| V-2227 | | Symbolic links must not be used in the web content directory tree. | A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensit... |
| V-2249 | | Web server administration must be performed over a secure path or at the local console. | Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as us... |
| V-2258 | | Web client access to the content directories must be restricted to read and execute. | Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this use... |
| V-13686 | | Web Administrators must only use encrypted connections for Document Root directory uploads. | Logging in to a web server via an unencrypted protocol or service, to upload documents to the web site, is a risk if proper encryption is not utilized... |
| V-2226 | | Web content directories must not be anonymously shared. | Sharing web content is a security risk when a web server is involved. Users accessing the share anonymously could experience privileged access to the ... |
| V-2228 | | All interactive programs (CGI) must be placed in a designated directory with appropriate permissions. | CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI are executable by the operating s... |
| V-2240 | | The number of allowed simultaneous requests must be set. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Miti... |
| V-2250 | | Logs of web server access and errors must be established and maintained | A major tool in exploring the web site use, attempted use, unusual conditions, and problems are reported in the access and error logs. In the event of... |
| V-2252 | | Log file access must be restricted to System Administrators, Web Administrators or Auditors. | A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security ... |
| V-2254 | | Only web sites that have been fully reviewed and tested must exist on a production web server. | In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a dev... |
| V-2260 | | A web site must not contain a robots.txt file. | Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor t... |
| V-2262 | | A private web server must utilize an approved TLS version. | Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ... |
| V-2263 | | A private web server will have a valid DoD server certificate. | This check verifies that DoD is a hosted web site's CA. The certificate is actually a DoD-issued server certificate used by the organization being rev... |
| V-2270 | | Anonymous FTP user access to interactive scripts is prohibited. | The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that cont... |
| V-2272 | | PERL scripts must use the TAINT option. | PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from th... |
| V-3333 | | The web document (home) directory must be in a separate partition from the web server’s system files. | Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and applica... |
| V-6531 | | Private web servers must require certificates issued from a DoD-authorized Certificate Authority. | Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind w... |
| V-13687 | | Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory. | Remote web authors should not be able to upload files to the Document Root directory structure without virus checking and checking for malicious or mo... |
| V-13688 | | Log file data must contain required data elements. | The use of log files is a critical component of the operation of the Information Systems (IS) used within the DoD, and they can provide invaluable ass... |
| V-13689 | | Access to the web server log files must be restricted to administrators, web administrators, and auditors. | A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security ... |
| V-13694 | | Public web servers must use TLS if authentication is required. | Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol i... |
| V-26279 | | Error logging must be enabled. | The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can re... |
| V-26280 | | The site's error logs must log the correct format. | The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can revea... |
| V-26281 | | System logging must be enabled. | The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can revea... |
| V-26282 | | The LogLevel directive must be enabled. | The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can revea... |
| V-2245 | | Each readable web document directory must contain either a default, home, index, or equivalent file. | The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content di... |
| V-2265 | | Java software on production web servers must be limited to class files and the JAVA virtual machine. | From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, th... |
| V-6373 | | The required DoD banner page must be displayed to authenticated users accessing a DoD private website. | A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is ... |
| V-15334 | | Web sites must utilize ports, protocols, and services according to PPSM guidelines. | Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functiona... |