The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes,... |
| V-26325 | | The TRACE method must be disabled. | Use the Apache TraceEnable directive to disable the HTTP TRACE request method. Refer to the Apache documentation for more details http://httpd.apache.... |
| V-26326 | | The web server must be configured to listen on a specific IP address and port. | The Apache Listen directive specifies the IP addresses and port numbers on which the Apache web server will listen for requests. Rather than be unrestricted to... |
| V-26327 | | The URL-path name must be set to the file path name or the directory path name. | The ScriptAlias directive controls which directories the Apache server "sees" as containing scripts. If the directive uses a URL-path name that is di... |
| V-26368 | | Automatic directory indexing must be disabled. | To identify the type of web server and version of software installed, it is common for attackers to scan for icons or special content specific to the se... |
| V-26393 | | The ability to override the access configuration for the OS root directory must be disabled. | The Apache OverRide directive allows for .htaccess files to be used to override much of the configuration, including authentication, handling of docum... |
| V-26396 | | HTTP request methods must be limited. | The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For example, methods such as PUT and DELETE ar... |
| V-60709 | | The web server must remove all export ciphers from the cipher suite. | During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order... |
| V-2230 | | Backup interactive scripts on the production web server must be prohibited. | Copies of backup files will not execute on the server, but can be read by the anonymous user if special precautions are not taken. Such backup copies ... |
| V-2251 | | All utility programs, not necessary for operations, must be removed or disabled. | Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and pro... |
| V-2257 | | Administrative users and groups that have access rights to the web server must be documented. | There are typically several individuals and groups that are involved in running a production web site. In most cases, we can identify several types of... |
| V-6485 | | Web server content and configuration files must be part of a routine backup program. | Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the curre... |
| V-6724 | | Web server and/or operating system information must be protected. | The web server response header of an HTTP response can contain several fields of information including the requested HTML page. The information includ... |