| V-255251 | | The SSMC web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon... |
| V-255253 | | SSMC web server must use encryption strength in accordance with the categorization of data hosted by the web server when remote connections are provided. | The SSMC web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or com... |
| V-255254 | | SSMC web server must use cryptography to protect the integrity of remote sessions. | Data exchanged between the user and the web server can range from static display data to credentials used to Log on to the hosted application. Even wh... |
| V-255252 | | SSMC web server must limit the number of allowed simultaneous session requests. | Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed ... |
| V-255255 | | SSMC web server must generate information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to... |
| V-255256 | | SSMC web server must generate information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to... |
| V-255257 | | SSMC web server must generate information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to... |
| V-255258 | | The SSMC web server must be configured to use a specified IP address and port. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utiliz... |
| V-255259 | | The SSMC web server must perform RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path vali... |
| V-255260 | | SSMC web server must set an absolute timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-255261 | | SSMC web server must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-255262 | | SSMC web server must set an inactive timeout for shell sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-255263 | | SSMC web server must restrict connections from nonsecure zones. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to... |
| V-255264 | | SSMC web server application, libraries, and configuration files must only be accessible to privileged users. | A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes... |
| V-255265 | | SSMC web server must enable strict two-factor authentication for access to the webUI. | Accounts secured with only a password are subject to multiple forms of attack, from brute force, to social engineering. By enforcing strict two-factor... |
| V-255266 | | SSMC web server must not impede the ability to write specified log record content to an audit log server. | Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of a... |
| V-255267 | | SSMC web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server persp... |
| V-255268 | | SSMC web server must initiate session logging upon start up. | An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key in... |
| V-255269 | | SSMC web server must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure. | Reviewing log data allows an investigator to recreate the path of an attacker and to capture forensic data for later use. Log data is also essential t... |
