| V-256745 | | The Security Token Service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive. | Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resourc... |
| V-256746 | | The Security Token Service must limit the number of concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unles... |
| V-256747 | | The Security Token Service must limit the maximum size of a POST request. | The "maxPostSize" value is the maximum size in bytes of the POST that will be handled by the container FORM URL parameter parsing. Limit its size to r... |
| V-256748 | | The Security Token Service must protect cookies from cross-site scripting (XSS). | Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are bett... |
| V-256749 | | The Security Token Service must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine th... |
| V-256750 | | The Security Token Service must generate log records during Java startup and shutdown. | Logging must be started as soon as possible when a service starts and as late as possible when a service is stopped. Many forms of suspicious actions ... |
| V-256751 | | Security Token Service log files must only be modifiable by privileged users. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. One of the first steps an attacker will und... |
| V-256752 | | The Security Token Service application files must be verified for their integrity. | Verifying the Security Token Service application code is unchanged from its shipping state is essential for file validation and nonrepudiation of the ... |
| V-256753 | | The Security Token Service must only run one webapp. | VMware ships the Security Token Service on the vCenter Server Appliance (VCSA) with one webapp, in "ROOT.war". Any other ".war" file is potentially ma... |
| V-256754 | | The Security Token Service must not be configured with unused realms. | The Security Token Service performs user authentication at the application level and not through Tomcat. To eliminate unnecessary features and ensure ... |
| V-256755 | | The Security Token Service must be configured to limit access to internal packages. | The "package.access" entry in the "catalina.properties" file implements access control at the package level. When properly configured, a Security Exce... |
| V-256756 | | The Security Token Service must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled. | MIME mappings tell the Security Token Service what type of program various file types and extensions are and what external utilities or programs are n... |
| V-256757 | | The Security Token Service must have mappings set for Java servlet pages. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client... |
| V-256758 | | The Security Token Service must not have the Web Distributed Authoring (WebDAV) servlet installed. | WebDAV is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typicall... |
| V-256759 | | The Security Token Service must be configured with memory leak protection. | The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, the Security Token Servic... |
| V-256760 | | The Security Token Service must not have any symbolic links in the web content directory tree. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files ... |
| V-256761 | | The Security Token Service directory tree must have permissions in an out-of-the-box state. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require acco... |
| V-256762 | | The Security Token Service must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. | Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web ser... |
| V-256763 | | The Security Token Service must limit the number of allowed connections. | Limiting the number of established connections to the Security Token Service is a basic denial-of-service protection. Servers where the limit is too h... |
| V-256764 | | The Security Token Service must set "URIEncoding" to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-256765 | | The Security Token Service must use the "setCharacterEncodingFilter" filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-256766 | | The Security Token Service must set the welcome-file node to a default web page. | Enumeration techniques, such as Uniform Resource Locator (URL) parameter manipulation, rely on being able to obtain information about the web server's... |
| V-256767 | | The Security Token Service must not show directory listings. | Enumeration techniques, such as Uniform Resource Locator (URL) parameter manipulation, rely on being able to obtain information about the web server's... |
| V-256768 | | The Security Token Service must be configured to not show error reports. | Web servers will often display error messages to client users, displaying enough information to aid in the debugging of the error. The information giv... |
| V-256769 | | The Security Token Service must not enable support for TRACE requests. | "TRACE" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in... |
| V-256770 | | The Security Token Service must have the debug option disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug... |
| V-256771 | | The Security Token Service must be configured with the appropriate ports. | Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed unnecessary or too ... |
| V-256772 | | The Security Token Service must disable the shutdown port. | An attacker has at least two reasons to stop a web server. The first is to cause a denial of service, and the second is to put in place changes the at... |
| V-256773 | | The Security Token Service must set the secure flag for cookies. | The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of t... |
| V-256774 | | The Security Token Service default servlet must be set to "readonly". | The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular ... |
| V-256775 | | Security Token Service log data and records must be backed up onto a different system or media. | Protection of Security Token Service log data includes ensuring log data is not accidentally lost or deleted. Backing up Security Token Service log re... |
