Free DISA STIG and SRG Library | Vaulted

IIS 7.0 Server STIG

Version 1 Release 18 (2019-04-26), compared with Version 1 Release 17 (2018-10-26)
U_MS_IIS_7-0_Server_STIG_V1R18_Manual-xccdf.xml (compared with U_MS_IIS_7-0_Server_STIG_V1R17_Manual-xccdf.xml)
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Compare Summary

Compare V1R18 to V1R17
  • All
  • Updated 19
  • Added 0
  • Removed 111

Vulnerabilities (135)

Removed

V-13613

The site software used with the web server does not have all applicable security patches applied and documented.

Finding ID
WA230
Rule ID
SV-14189r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA230
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software environment. Many vendors have subscription services available to notify users of known security threats. The site needs to be aware of these fixes and make determinations based on local policy and what software features are installed, if these patches need to be applied. In some cases, patches also apply to middleware and database systems. Maintaining the security of web servers requires frequent reviews of security notices. Many security notices mandate the installation of a software patch to overcome security vulnerabilities. SAs and IAOs should regularly check the vendor support web site for patches and information related to the web server software. All applicable security patches will be applied to the operating system and to the web server software. Security patches are deemed applicable if the product is installed, even if it is not used or is disabled.

Fix Text

Establish a detailed process as part of the configuration management plan to stay compliant with all web server security-related patches.

Check Content

Query the web administrator to determine if the site has a detailed process as part of its configuration management plan to stay compliant with all security-related patches. Proposed Questions: How does the SA stay current with web server vendor patches? How is the SA notified when a new security patch is issued by the vendor? (Exclude the IAVM.) What is the process followed for applying patches to the web server? If the site is not in compliance with all applicable security patches, this is a finding.

Responsibility

Information Assurance Officer

Removed

V-13619

The web server, although started by a superuser or privileged account, is not run using a non-privileged account.

Finding ID
WG275
Rule ID
SV-14201r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG275
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Running the web server with excessive privileges presents an increased risk to the web server. In the event the web server’s services are compromised, the context by which the web server is running will determine the amount of damage that may be caused by the attacker. If the web server is run as an administrator or as an equivalent account, the attacker will gain administrative access through the web server. If, on the other hand, the web server is running with least privilege required to function, the capabilities of the attacker will be greatly decreased.

Fix Text

The site needs to configure the web server to run using a non-privileged account.

Check Content

The reviewer will need to determine which account the web server is using to run and determine the privileges that account has. If the account has administrative or superuser privilege, the SA will need to provide justification showing that this type of account is necessary for the function and operation of the web server. Right-click on My Computer and select Manage. Then select Local Users and Groups. Examine the account that is used to run the web server and determine its group affiliations. If the account is a member of a privileged group such as Administrators, and the web server is running with this account, this is a finding. If the web server is being run with excessive privileges, this is a finding.

Responsibility

System Administrator

Removed

V-13620

A private web server’s list of CAs in a trust hierarchy will lead to the DoD PKI Root CA, to a DoD-approved external certificate authority (ECA), or to a DoD-approved external partner.

Finding ID
WG355
Rule ID
SV-14204r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG355
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of authenticity. Most web browsers perform server authentication automatically and the user is notified only if the authentication fails. The authentication process between the server and the client is performed using the SSL/TLS protocol. Digital certificates are authenticated, issued, and managed by a trusted Certificate Authority (CA). The use of a trusted certificate validation hierarchy is crucial to the ability to control access to a site’s server and to prevent unauthorized access. Only DoD-approved PKIs will be utilized.

Fix Text

Configure the web server’s trust store to trust only DoD-approved PKIs (e.g., DoD PKI, DoD ECA, and DoD-approved external partners).

Check Content

Enter the following command:
find / -name ssl.conf
Note the path of the file, then enter:
grep "SSLCACertificateFile" /path/of/ssl.conf
Review the results to determine the path of the SSLCACertificateFile, then enter:
more /path/of/ca-bundle.crt
Examine the contents of this file to determine if the trusted CAs are DoD approved. If the trusted CAs that are used to authenticate users to the web site do not lead to an approved DoD CA, this is a finding.
NOTE: There are non-DoD roots that must be on the server in order for it to function. Some applications, such as anti-virus programs, require root CAs to function. DoD-approved certificates can include the External Certificate Authorities (ECA), if approved by the DAA. The PKE InstallRoot 3.06 System Administrator Guide (SAG), dated 8 Jul 2008, contains a complete list of DoD, ECA, and IECA CAs.

Responsibility

System Administrator

Removed

V-13686

Remote authors or content providers will only use secure encrypted logons and connections to upload files to the Document Root directory.

Finding ID
WG235
Rule ID
SV-14278r2_rule
Severity
Cat I
CCE
(None)
Group Title
WG235
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Logging in to a web server via a telnet session or using HTTP or FTP in order to upload documents to the web site is a risk if proper encryption is not utilized to protect the data being transmitted. A secure shell service or HTTPS needs to be installed and in use for these purposes.

Fix Text

Use only secure encrypted logons and connections for uploading files to the web site.

Check Content

Query the SA to determine if there is a process for the uploading of files to the web site. This process should include the requirement for the use of a secure encrypted logon and secure encrypted connection. If the remote users are uploading files without utilizing approved encryption methods, this is a finding.

Responsibility

Web Administrator

Removed

V-13687

Remote authors or content providers must have all files scanned for malware before uploading files to the Document Root directory.

Finding ID
WG237 W22
Rule ID
SV-40826r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG237
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and checking for malicious or mobile code. A remote web user whose agency has a Memorandum of Agreement (MOA) with the hosting agency and has submitted a DoD form 2875 (System Authorization Access Request (SAAR)) or an equivalent document will be allowed to post files to a temporary location on the server. All posted files to this temporary location will be scanned for viruses and content checked for malicious or mobile code. Only files free of viruses and malicious or mobile code will be posted to the appropriate Document Root directory.

Fix Text

Install anti-virus software on the system and set it to automatically scan new files that are introduced to the web server.

Check Content

Remote web authors should not be able to upload files to the Document Root directory structure without virus checking and checking for malicious or mobile code. Query the SA to determine if there is anti-virus software active on the server with auto-protect enabled, or if there is another process in place for the scanning of files being posted by remote authors. If there is no virus software on the system with auto-protect enabled, or if there is not a process in place to ensure all files being posted are being virus scanned before being saved to the document root, this is a finding.

Responsibility

System Administrator

Removed

V-13688

Log file data must contain required data elements.

Finding ID
WG242
Rule ID
SV-14282r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG242
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The use of log files is a critical component of the operation of the Information Systems (IS) used within the DoD, and they can provide invaluable assistance with regard to damage assessment, causation, and the recovery of both affected components and data. They may be used to monitor accidental or intentional misuse of the (IS) and may be used by law enforcement for criminal prosecutions. The use of log files is a requirement within the DoD.

Fix Text

Configure the web server to ensure the log file data includes the required data elements.

Check Content

To verify the log settings, the default UNIX location is:
/usr/local/apache/logs/access_log
If this directory does not exist, you can search the web server for the httpd.conf file to determine the location of the logs. Items to be logged are as shown in this sample line in the httpd.conf file:
LogFormat "%a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" " combined
If the web server is not configured to capture the required audit events for all sites and virtual directories, this is a finding.

Responsibility

System Administrator

Removed

V-13689

Access to the web server log files will be restricted to administrators, web administrators, and auditors.

Finding ID
WG255
Rule ID
SV-14286r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG255
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The access and error logs are a major tool for exploring web site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and the web administrator with valuable information. Because of the information that is captured in the logs, it is critical that only authorized individuals have access to the logs.

Fix Text

To ensure the integrity of the data that is being captured in the log files, ensure that only the members of the Auditors group, Administrators, and the user assigned to run the web server software are granted permissions to read the log files.

Check Content

Look for the presence of log files at:
/usr/local/apache/logs/access_log
To ensure the correct location of the log files, examine the "ServerRoot" directive in the httpd.conf file and then navigate to that directory, where you will find a subdirectory for the logs. Determine permissions for the log files from the command line: cd to the directory where the log files are located and enter the command:
ls -al *log
Note the owner and group permissions on these files. Only the Auditors, Web Managers, Administrators, and the account that runs the web server should have permissions to the files. If any users other than those authorized have read access to the log files, this is a finding.

Responsibility

System Administrator

Removed

V-13694

Public web servers will use TLS if authentication is required.

Finding ID
WG342
Rule ID
SV-14298r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG342
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

TLS encryption is optional for a public web server. However, if authentication and encryption are used, then the use of TLS is required. Transactions encrypted with DoD PKI certificates are necessary when information being transferred is not intended to be accessed by all parties on the network. To the extent that this standard applies, this check is valid for the SIPRNet also. FIPS 140-2 compliance includes:
  • TLS V1.0 or greater must be enabled; the use of SSL disabled
  • Configuration of required cryptographic modules as specified by NIST CMVP

Fix Text

Edit the httpd.conf file and set the SSLProtocol to TLSv1 and the SSLEngine to On.

Check Content

Enter the following command:
/usr/local/apache2/bin/httpd -M
This will provide a list of all the loaded modules. Verify that the "ssl_module" is loaded. If this module is not found, this is a finding. After determining that the ssl module is active, enter the following command:
grep "SSL" /usr/local/apache2/conf/httpd.conf
Review the SSL sections of the httpd.conf file. All enabled SSLProtocol directives must be set to "TLSv1"; if not, this is a finding. All enabled SSLEngine directives must be set to "on"; if not, this is a finding.
NOTE: In some cases web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the TLS certificate for the web sites may be installed on the content switch rather than the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. Users should not have the ability to bypass the content switch to access the web sites.

Responsibility

System Administrator

Removed

V-13698

The IISADMPWD directory has not been removed from the Web server.

Finding ID
WA000-WI035
Rule ID
SV-14308r1_rule
Severity
Cat I
CCE
(None)
Group Title
WA000-WI035
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The IISADMPWD directory is included by default with IIS. It allows users to reset Windows passwords. The use of userids and passwords is a far less secure solution for controlling user access to web applications than a PKI solution with subscriber certificates. The capability to change passwords externally gives potential intruders an easier mechanism to access the system in an effort to compromise userids and passwords.

Fix Text

If possible, ensure the IISADMPWD directory has been removed from the web server.
NOTE: There have been numerous reports of sites not being able to delete this directory without Windows File Protection automatically restoring it. The work around for this will be to ensure the virtual directory is removed from all web sites associated with the server and to restrict access for this directory and files to the system and administrators.
NOTE: You may be able to delete the .dll in the IISADMPWD folder by going into safe mode and deleting it. This will not work for the folder.
If the IISADMPWD directory cannot be deleted, set the permissions as follows:
Administrators - Full Control
System - Full Control
Also, review all web sites associated with this server and ensure any virtual directories pointing to IISADMPWD are removed. A virtual directory will be a child directory to a web site.

Check Content

Using Explorer, navigate to the %systemroot%\system32\inetsrv directory on the web server. If the IISADMPWD directory does not exist, this is NOT a finding and you can stop the check procedure here.
NOTE: There have been numerous reports of sites not being able to delete this directory without Windows File Protection automatically restoring it. The work around for this will be to ensure the virtual directory is removed from all web sites associated with the server and to restrict access for this directory and files to the system and administrators.
If the IISADMPWD directory exists on the server, review the permissions on this directory and files within the directory. The permissions should be as follows:
Administrators - Full Control
System - Full Control
If any other user or group has permissions to this directory, this is a finding. If the permissions are set correctly, use the IIS Services Manager and review the web sites to see if there is a virtual directory associated with any of the sites pointing to the IISADMPWD directory. A virtual directory will be a child directory to a web site. If any of these directories point to the IISADMPWD directory, this is a finding, even if the permissions are set correctly.
NOTE: There is a possibility that the automated check will result in a false positive condition. This could occur if you have renamed the Administrators account. If the account that is causing the finding has access to this directory and is in the Administrators group, this would not be a finding.

Responsibility

Web Administrator

Removed

V-13699

The IIS web site permissions "Write" or "Script Source" must not be selected.

Finding ID
WA000-WI092 IIS6
Rule ID
SV-38020r1_rule
Severity
Cat I
CCE
(None)
Group Title
WA000-WI092
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Web site permissions, including Read, Write, and Script Source Access, can be set within the IIS Administration tool. Configuration settings made at the Web Server level are inherited by all of the web sites on the server. Inheritance can be overridden by configuring the individual site or site element. These permissions control what users can access from the web site. If Read is selected, the source of the pages can be read; if Write is selected, pages can be written to or updated. If Script Source Access is checked, source code for scripts can be viewed. This option is not available if neither Read nor Write is selected. Allowing users access to the source of the web pages may provide the user with more information than they are authorized to see. This is especially an issue for the source code for scripts on the web server.

Fix Text

1. Open the IIS Manager > Right click on the website (including directories, sub-directories, virtual directories, and files) being reviewed > Select Properties > Select the Home Directory (Directory, Virtual Directory, or File) tab.
2. Uncheck the Write and/or the Script source access permissions.

Check Content

1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Home Directory tab.
If the IIS web site permissions "Write" or "Script source access" are selected, this is a finding.
NOTE: This should be completed for all directories (including sub-directories), virtual directories, and files for the site being reviewed.

Responsibility

Web Administrator

Removed

V-13701

The command shell options are not disabled.

Finding ID
WA000-WI110
Rule ID
SV-14311r1_rule
Severity
Cat I
CCE
(None)
Group Title
WA000-WI110
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The command shell can be used to call arbitrary commands at the Web server from within an HTML page.

Fix Text

Ensure the shell command is disabled. Set the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
To the following value:
SSIEnableCmdDirective REG_DWORD 0

Check Content

Ensure the shell command is disabled. Check the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
For the following value:
SSIEnableCmdDirective REG_DWORD 0
If the value is not REG_DWORD 0, this is a finding. If the registry key does not exist for IIS 5 or IIS 6, this would not be a finding as it defaults to disabled. Previous versions of IIS should be marked as a finding if the key does not exist.

Responsibility

Web Administrator
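The registry check above, scripted as an added example (not part of the STIG text) so the same rule can be run across many servers; it reports in the STIG's own finding/not-a-finding terms and treats an absent value the way the check content describes for IIS 5 and IIS 6:

```powershell
# Added example, not part of the STIG: audit the SSIEnableCmdDirective value
# that V-13701 describes (REG_DWORD 0 under the W3SVC Parameters key).
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
$valueName = 'SSIEnableCmdDirective'

function Test-SsiCmdDirective {
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: the check content says IIS 5/6 default to disabled,
        # so absence is not a finding on those versions (earlier IIS versions would be).
        return "$valueName not present (defaults to disabled on IIS 5/6): NOT a finding"
    }

    # Check the registry type as well as the value; the rule requires REG_DWORD = 0.
    $value = $item.$valueName
    $kind  = (Get-Item -Path $keyPath).GetValueKind($valueName)
    if ($kind -eq 'DWord' -and $value -eq 0) {
        return "$valueName is REG_DWORD 0: NOT a finding"
    }
    return "$valueName is $kind $value (expected REG_DWORD 0): FINDING"
}

function Set-SsiCmdDirectiveDisabled {
    # Applies the Fix Text: create the key if needed and force the value to REG_DWORD 0.
    if (-not (Test-Path -Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
}

Test-SsiCmdDirective
```

Run Set-SsiCmdDirectiveDisabled only on systems where the check reports a finding; the W3SVC service reads the value at start-up, so restart it afterwards.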

Removed

V-13702

The Content Location header contains proprietary IP addresses.

Finding ID
WA000-WI120
Rule ID
SV-14312r1_rule
Severity
Cat III
CCE
(None)
Group Title
WA000-WI120
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

When using static HTML pages, a Content-Location header is added to the response. By default, Internet Information Server (IIS) 4.0 Content-Location references the IP address of the server rather than the FQDN or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses to sending the FQDN instead. The value that needs to be set is the w3svc/UseHostName, and it needs to be set to True. The other option to prevent this from occurring is to use Active Server Pages instead of static HTML pages and create a custom header that sends back a specific Content-Location. For complete instructions on this issue, please refer to Microsoft Knowledge Base article Q218180.

Fix Text

Set the value on an IIS 5.0 server:
1. Open a command window (cmd).
2. Change the directory to: inetpub\adminscripts. Note: This may vary depending on your installation of Internet Information Server.
3. Type the following syntax:
adsutil set w3svc/UseHostName True
By default, this value is set to False. Therefore, it returns only the IP address of the IIS computer. Setting this value to True returns the Fully Qualified Domain Name (FQDN) for the IIS computer.
4. We recommend that you restart the Inetinfo service or restart your computer after you make this modification. To stop the Inetinfo process, type the following at the command line:
net stop iisadmin /y
Note: Make a note of what services are stopped so that you can restart them.
5. Type the following:
net start w3svc
Note: This is the minimum to allow the Web server to operate again. Any other services will depend on what is installed for IIS or SiteServer that you noted in step 4.

Check Content

Open a command prompt and navigate to the Inetpub\adminscripts directory. From there, enter the following command:
adsutil.vbs get w3svc/usehostname
The utility will either return an error message that the property does not exist (if this is the case, this is a finding), or it may return either a true or false value. If it is false, this is a finding.
NOTE: You may have to put cscript in front of the command: "cscript adsutil.vbs get w3svc/x/usehostname".
NOTE: If the directory does not exist, you can search the system for the adsutil.vbs file. If the file does not exist, you will need to work with the SA to determine where the tool to query the metabase is located.

Responsibility

Web Administrator

Removed

V-13703

The website must have a unique application pool.

Finding ID
WA000-WI6010 IIS7
Rule ID
SV-32515r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6010
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Click the Advanced Settings in the Action Pane.
4. Under the General section click on the application pool name, then click on the application pool selection button.
5. Select the desired application pool in the application pool dialogue box.

Check Content

1. Open the IIS Manager.
2. Click the site name under review.
3. Click the Advanced Settings in the Action Pane.
4. Under the General section review the application pool name.
5. If any websites share an application pool, this is a finding.

Responsibility

Web Administrator

Removed

V-13704

The Recycle Worker processes in minutes monitor must be set properly.

Finding ID
WA000-WI6020 IIS6
Rule ID
SV-38134r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6020
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows you to configure options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.

Fix Text

1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Recycling tab.
2. Ensure the Recycle worker processes (in minutes) check box is checked and set the value to 1740 or less.
3. Press OK.

Check Content

1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Recycling tab.
2. Ensure the Recycle worker processes (in minutes) check box is checked and the value is set to 1740 or less.
If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.

Responsibility

Web Administrator

Removed

V-13705

The maximum number of requests an application pool can process must be set.

Finding ID
WA000-WI6022 IIS6
Rule ID
SV-38132r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6022
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows you to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.

Fix Text

1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Recycling tab.
2. Ensure the Recycle worker processes (number of requests) is enabled and the value is set to 35000 or less.

Check Content

1. Open the IIS Manager > Right click on the Application Pool that corresponds to the web site being reviewed > Select Properties > Select the Recycling tab.
2. Ensure the Recycle worker processes (number of requests) is enabled and the value is set to 35000 or less.
If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.

Responsibility

Web Administrator

Removed

V-13706

The maximum virtual memory monitor must be enabled.

Finding ID
WA000-WI6024 IIS6
Rule ID
SV-38033r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6024
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows you to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.

Fix Text

1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Recycling tab.
2. Ensure the maximum virtual memory monitor is enabled and the value is set to 792 or less.

Check Content

1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Recycling tab.
2. Ensure the Maximum virtual memory monitor is enabled and the value is set to 792 or less.
If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.

Responsibility

Web Administrator

Removed

V-13707

The maximum used memory monitor must be enabled.

Finding ID
WA000-WI6026 IIS6
Rule ID
SV-38130r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6026
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows you to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.

Fix Text

1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Recycling tab.
2. Ensure the maximum used memory is enabled and the value is set to 192 or less.

Check Content

1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Recycling tab.
2. Ensure the maximum used memory is enabled and the value is set to 192 or less.
If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.

Responsibility

Web Administrator

Removed

V-13708

The Idle Timeout monitor must be enabled.

Finding ID
WA000-WI6028 IIS7
Rule ID
SV-32572r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6028
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The idle time-out attribute controls the amount of time a worker process will remain idle before it shuts down. A worker process is idle if it is not processing requests and no new requests are received. The purpose of this attribute is to conserve system resources; the default value for idle time-out is 20 minutes. By default, the World Wide Web (WWW) service establishes an overlapped recycle, in which the worker process to be shut down is kept running until after a new worker process is started.

Fix Text

1. Open the IIS Manager.
2. Click the Application Pools.
3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane.
4. Scroll down to the Process Model section and set the value for Idle Time-out to 20.

Check Content

1. Open the IIS Manager.
2. Click the Application Pools.
3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane.
4. Scroll down to the Process Model section and ensure the value for Idle Time-out is set to 20.
If not, this is a finding.
NOTE: If the site has operational reasons to set Idle Time-out to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Responsibility

Web Administrator

Removed

V-13709

The maximum queue length for HTTP.sys must be managed.

Finding ID
WA000-WI6030 IIS7
Rule ID
SV-32573r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6030
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

In order to determine the possible causes of client connection errors and to conserve system resources, it is important to both log errors and manage those settings controlling requests to the application pool.

Fix Text

1. Open the IIS Manager.
2. Click the Application Pools.
3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane.
4. Scroll down to the General section and set the value for Queue Length to 1000.

Check Content

1. Open the IIS Manager.
2. Click the Application Pools.
3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane.
4. Scroll down to the General section and ensure the value for Queue Length is set to 1000.

If not, this is a finding.

NOTE: If the site has operational reasons to set Queue Length to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Responsibility

Web Administrator

Removed

V-13710

An application pool’s pinging monitor must be enabled.

Finding ID
WA000-WI6032 IIS7
Rule ID
SV-32574r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6032
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Windows Process Activation Service (WAS) manages application pool configurations and may flag a worker process as unhealthy and shut it down. An application pool’s pinging monitor must be enabled to confirm worker processes are functional. A lack of response from the worker process might mean the worker process does not have a thread to respond to the ping request, or it is hanging for some other reason. The ping interval and ping response time may need adjustment to gain access to timely information about application pool health without triggering false, unhealthy conditions; for example, instability caused by an application.

Fix Text

1. Open the IIS Manager.
2. Click the Application Pools.
3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane.
4. Scroll down to the Process Model section and set the value for Ping Enabled to True.

Check Content

1. Open the Internet Information Services (IIS) Manager.
2. Click the Application Pools.
3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane.
4. Scroll down to the Process Model section and ensure the value for Ping Enabled is set to True.

If not, this is a finding.

Responsibility

Web Administrator

Removed

V-13711

An application pool’s rapid fail protection must be enabled.

Finding ID
WA000-WI6034 IIS7
Rule ID
SV-32603r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6034
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Rapid fail protection is a feature that interrogates the health of worker processes associated with web sites and web applications. It can be configured to perform a number of actions such as shutting down and restarting worker processes that have reached failure thresholds. By not setting rapid fail protection the web server could become unstable in the event of a worker process crash potentially leaving the web server unusable.

Fix Text

1. Open the IIS Manager.
2. Click the Application Pools.
3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane.
4. Scroll down to the Rapid Fail Protection section and set the value for Enabled to True.

Check Content

1. Open the IIS Manager.
2. Click the Application Pools.
3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane.
4. Scroll down to the Rapid Fail Protection section and ensure the value for Enabled is set to True.

If not, this is a finding.

Responsibility

Web Administrator

Removed

V-13712

An application pool’s rapid fail protection settings must be managed.

Finding ID
WA000-WI6036 IIS7
Rule ID
SV-32605r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6036
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Windows Process Activation Service (WAS) manages application pool configuration and may flag a worker process as unhealthy and shut it down. The rapid fail protection must be set to a suitable value. A lack of response from the worker process might mean the worker process does not have a thread to respond to the ping request, or that it is hanging for some other reason. The ping interval and ping response time may need adjustment to gain access to timely information about application pool health without triggering false, unhealthy conditions.

Fix Text

1. Open the IIS Manager.
2. Click the Application Pools.
3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane.
4. Scroll down to the Rapid Fail Protection section and set the value for Failure Interval to 5.

Check Content

1. Open the IIS Manager.
2. Click the Application Pools.
3. Highlight an Application Pool to review and click Advanced Settings in the Actions Pane.
4. Scroll down to the Rapid Fail Protection section and ensure the value for Failure Interval is set to 5.

If not, this is a finding.

NOTE: If the site has operational reasons to set Failure Interval to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Responsibility

Web Administrator

Removed

V-13713

A unique non-privileged account must be used to run Worker Process Identities.

Finding ID
WA000-WI6040 IIS6
Rule ID
SV-38046r1_rule
Severity
Cat I
CCE
(None)
Group Title
WA000-WI6040
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Worker Process Identity is the user defined to run an Application Pool. The IIS 6 worker processes, by default, run under the NetworkService account. Creating a custom identity for each Application Pool makes it easier to track issues occurring within each web site. When a custom identity is used, the rights and privileges must not exceed those associated with the NetworkService security principal.

Fix Text

1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Identity tab.
2. Enter the desired account information.
3. Check the privileges on the account found in step 2 by using Computer Management and opening Users and Groups.
4. Ensure the account is a member of the IIS_WPG group and does not have membership in the Administrators group.

Check Content

1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Identity tab.
2. Identify the account used to run the process identities.
3. Check the privileges on the account found in step 2 by using Computer Management and opening Users and Groups.
4. The account should be in the IIS_WPG group and not have membership in the Administrators group.

If the account used to run the Worker Process Identities is also an Administrator, this is a finding. If the account is set to LocalSystem, this is a finding.

NOTE: The "Local Service" or "Network Service" built-in accounts are not privileged accounts and would not be a finding.

NOTE: This check may be reported as a False Positive by the Gold Disk, so a manual verification is recommended if this is an open finding. If this is reported as not a finding, no further checking is necessary.

Responsibility

Web Administrator

Removed

V-13714

The AllowRestrictedChars registry key must be disabled.

Finding ID
WA000-WI6080 IIS6
Rule ID
SV-38160r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6080
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

IIS6 Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. If the AllowRestrictedChars key is set to a nonzero value, Http.sys accepts hex-escaped chars in request URLs that decode to U+0000 – U+001F and U+007F – U+009F ranges. If this capability is enabled it allows malicious characters to be hex-encoded by an attacker in an attempt to bypass input validation routines.

Fix Text

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the AllowRestrictedChars key to REG_DWORD 0, or add the key and set it to REG_DWORD 0.

Check Content

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value for the AllowRestrictedChars key is set to REG_DWORD 0.

If the registry key is not set to 0 or does not exist, this is a finding.

Responsibility

Web Administrator

Removed

V-13715

The EnableNonUTF8 registry key must be disabled.

Finding ID
WA000-WI6082 IIS6
Rule ID
SV-38161r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6082
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The EnableNonUTF8 registry key expands the amount of character types the web server accepts. Hackers can use this capability to submit content in a URL that can execute in the CPU by means of a buffer overflow.

Fix Text

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the EnableNonUTF8 key to REG_DWORD 0, or add the key and set it to REG_DWORD 0.

Check Content

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value for the EnableNonUTF8 key is REG_DWORD 0.

If the registry key is not set to 0 or does not exist, this is a finding.

Responsibility

Web Administrator

Removed

V-13716

The FavorUTF8 registry key must be set properly.

Finding ID
WA000-WI6084 IIS6
Rule ID
SV-38162r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6084
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The FavorUTF8 registry key allows URLs to be decoded as UTF-8 before any other encoding. Overlong encoding forms have been used to bypass security validations in high profile products including Microsoft's IIS web server. Therefore, great care must be taken to avoid security issues if validation is performed before conversion from UTF-8, and it is generally much simpler to handle overlong forms before any input validation is done. To maintain security in the case of invalid input, there are two options. The first is to decode the UTF-8 before doing any input validation checks. The second is to use a decoder that, in the event of invalid input, returns either an error or text the application considers to be harmless. Another possibility is to avoid conversion out of UTF-8 altogether but this relies on any other software that the data is passed to safely handling the invalid data.

Fix Text

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the "FavorUTF8" key to REG_DWORD 1; add the key if it does not exist.

Check Content

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the FavorUTF8 key is REG_DWORD 1.

If the registry value is not set to 1, this is a finding.

NOTE: If check WA000-WI6082 is set correctly to 0, this registry key is optional and would not be a finding if it is not present.

Responsibility

Web Administrator

Removed

V-13717

The MaxFieldLength registry entry must be set properly.

Finding ID
WA000-WI6086 IIS6
Rule ID
SV-38163r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6086
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

By default, the MaxFieldLength registry entry is not present. This registry entry specifies the maximum size of any individual HTTP client request. Typically, this registry entry is configured together with the MaxRequestBytes registry entry. Setting this value too high, when the application does not require it to operate, may cause performance problems as well as Denial of Service issues for the web server.

Fix Text

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the MaxFieldLength key to REG_DWORD 16384 (or less), or add the key and set it to REG_DWORD 16384.

Check Content

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value for the MaxFieldLength key is REG_DWORD 16384 (or less).

If the registry value is not set to 16384 (or less) or is missing, this is a finding.

NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.

Responsibility

Web Administrator

Removed

V-13718

The MaxRequestBytes registry entry must be set properly.

Finding ID
WA000-WI6088 IIS6
Rule ID
SV-38164r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6088
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The MaxRequestBytes registry key determines the upper limit for the total size of the HTTP request line and headers. If this value is set too high, performance or Denial of Service conditions may appear.

Fix Text

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the MaxRequestBytes key to REG_DWORD 16384 (or less), or add the key and set it to REG_DWORD 16384.

Check Content

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value for the MaxRequestBytes key is set to REG_DWORD 16384 (or less).

If the registry key is not set to 16384 (or less) or is missing, this is a finding.

NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.

Responsibility

Web Administrator

Removed

V-13719

The UrlSegmentMaxLength registry entry must be set properly.

Finding ID
WA000-WI6090 IIS6
Rule ID
SV-38165r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6090
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The UrlSegmentMaxLength key sets the maximum number of characters in a URL path segment (the area between the slashes in the URL). Setting this value too large may cause performance or a Denial of Service condition on the web server.

Fix Text

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the UrlSegmentMaxLength key to REG_DWORD 260 (or less), or add the key and set it to REG_DWORD 260.

Check Content

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value for the UrlSegmentMaxLength key is set to REG_DWORD 260 (or less).

If the registry key is not set to 260 (or less) or is missing, this is a finding.

Responsibility

Web Administrator

Removed

V-13720

The PercentUAllowed registry entry must be set properly.

Finding ID
WA000-WI6092 IIS6
Rule ID
SV-38166r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6092
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The PercentUAllowed key allows the web server to accept Unicode character syntax via ASCII (i.e., through the URL). Allowing this type of notation opens the web server to encoding attacks.

Fix Text

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the PercentUAllowed key to REG_DWORD 0, or add the key and set it to REG_DWORD 0.

Check Content

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value for the PercentUAllowed key is set to REG_DWORD 0.

If the registry value is not set to 0 or is missing, this is a finding.

Responsibility

Web Administrator

Removed

V-13721

The UriMaxUriBytes registry entry must be set properly.

Finding ID
WA000-WI6094 IIS6
Rule ID
SV-38167r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6094
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The UriMaxUriBytes key is used to set size limits on what is cached in the kernel response cache. Setting this value too large may cause performance or Denial of Service conditions on the web server.

Fix Text

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the UriMaxUriBytes key to REG_DWORD 262144, or add the key and set it to REG_DWORD 262144.

Check Content

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value for the UriMaxUriBytes key is set to REG_DWORD 262144 (or less).

If the registry value is not set to 262144 (or less) or is missing, this is a finding.

Responsibility

Web Administrator

Removed

V-13722

The UrlSegmentMaxCount registry entry must be set properly.

Finding ID
WA000-WI6096 IIS6
Rule ID
SV-38168r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6096
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The UrlSegmentMaxCount value determines the maximum number of URL path segments accepted by the server. It effectively limits the number of slashes that can be included by the user in a request URL. It is recommended to set fairly stringent limits on this value based on the depth of the web document root tree to protect the server from a file system traversal attack.

Fix Text

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the UrlSegmentMaxCount key to REG_DWORD 255 (or less), or add the key and set it to REG_DWORD 255.

Check Content

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value for the UrlSegmentMaxCount key is set to REG_DWORD 255 (or less).

If the registry value is not set to 255 (or less) or is missing, this is a finding.

Responsibility

Web Administrator
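The nine HTTP.sys registry checks above (V-13714 through V-13722) all read values under the same Parameters key, so they can be audited in one pass. The following Python script is an added example, not part of the STIG or of any DISA tool; it assumes it runs on the IIS host for the live read (winreg is Windows-only), keeps the rule evaluation in a portable function, and encodes the FavorUTF8 exception noted under WA000-WI6084.

```python
"""Audit the HTTP.sys registry values called out in V-13714 through V-13722.

Added example, not DISA's or Microsoft's code. read_http_parameters() reads the
live key (Windows only); evaluate_http_parameters() is pure so the same rules
can be exercised against a constructed snapshot on any platform.
"""
from typing import Dict, List, Optional

try:
    import winreg  # standard library, but only present on Windows
except ImportError:  # non-Windows host: live read unavailable, evaluation still works
    winreg = None

HTTP_PARAMETERS = r"SYSTEM\CurrentControlSet\Services\HTTP\Parameters"

# (value name, comparison, limit, STIG id) taken from the Fix/Check text above.
RULES = [
    ("AllowRestrictedChars", "equals", 0, "V-13714"),
    ("EnableNonUTF8", "equals", 0, "V-13715"),
    ("FavorUTF8", "equals", 1, "V-13716"),
    ("MaxFieldLength", "at_most", 16384, "V-13717"),
    ("MaxRequestBytes", "at_most", 16384, "V-13718"),
    ("UrlSegmentMaxLength", "at_most", 260, "V-13719"),
    ("PercentUAllowed", "equals", 0, "V-13720"),
    ("UriMaxUriBytes", "at_most", 262144, "V-13721"),
    ("UrlSegmentMaxCount", "at_most", 255, "V-13722"),
]


def read_http_parameters() -> Dict[str, int]:
    """Snapshot every REG_DWORD under HKLM\\...\\HTTP\\Parameters (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    values: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HTTP_PARAMETERS) as key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            if kind == winreg.REG_DWORD:
                values[name] = data
            index += 1
    return values


def evaluate_http_parameters(values: Dict[str, Optional[int]]) -> List[str]:
    """Return the STIG ids that are open findings for this snapshot.

    A missing value is a finding for every rule except FavorUTF8, which the
    WA000-WI6084 check text makes optional when EnableNonUTF8 is correctly 0.
    Limits marked "(or less)" in the check text are compared with at_most.
    """
    findings: List[str] = []
    for name, kind, limit, stig_id in RULES:
        value = values.get(name)
        if value is None:
            if name == "FavorUTF8" and values.get("EnableNonUTF8") == 0:
                continue  # optional per the WA000-WI6084 note
            findings.append(stig_id)
            continue
        if kind == "equals" and value != limit:
            findings.append(stig_id)
        elif kind == "at_most" and value > limit:
            findings.append(stig_id)
    return findings


if __name__ == "__main__":
    open_findings = evaluate_http_parameters(read_http_parameters())
    for stig_id in open_findings:
        print("open finding:", stig_id)
    print("compliant" if not open_findings else f"{len(open_findings)} finding(s)")
```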

Removed

V-13723

The MaxRequestEntityAllowed metabase value must be defined.

Finding ID
WA000-WI6098 IIS6
Rule ID
SV-38047r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6098
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

IIS 6.0 limits the size of requests directly from the settings in the metabase with the metabase entry MaxRequestEntityAllowed. This entry is similar to the MaxRequestEntityAllowed and MaxAllowedContentLength settings configured in the UrlScan tool. The MaxRequestEntityAllowed property specifies the maximum number of bytes allowed in the entity body of a request. If a Content-Length header is present and specifies an amount of data greater than the value of MaxRequestEntityAllowed, IIS sends a 403 error response.

Fix Text

1. From the CLI, navigate to the location of the adsutil.vbs script.
2. Enter the following: adsutil.vbs set w3svc/MaxRequestEntityAllowed 30000000
3. Press Enter.
4. Restart IIS.

NOTE: You may have to put cscript in front of the command adsutil.vbs (i.e., cscript adsutil.vbs set w3svc/MaxRequestEntityAllowed 30000000).

Check Content

1. Open the MBSchema.xml file for the web server with Notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv).
2. Press CTRL+F > Enter "MaxRequestEntityAllowed" > Select the Find Next button.
3. Ensure the Attributes attribute is set to INHERIT.
4. Open the metabase.xml file for the web server with Notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv).
5. Press CTRL+F > Enter Location="/LM/W3SVC" > Select Find Next.
6. In the search box now enter MaxRequestEntityAllowed > Check Match whole word only & Match case > Press Find Next.
7. Ensure the MaxRequestEntityAllowed attribute is present within the /LM/W3SVC key and set to 30000000 or less.

If the MaxRequestEntityAllowed attribute is not set to INHERIT, this is a finding. If the MaxRequestEntityAllowed attribute is not found, this is a finding. If the MaxRequestEntityAllowed attribute is not found within the /LM/W3SVC key, this is a finding. If it is found and has a value greater than 30000000, this is a finding.

NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of an increased value. If the site has this documentation, this should be marked as not a finding.

Responsibility

Web Administrator

Removed

V-13724

The httpd.conf Timeout directive is not set properly.

Finding ID
WA000-WWA020
Rule ID
SV-14334r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA020
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to provide reasonable limits for the protection of the web server. If necessary, these limits can be adjusted to accommodate the operational requirement of a given system.

Fix Text

Edit the httpd.conf file and set the value of "Timeout" to 300 seconds or less.

Check Content

To view the Timeout value, enter the following command: grep "Timeout" /usr/local/apache2/conf/httpd.conf

Verify the value is 300 or less. If not, this is a finding.

NOTE: If the directive does not exist, this is not a finding because it will default to 300. It is recommended that the directive be explicitly set to prevent unexpected results should the defaults for any reason be changed (i.e., a software update).

Responsibility

Web Administrator

Removed

V-13725

The httpd.conf KeepAlive directive is not enabled.

Finding ID
WA000-WWA022
Rule ID
SV-14335r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA022
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to provide reasonable limits for the protection of the web server. If necessary, these limits can be adjusted to accommodate the operational requirement of a given system. From Apache.org: The Keep-Alive extension to HTTP/1.0 and the persistent connection feature of HTTP/1.1 provide long-lived HTTP sessions which allow multiple requests to be sent over the same TCP connection. In some cases this has been shown to result in an almost 50% speedup in latency times for HTML documents with many images. To enable Keep-Alive connections, set KeepAlive On. For HTTP/1.0 clients, Keep-Alive connections will only be used if they are specifically requested by a client. In addition, a Keep-Alive connection with an HTTP/1.0 client can only be used when the length of the content is known in advance. This implies that dynamic content such as CGI output, SSI pages, and server-generated directory listings will generally not use Keep-Alive connections to HTTP/1.0 clients. For HTTP/1.1 clients, persistent connections are the default unless otherwise specified. If the client requests it, chunked encoding will be used in order to send content of unknown length over persistent connections.

Fix Text

Edit the httpd.conf file and set the value of "KeepAlive" to "On".

Check Content

To view the KeepAlive value, enter the following command: grep "KeepAlive" /usr/local/apache2/conf/httpd.conf

Verify the value of KeepAlive is set to "On". If not, this is a finding.

NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for not using persistent connections. If the site has this documentation, this should be marked as Not a Finding.

Responsibility

Web Administrator

Removed

V-13726

The httpd.conf KeepAliveTimeout directive is set to unlimited.

Finding ID
WA000-WWA024
Rule ID
SV-14336r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA024
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to provide reasonable limits for the protection of the web server. If necessary, these limits can be adjusted to accommodate the operational requirement of a given system. From Apache.org: The number of seconds Apache will wait for a subsequent request before closing the connection. Once a request has been received, the timeout value specified by the Timeout directive applies. Setting KeepAliveTimeout to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.

Fix Text

Edit the httpd.conf file and set the value of KeepAliveTimeout to the value of 15 or less.

Check Content

Locate the Apache httpd.conf file. If you cannot locate the file, you can do a search of the drive to find the location of the file. Open the httpd.conf file with an editor and search for the following directive: KeepAliveTimeout

The value needs to be 15 or less. If the directive is set improperly, this is a finding. If the directive does not exist, this is NOT a finding because it will default to 5. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

NOTE: This vulnerability can be documented locally with the IAM/IAO if the site has operational reasons for the use of an increased value. If the site has this documentation, this should be marked as Not a Finding.

Responsibility

Web Administrator

Removed

V-13727

The httpd.conf StartServers directive is not set properly.

Finding ID
WA000-WWA026
Rule ID
SV-14337r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA026
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to provide reasonable limits for the protection of the web server. If necessary, these limits can be adjusted to accommodate the operational requirement of a given system. From Apache.org: The StartServers directive sets the number of child server processes created on startup. As the number of processes is dynamically controlled depending on the load, there is usually little reason to adjust this parameter. The default value differs from MPM to MPM. For worker the default is StartServers 3. For prefork it defaults to 5 and for mpmt_os2 to 2.

Fix Text

Open the httpd.conf file with an editor and search for the following directive: StartServers

Set the directive to a value between 5 and 10; add the directive if it does not exist. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

Check Content

Locate the Apache httpd.conf file. If you cannot locate the file, you can do a search of the drive to find the location of the file. Open the httpd.conf file with an editor and search for the following directive: StartServers

The value needs to be between 5 and 10. If the directive is set improperly, this is a finding. If the directive does not exist, this is NOT a finding because it will default to 5. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of an increased or decreased value. If the site has this documentation, this should be marked as Not a Finding.

Responsibility

Web Administrator

Removed

V-13728

The httpd.conf MinSpareServers directive is not set properly.

Finding ID
WA000-WWA028
Rule ID
SV-14338r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA028
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to provide reasonable limits for the protection of the web server. If necessary, these limits can be adjusted to accommodate the operational requirement of a given system. From Apache.org: The MinSpareServers directive sets the desired minimum number of idle child server processes. An idle process is one which is not handling a request. If there are fewer than MinSpareServers idle, then the parent process creates new children at a maximum rate of 1 per second. Tuning of this parameter should only be necessary on very busy sites. Setting this parameter to a large number is almost always a bad idea.

Fix Text

Open the httpd.conf file with an editor and search for the following directive: MinSpareServers

Set the directive to a value between 5 and 10; add the directive if it does not exist. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

Check Content

Open the httpd.conf file with an editor and search for the following directive: MinSpareServers

The value needs to be between 5 and 10. If the directive is set improperly, this is a finding. If the directive is not found, you will need to review the httpd.conf file to see if there are other .conf files that are included or "linked" to the httpd.conf. The other conf files may contain these directives. If the directive does not exist, this is NOT a finding because it will default to 5. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of an increased or decreased value. If the site has this documentation, this should be marked as Not a Finding.

Responsibility

Web Administrator

IA Controls

ECSC-1

Removed

V-13729

The httpd.conf MaxSpareServers directive is not set properly.

Finding ID
WA000-WWA030
Rule ID
SV-14339r1_rule
Severity
Cat III
CCE
(None)
Group Title
WA000-WWA030
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to provide reasonable limits for the protection of the web server. If necessary, these limits can be adjusted to accommodate the operational requirement of a given system. From Apache.org: The MaxSpareServers directive sets the desired maximum number of idle child server processes. An idle process is one which is not handling a request. If there are more than MaxSpareServers idle, then the parent process will kill off the excess processes. Tuning of this parameter should only be necessary on very busy sites. Setting this parameter to a large number is almost always a bad idea. If you are trying to set the value equal to or lower than MinSpareServers, Apache will automatically adjust it to MinSpareServers + 1.

Fix Text

Open the httpd.conf file with an editor and search for the following directive: MaxSpareServers. Set the directive to a value of 10 or less; add the directive if it does not exist. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

Check Content

Open the httpd.conf file with an editor and search for the following directive: MaxSpareServers. The value needs to be 10 or less. If the directive is set improperly, this is a finding. If the directive is not found, you will need to review the httpd.conf file to see if there are other .conf files that are included or "linked" to the httpd.conf. The other .conf files may contain these directives. If the directive does not exist, this is NOT a finding because it will default to 10. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software. NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of an increased value. If the site has this documentation, this should be marked as Not a Finding.

Responsibility

Web Administrator

IA Controls

ECSC-1

Removed

V-13730

The httpd.conf MaxClients directive is not set properly.

Finding ID
WA000-WWA032
Rule ID
SV-14340r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA032
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to provide reasonable limits for the protection of the web server. If necessary, these limits can be adjusted to accommodate the operational requirement of a given system. From Apache.org: The MaxClients directive sets the limit on the number of simultaneous requests that will be served. Any connection attempts over the MaxClients limit will normally be queued, up to a number based on the ListenBacklog directive. Once a child process is freed at the end of a different request, the connection will then be serviced. For non-threaded servers (i.e., prefork), MaxClients translates into the maximum number of child processes that will be launched to serve requests. The default value is 256; to increase it, you must also raise ServerLimit. For threaded and hybrid servers (e.g. beos or worker) MaxClients restricts the total number of threads that will be available to serve clients. The default value for beos is 50. For hybrid MPMs the default value is 16 (ServerLimit) multiplied by the value of 25 (ThreadsPerChild). Therefore, to increase MaxClients to a value that requires more than 16 processes, you must also raise ServerLimit.

Fix Text

Open the httpd.conf file with an editor and search for the following directive: MaxClients. Set the directive to a value of 256 or less; add the directive if it does not exist. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

Check Content

Open the httpd.conf file with an editor and search for the following directive: MaxClients. The value needs to be 256 or less. If the directive is set improperly, this is a finding. If the directive does not exist, this is NOT a finding because it will default to 256. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software. NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of an increased value. If the site has this documentation, this should be marked as Not a Finding.

Responsibility

Web Administrator

Removed

V-13731

The CGI-Bin directory or the directory that maintains CGI scripts is not the only directory to have the ExecCGI directive applied.

Finding ID
WA000-WWA050
Rule ID
SV-14341r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA050
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Directory options directives are httpd.conf directives that can be applied to further restrict access to file and directories. The Options directive controls which server features are available in a particular directory. The ExecCGI option controls the execution of CGI scripts using mod_cgi. This needs to be restricted to only the directory intended for script execution.

Fix Text

Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias or other Script* directives. Remove the printenv default CGI from the cgi-bin directory if it is installed (rm $APACHE_PREFIX/cgi-bin/printenv). Remove the test-cgi file from the cgi-bin directory if it is installed (rm $APACHE_PREFIX/cgi-bin/test-cgi). Review and remove any other cgi-bin files which are not needed for business purposes.

Check Content

Locate the Apache httpd.conf file. If you cannot locate the file, you can do a search of the drive to find the location of the file. Open the httpd.conf file with an editor and search for the following directive: <Directory. Then review the Options statement for the following value: ExecCGI. If the value is found on an Options statement within the Directory directive, and it does not have a "-" preceding it, this is a finding. If the value does not exist, this would be a finding unless the Options statement has the "None" option. Please be sure to check all occurrences of the Directory directive for the presence of the ExecCGI value. If this is enabled on any of these, this would be a finding. NOTE: If the value is found on an Options statement within the Directory directive, and this is a directory used for interactive scripts (CGI), this is not a finding.

Responsibility

Web Administrator

Removed

V-13732

The "-FollowSymLinks" directive is not used on all data directories.

Finding ID
WA000-WWA052
Rule ID
SV-14342r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA052
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Directory options directives are httpd.conf directives that can be applied to further restrict access to files and directories. The server will follow symbolic links in this directory if the FollowSymLinks option is permitted.

Fix Text

Edit the httpd.conf file and set the value of FollowSymLinks to -FollowSymLinks.

Check Content

Locate the Apache httpd.conf file. If you cannot locate the file, you can do a search of the drive to find the location of the file. Open the httpd.conf file with an editor and search for the following directive: <Directory. Then review the Options statement for the following value: FollowSymLinks. If the value is found on an Options statement within the Directory directive, and it does not have a "-" preceding it, this is a finding. If the value does not exist, this would be a finding unless the Options statement has the "None" option. Please be sure to check all occurrences of the Directory directive for the presence of the FollowSymLinks value. If this is enabled on any of these, this would be a finding.

Responsibility

Web Administrator

Removed

V-13733

The "IncludesNOEXEC" directive is not enabled on any directory that maintains Server Side Includes.

Finding ID
WA000-WWA054
Rule ID
SV-14343r1_rule
Severity
Cat I
CCE
(None)
Group Title
WA000-WWA054
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Directory options directives are httpd.conf directives that can be applied to further restrict access to file and directories. The "IncludesNOEXEC" option allows Server-side includes, but the #exec cmd and #exec cgi are disabled. It is still possible to #include virtual CGI scripts from ScriptAliased directories.

Fix Text

Edit the httpd.conf file and add one of the following to the enabled Options directive: +IncludesNoExec, -IncludesNoExec, or -Includes. Remove the 'Includes' or '+Includes' setting from the Options statement.

Check Content

To view the Options value enter the following command: grep "Options" /usr/local/apache2/conf/httpd.conf. Review all uncommented Options statements for the following values: +IncludesNoExec, -IncludesNoExec, or -Includes. If these values do not exist, this is a finding. Note: if the enabled Options statement is set to "None" this check is N/A.

Responsibility

Web Administrator

Removed

V-13734

The MultiViews directive is used.

Finding ID
WA000-WWA056
Rule ID
SV-14344r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA056
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Directory options directives are httpd.conf directives that can be applied to further restrict access to file and directories. From Apache.org: MultiViews is a per-directory option, meaning it can be set with an Options directive within a <Directory>, <Location> or <Files> section in httpd.conf, or (if AllowOverride is properly set) in .htaccess files. Note that Options All does not set MultiViews; you have to ask for it by name. The effect of MultiViews is as follows: if the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements. MultiViews may also apply to searches for the file named by the DirectoryIndex directive, if the server is trying to index a directory. If the configuration files specify DirectoryIndex index then the server will arbitrate between index.html and index.html3 if both are present. If neither are present, and index.cgi is there, the server will run it. If one of the files found when reading the directory does not have an extension recognized by mod_mime to designate its Charset, Content-Type, Language, or Encoding, then the result depends on the setting of the MultiViewsMatch directive. This directive determines whether handlers, filters, and other extension types can participate in MultiViews negotiation.

Fix Text

Edit the httpd.conf file and add the "-" to the MultiViews setting, or set the options directive to None.

Check Content

Locate the Apache httpd.conf file. If you cannot locate the file, you can do a search of the drive to find the location of the file. Open the httpd.conf file with an editor and search for the following directive: <Directory. Then review the Options statement for the following value: MultiViews. If the value is found on an Options statement within the Directory directive, and it does not have a "-" preceding it, this is a finding. If the value does not exist, this would be a finding unless the Options statement has the "None" option. Please be sure to check all occurrences of the Directory directive for the presence of the MultiViews value. If this is enabled on any of these, this would be a finding.

Responsibility

Web Administrator

Removed

V-13735

The "-Indexes" directive is not used on all data directories not containing a default index page unless the mod_autoindex module is disabled.

Finding ID
WA000-WWA058
Rule ID
SV-14345r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA058
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Directory options directives are httpd.conf directives that can be applied to further restrict access to file and directories. If a URL which maps to a directory is requested, and there is no DirectoryIndex (e.g., index.html) in that directory, then mod_autoindex will return a formatted listing of the directory which is not acceptable.

Fix Text

Edit the httpd.conf file and add an "-" to the Indexes setting, or set the options directive to None.

Check Content

Locate the Apache httpd.conf file. If you cannot locate the file, you can do a search of the drive to find the location of the file. Open the httpd.conf file with an editor and search for the following directive: <Directory. Then review the Options statement for the following value: Indexes. If the value is found on an Options statement within the Directory directive, and it does not have a "-" preceding it, this is a finding. If the value does not exist, this would be a finding unless the Options statement has the "None" option. Please be sure to check all occurrences of the Directory directive for the presence of the Indexes value. If this is enabled on any of these, this would be a finding.

Responsibility

Web Administrator

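The five Options checks above (ExecCGI, FollowSymLinks, Includes/IncludesNOEXEC, MultiViews and Indexes) all walk the same <Directory> blocks by hand. The Python script below is an added example, not part of the STIG or of any DISA tooling: it parses the Options lines of each <Directory> block in an httpd.conf and reports what the check text describes, namely an option that ends up enabled (listed without "-", or implied by "All"), and, with strict=True, an option that is neither explicitly disabled nor covered by "Options None". The httpd.conf fragment is constructed for the demonstration, the cgi_dirs parameter is this script's own way of expressing the NOTE that ExecCGI is acceptable in the CGI directory, and included .conf files are not followed, so they would have to be audited separately.

```python
"""Audit Options inside <Directory> blocks of an Apache httpd.conf (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed httpd.conf fragment for the demonstration; not taken from a real server.
SAMPLE_HTTPD_CONF = """\
ServerRoot "/usr/local/apache2"
<Directory />
    Options None
    AllowOverride None
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks MultiViews
    # a commented-out line must be ignored by the audit
    # Options +ExecCGI
</Directory>
<Directory "/usr/local/apache2/cgi-bin">
    Options +ExecCGI -Indexes
</Directory>
<Directory "/usr/local/apache2/ssi">
    Options +IncludesNoExec -FollowSymLinks
</Directory>
"""

# Options the checks above say must not be enabled (ExecCGI only outside the CGI
# directory). Plain "Includes" permits #exec; IncludesNoExec is the accepted form.
RESTRICTED_OPTIONS = ("ExecCGI", "FollowSymLinks", "Includes", "MultiViews", "Indexes")

_DIR_OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>', re.IGNORECASE)
_DIR_CLOSE = re.compile(r"^</Directory\s*>", re.IGNORECASE)
_OPTIONS = re.compile(r"^Options\s+(.+)$", re.IGNORECASE)


def parse_directory_options(conf_text: str) -> Dict[str, List[str]]:
    """Map each <Directory> path to the lower-cased tokens of its Options lines.

    Comment lines are skipped, so a commented-out Options line never counts.
    Apache option keywords are case-insensitive, hence the lower-casing.
    """
    result: Dict[str, List[str]] = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIR_OPEN.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        if _DIR_CLOSE.match(line):
            current = None
            continue
        m = _OPTIONS.match(line)
        if m and current is not None:
            result[current].extend(tok.lower() for tok in m.group(1).split())
    return result


def option_enabled(tokens: List[str], name: str) -> bool:
    """True if `name` ends up enabled: listed without "-", or implied by "All".

    "All" enables every option except MultiViews (Apache semantics, as the
    MultiViews discussion above notes); a later "-name" or "None" wins.
    """
    name = name.lower()
    enabled = False
    for tok in tokens:
        if tok == "none":
            enabled = False
        elif tok == "all":
            enabled = enabled or name != "multiviews"
        elif tok in (name, "+" + name):
            enabled = True
        elif tok == "-" + name:
            enabled = False
    return enabled


def option_mentioned(tokens: List[str], name: str) -> bool:
    """True if the Options lines address `name` at all (with or without +/-).

    For Includes, the IncludesNoExec forms also count, since the IncludesNOEXEC
    check accepts +IncludesNoExec, -IncludesNoExec or -Includes.
    """
    names = {name.lower()}
    if name.lower() == "includes":
        names.add("includesnoexec")
    return any(tok.lstrip("+-") in names for tok in tokens)


def audit_directory_options(conf_text: str, cgi_dirs: Tuple[str, ...] = (),
                            strict: bool = False) -> List[Tuple[str, str, str]]:
    """Return (directory, option, reason) findings for the WWA050-WWA058 checks.

    cgi_dirs lists the directories where ExecCGI is intended (the NOTE in the
    ExecCGI check). With strict=True, an option neither disabled with "-" nor
    covered by "Options None" is reported too, as the check text words it.
    """
    findings = []
    for directory, tokens in parse_directory_options(conf_text).items():
        for opt in RESTRICTED_OPTIONS:
            if opt == "ExecCGI" and directory in cgi_dirs:
                continue
            if option_enabled(tokens, opt):
                findings.append((directory, opt, "enabled"))
            elif strict and "none" not in tokens and not option_mentioned(tokens, opt):
                findings.append((directory, opt, "not explicitly disabled"))
    return findings


if __name__ == "__main__":
    cgi = ("/usr/local/apache2/cgi-bin",)
    for d, opt, why in audit_directory_options(SAMPLE_HTTPD_CONF, cgi_dirs=cgi, strict=True):
        print(f"FINDING: {opt} {why} in <Directory {d}>")
```

Run against the constructed fragment, the non-strict audit flags the htdocs directory three times (FollowSymLinks, MultiViews, Indexes); strict mode adds eight "not explicitly disabled" findings for options the other blocks never mention, which is what the literal check text asks for and why most sites prefer "Options None" as the baseline.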
Removed

V-13736

The httpd.conf LimitRequestBody directive is set to unlimited.

Finding ID
WA000-WWA060
Rule ID
SV-14346r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA060
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite system memory. Subsequently an attacker may be able to elevate privileges and take control of the server. The Apache directives listed below limit the sizes of the various HTTP headers, thereby limiting the chances for a buffer overflow. From Apache.org: The LimitRequestBody directive allows the user to set a limit on the allowed size of an HTTP request message body within the context in which the directive is given (server, per-directory, per-file or per-location). If the client request exceeds that limit, the server will return an error response instead of servicing the request. The size of a normal request message body will vary greatly depending on the nature of the resource and the methods allowed on that resource. CGI scripts typically use the message body for retrieving form information. Implementations of the PUT method will require a value at least as large as any representation that the server wishes to accept for that resource. This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks.

Fix Text

Edit the httpd.conf file and specify a size for the LimitRequestBody directive.

Check Content

To view the LimitRequestBody value enter the following command: grep "LimitRequestBody" /usr/local/apache2/conf/httpd.conf. If the value of LimitRequestBody is not set to 1 or greater, or does not exist, then this is a finding. Note: The default value is set to unlimited. It is recommended that the directive be explicitly set to prevent unexpected results should the defaults change with updated software.

Responsibility

Web Administrator

Removed

V-13737

The httpd.conf LimitRequestFields directive is set to unlimited.

Finding ID
WA000-WWA062
Rule ID
SV-14347r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA062
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite system memory. Subsequently an attacker may be able to elevate privileges and take control of the server. The Apache directives listed below limit the sizes of the various HTTP headers, thereby limiting the chances for a buffer overflow. From Apache.org: Number is an integer from 0 (meaning unlimited) to 32767. The default value is defined by the compile-time constant DEFAULT_LIMIT_REQUEST_FIELDS (100 as distributed). The LimitRequestFields directive allows the server administrator to modify the limit on the number of request header fields allowed in an HTTP request. A server needs this value to be larger than the number of fields that a normal client request might include. The number of request header fields used by a client rarely exceeds 20, but this may vary among different client implementations, often depending upon the extent to which a user has configured their browser to support detailed content negotiation. Optional HTTP extensions are often expressed using request header fields. This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks. The value should be increased if normal clients see an error response from the server that indicates too many fields were sent in the request.

Fix Text

Edit the httpd.conf file and set the LimitRequestFields directive to a value greater than 0.

Check Content

To view the LimitRequestFields value enter the following command: grep "LimitRequestFields" /usr/local/apache2/conf/httpd.conf. If the value of LimitRequestFields is not set to 1 or greater, or does not exist, then this is a finding. Note: It is recommended that the directive be explicitly set to prevent unexpected results should the defaults change with updated software.

Responsibility

Web Administrator

Removed

V-13738

The httpd.conf LimitRequestFieldSize directive is set to unlimited.

Finding ID
WA000-WWA064
Rule ID
SV-14348r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA064
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite system memory. Subsequently an attacker may be able to elevate privileges and take control of the server. The Apache directives listed below limit the sizes of the various HTTP headers, thereby limiting the chances for a buffer overflow. From Apache.org: This directive specifies the number of bytes that will be allowed in an HTTP request header. The LimitRequestFieldSize directive allows the server administrator to reduce or increase the limit on the allowed size of an HTTP request header field. A server needs this value to be large enough to hold any one header field from a normal client request. The size of a normal request header field will vary greatly among different client implementations, often depending upon the extent to which a user has configured their browser to support detailed content negotiation. SPNEGO authentication headers can be up to 12392 bytes. This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks.

Fix Text

Edit the httpd.conf file and set LimitRequestFieldSize to 8190 or other approved value.

Check Content

To view the LimitRequestFieldSize value enter the following command: grep "LimitRequestFieldSize" /usr/local/apache2/conf/httpd.conf. If the value of LimitRequestFieldSize is not set to 8190, then this is a finding. Note: the default value is 8190.

Responsibility

Web Administrator

Removed

V-13739

The httpd.conf LimitRequestLine directive is set to unlimited.

Finding ID
WA000-WWA066
Rule ID
SV-14349r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WWA066
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite system memory. Subsequently an attacker may be able to elevate privileges and take control of the server. The Apache directives listed below limit the sizes of the various HTTP headers, thereby limiting the chances for a buffer overflow. From Apache.org: This directive sets the number of bytes that will be allowed on the HTTP request-line. The LimitRequestLine directive allows the server administrator to reduce or increase the limit on the allowed size of a client's HTTP request-line. Since the request-line consists of the HTTP method, URI, and protocol version, the LimitRequestLine directive places a restriction on the length of a request-URI allowed for a request on the server. A server needs this value to be large enough to hold any of its resource names, including any information that might be passed in the query part of a GET request. This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks.

Fix Text

Edit the httpd.conf file and set LimitRequestLine to 8190 or other approved value.

Check Content

To view the LimitRequestLine value enter the following command: grep "LimitRequestLine" /usr/local/apache2/conf/httpd.conf. If the value of LimitRequestLine is not set to 8190, then this is a finding. Note: The default value is 8190.

Responsibility

Web Administrator

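The MinSpareServers, MaxSpareServers and MaxClients checks and the four LimitRequest* checks above share one shape: read a server-level directive, compare it with a bound, and decide what an absent directive means (MinSpareServers defaults to 5 and is not a finding when missing; LimitRequestBody defaults to unlimited and is a finding when missing). The Python script below is an added example, not part of the STIG or of any DISA tooling, that encodes those rules as a table and audits an httpd.conf against them. The fragment it reads is constructed for the demonstration; only server-level (last-wins) values are examined, so per-directory LimitRequestBody settings and included .conf files are an assumption left to the reader; and, because the LimitRequestFieldSize and LimitRequestLine check text names 8190 while the Fix Text allows "other approved value", the table takes 8190 as the acceptable value and treats an absent directive as the documented default of 8190 rather than a finding.

```python
"""Audit server-level numeric directives in httpd.conf against the STIG limits (added example)."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed httpd.conf fragment for the demonstration; not taken from a real server.
SAMPLE_HTTPD_CONF = """\
<IfModule mpm_prefork_module>
    StartServers        5
    MinSpareServers     5
    MaxSpareServers    20
    MaxClients        150
</IfModule>
LimitRequestFields    100
LimitRequestFieldSize 8190
LimitRequestLine      8190
# LimitRequestBody    1048576   <- commented out, so the body size is unlimited
"""

# (directive, acceptable(value), value assumed when the directive is absent).
# A None default means absence is itself a finding, as the check text says for
# LimitRequestBody and LimitRequestFields; otherwise the Apache default applies.
Rule = Tuple[str, Callable[[int], bool], Optional[int]]
RULES: List[Rule] = [
    ("MinSpareServers",       lambda v: 5 <= v <= 10, 5),
    ("MaxSpareServers",       lambda v: v <= 10,      10),
    ("MaxClients",            lambda v: v <= 256,     256),
    ("LimitRequestBody",      lambda v: v >= 1,       None),
    ("LimitRequestFields",    lambda v: v >= 1,       None),
    ("LimitRequestFieldSize", lambda v: v == 8190,    8190),
    ("LimitRequestLine",      lambda v: v == 8190,    8190),
]


def directive_value(conf_text: str, name: str) -> Optional[int]:
    """Integer value of the last uncommented occurrence of `name`, or None if unset.

    Apache takes the last definition at the same level, hence last-wins here.
    """
    pattern = re.compile(r"^\s*" + re.escape(name) + r"\s+(\d+)\s*$", re.IGNORECASE)
    value = None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = pattern.match(line)
        if m:
            value = int(m.group(1))
    return value


def audit_limits(conf_text: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Map each directive to (status, effective value).

    status is "pass", "finding", or "pass-default" (absent but the default is
    compliant; the STIG still recommends setting it explicitly).
    """
    results: Dict[str, Tuple[str, Optional[int]]] = {}
    for name, acceptable, default in RULES:
        value = directive_value(conf_text, name)
        if value is None:
            results[name] = ("finding", None) if default is None else ("pass-default", default)
        else:
            results[name] = ("pass" if acceptable(value) else "finding", value)
    return results


def findings(conf_text: str) -> List[str]:
    """Sorted names of the directives that are findings."""
    return sorted(name for name, (status, _) in audit_limits(conf_text).items() if status == "finding")


if __name__ == "__main__":
    for name, (status, value) in audit_limits(SAMPLE_HTTPD_CONF).items():
        shown = "unset" if value is None else str(value)
        print(f"{name:<22} {shown:>8}  {status}")
```

On the constructed fragment the audit reports MaxSpareServers (20, above the limit of 10) and LimitRequestBody (absent, so unlimited) as findings; the "pass-default" status exists so that the report can still list directives the site should set explicitly, which is the recommendation every one of these checks ends with.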
Removed

V-15334

Web sites will utilize ports, protocols, and services according to PPSM guidelines.

Finding ID
WG610
Rule ID
SV-16125r1_rule
Severity
Cat III
CCE
(None)
Group Title
WG610
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS. The IAM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM), and the associated Ports, Protocols, and Services (PPS) Assurance Category Assignments List.

Fix Text

Ensure the web site enforces the use of IANA well-known ports for HTTP and HTTPS.

Check Content

Review the web site to determine if HTTP and HTTPS are used in accordance with well-known ports (e.g., 80 and 443) or those ports and services as registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM. If not, this is a finding.

Responsibility

Information Assurance Officer

Removed

V-2226

Web content directories anonymously shared via a network share.

Finding ID
WG210
Rule ID
SV-2226r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG210
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Such sharing is a security risk when a web server is involved. Users accessing the share anonymously could experience privileged access to the content of such directories. Network sharable directories expose those directories and their contents to unnecessary access. Any unnecessary exposure increases the risk that someone could exploit that access and either compromise the web content or cause web server performance problems. NIST Guidelines for Securing Public Web Servers (par. 8.6 pg. 75, a principal reference for this document) states "Do not mount any file shares on the internal network from the Web server or vice versa". The presence of shares is indicative of a remote management solution or a development server. Alternatives to shares are secure FTP products or related remote admin tools.

Fix Text

Remove the shares from the applicable directories.

Check Content

Move to the %systemroot%\system32\inetsrv\ directory and examine the properties of this directory. Sharing should not be selected. Using the Internet Information Services Console, locate the web site being reviewed. Select this web site and right click on it, then select its Properties. When the menu screens appear, select the Home Directory tab. Make a note on the checklist sheet of the path to the web site's home directory. Administrative shares are not exempt from this requirement. Using Explorer, locate the path identified above. Right click on the directory to be examined. Select Properties, then select the "Sharing" tab. If "Do not share this folder" is not selected, this is a finding. Navigate to the "Web Sharing" tab and select the web site you are reviewing from the pull-down menu. "Share this folder" can be selected, and will be in most cases if the web site is readable. The following entry could be present in the list: "/". If the web site is readable, the above entry will be in the list; it is acceptable and should not be marked as a finding. If there are any other aliases in the list, this is a finding. Note: In the case of a storage area network or file storage network, where partitions on the storage device are dedicated to front end/back end web services, the additional partitions will be mapped to the correct file storage network partition in the web server configuration. This can apply to both web content and web scripts. NOTE: The presence of operating system shares on the web server is not an issue as long as the shares are not part of the web content directories.
The use of shares to move content from one environment to another is permitted if the following conditions are met: they are approved by the IAM/IAO, the shares are restricted to allow only administrators write access, the use of the shares does not bypass the site's approval process for posting new content to the web server, and developers are only permitted read access to these directories.

Responsibility

System Administrator

Removed

V-2228

The CGI script directory has improper access controls.

Finding ID
WG400
Rule ID
SV-6927r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG400
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI programs are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not otherwise limited unless the SA or Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs and use the network. CGI programs can be written in any available programming language. C, PERL, PHP, Javascript, VBScript and shell (sh, ksh, bash) are popular choices. Apache: suexec must be enabled to ensure that scripts run in the proper context.

Fix Text

Ensure the CGI (or equivalent, i.e., scripts) directory has access controls IAW the Web Services STIG.

Check Content

Windows uses command.com as the default shell and will execute .bat and .exe files. NTFS permissions are: WebUser account (i.e., webuser or nobody): Read and Execute. Security is enhanced with virtual directories because it adds another level of abstraction to the site, altering the way in which Internet users access the information. Only directories that contain information to be published or downloaded should have Read permission set. To prevent clients from downloading executable files or scripts that always contain sensitive information and application logic, these files will be located in separate directories without Read/Write permission. If the CGI script directory has improper access controls, this is a finding.

Responsibility

System Administrator

Removed

V-2229

Interactive scripts used on a web server will have proper access controls.

Finding ID
WG410
Rule ID
SV-2229r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG410
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

CGI is a 'programming standard' for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does represent a CGI script, but CGI scripts may be written in a number of programming languages (e.g., PERL, C, PHP, and Javascript), each having their own unique file extension. The use of CGI scripts represents one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network. Clarification: This vulnerability, which is related to VMS vulnerability V-2228, requires that appropriate access permissions are applied to CGI files.

Fix Text

Ensure the CGI scripts are owned by a privileged account and not the non-privileged account running the web site. Ensure the anonymous web user account and the web service account running the web site only have Read-Only or Read-Execute permissions to such scripts.

Check Content

Query the SA to determine if CGI scripts are used on the server. If CGI programs are being used, check the permissions of these files to ensure they are not owned by the non-privileged account running the web server and have proper access controls. If the CGI programs are owned by the web server account, this is a finding. The directory used to store .asp or .jsp files in Windows is generally the Scripts directory. This directory should be virtualized. Permissions granted to web users accessing the scripts directory and its content files should be the most restrictive possible. Since read authority allows a user to download and potentially view a file, access permission to the script files should be limited to script execution. However, if read authority is necessary, powerful scripts such as those used to administratively maintain a web site, or those scripts containing sensitive information, should be segregated into a directory that is inaccessible to the general user population. Under no condition should web users be granted write authority to either a script directory or a script file. Additionally, the non-privileged account used to run the web site should have its permission limited to execute or read-execute.

Responsibility

Web Administrator

Removed

V-2230

Backup interactive scripts on the production web server are prohibited.

Finding ID
WG420
Rule ID
SV-2230r1_rule
Severity
Cat III
CCE
(None)
Group Title
WG420
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as the actual script being executed and, as such, are useful to malicious users. Techniques and systems exist today that search web servers for such files and are able to exploit the information contained in them. Backup copies of files are automatically created by some text editors such as emacs and EditPlus. The emacs editor will write a backup file with an extension ~ added to the name of the original file. The EditPlus editor will create a .bak file. Of course, this would imply the presence and use of development tools on the web server, which is a finding under WG130. Having backup scripts on the web server provides one more opportunity for malicious persons to view these scripts and use the information found in them.

Fix Text

Ensure that CGI backup scripts are not left on the production web server.

Check Content

This check is limited to CGI/interactive content and not static HTML. Search the IIS Root and Site Directories for the following files: *.bak, *.old, *.temp, *.tmp, *.backup, or ‘copy of...’. If files with these extensions are found, this is a finding.

Responsibility

System Administrator

Removed

V-2232

The web server service password(s) must be entrusted to the SA or Web Manager.

Finding ID
WG050 W22
Rule ID
SV-33048r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG050
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Normally, a service account is established for the web server. This is because a privileged account is not desirable and the server is designed to run for long uninterrupted periods of time. The SA or Web Manager will need password access to the web server to restart the service in the event of an emergency as the web server is not to restart automatically after an unscheduled interruption. If the password is not entrusted to an SA or web manager the ability to ensure the availability of the web server is compromised.

Fix Text

Ensure the SA or Web Manager is entrusted with the web service(s) password.

Check Content

The reviewer should make a note of the name of the account being used for the web service. There may also be other server services running related to the web server in support of a particular web application; these passwords must be entrusted to the SA or Web Manager as well. Query the SA or Web Manager to determine if they have the web service password(s). If the web service password(s) are not entrusted to the SA or Web Manager, this is a finding. NOTE: For installations that use the LocalService or NetworkService accounts, the password is OS generated, so the SA or Web Manager having an Admin account on the system would meet the intent of this check.

Responsibility

System Administrator

Removed

V-2240

The number of allowed simultaneous requests will be limited for web sites.

Finding ID
WG110
Rule ID
SV-2240r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG110
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive, (i.e., a parameter used to limit the amount of time a connection may be inactive).

Fix Text

Edit the httpd.conf file and set the MaxKeepAliveRequests directive to 100 or greater.

Check Content

To view the MaxKeepAliveRequests value, enter the following command: grep "MaxKeepAliveRequests" /usr/local/apache2/conf/httpd.conf If the value of MaxKeepAliveRequests is not set to 100 or greater, then this is a finding. Note: The default value is 100.

Responsibility

Web Administrator

Removed

V-2245

Each readable web document directory will contain either default, home, index, or equivalent file.

Finding ID
WG170
Rule ID
SV-2245r1_rule
Severity
Cat III
CCE
(None)
Group Title
WG170
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor in accomplishing this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. This practice helps ensure that the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version.

Fix Text

Add a default document to the applicable directories.

Check Content

To view the DocumentRoot value, enter the following command: grep "DocumentRoot" /usr/local/apache2/conf/httpd.conf Note the location following the DocumentRoot string; this is the path to the document root directory. Browse to the document root directory and any subdirectories. If a directory does not contain a default document, then this is a finding.

Responsibility

Web Administrator

Removed

V-2249

Web server administration will be performed over a secure path or at the console.

Finding ID
WG230
Rule ID
SV-2249r1_rule
Severity
Cat I
CCE
(None)
Group Title
WG230
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Logging in to a web server via a telnet session or using HTTP or FTP to perform updates and maintenance is a major risk. In all such cases, userids and passwords are passed in plain text. A secure shell service or HTTPS needs to be installed and in use for these purposes. Another alternative is to administer the web server from the console, which implies physical access to the server.

Fix Text

Ensure the web server's administration is only performed over a secure path.

Check Content

Verify that some variety of SSH is running on the web server platform. Check for an SSH daemon by querying the SA and web manager, and use the following procedure: Select START, Programs and look for Reflection for Secure IT or an equivalent program. Some versions of Windows-compatible SSH are Reflection for Secure IT, SecureCRT, NT sshd, and Tera Term with TTSSH. NOTE: If all administration is done via the server console, this is not a finding. If web server administration is being done remotely without a secure connection, this is a finding.

Responsibility

System Administrator

Removed

V-2250

Logs of web server access and errors will be established and maintained

Finding ID
WG240
Rule ID
SV-2250r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG240
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A major tool in exploring web site use, attempted use, unusual conditions, and problems is the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Without these log files, SAs and web managers are seriously hindered in their efforts to respond appropriately to suspicious or criminal actions targeted at the web site.

Fix Text

Edit the httpd.conf file and add the following to configure logging. <IfModule log_config_module>

Check Content

To view a list of loaded modules enter the following command: /usr/local/apache2/bin/httpd -M If the following module is not found, then this is a finding: "log_config_module"

Responsibility

System Administrator

Removed

V-2252

Users other than from the Auditors group have greater than read access to log files.

Finding ID
WG250
Rule ID
SV-30016r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG250
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A major tool in exploring web site use, attempted use, unusual conditions, and problems is the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. To ensure the integrity of the log files and protect the SA and web manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.

Fix Text

Ensure only the Auditors group has greater than read access to log files.

Check Content

Query the SA to determine who has update access to the web server log files. If any of the accounts that have greater than read access to the log file are not a part of the identified Auditors group, then this is a finding. NOTE: The group does not have to have the name Auditors, but the site will need to identify the group that contains the auditors. To determine the settings: Start >> Programs >> Administrative Tools >> Internet Services Manager >> Select Website to view properties >> Web Site Tab >> Properties >> General Logging Properties provides the location of the log files. After locating the logs, use the Windows Explorer to move to these files and examine their properties. Properties >> Security >> Permissions. Permissions greater than Read, Execute should be noted for only the System and the Auditors Group. If the SA, Web Manager or users other than the Auditors group have greater than read access to the log files, this is a finding.

Responsibility

System Administrator

Removed

V-2254

Only web sites that have been fully reviewed and tested will exist on a production web server.

Finding ID
WG260
Rule ID
SV-2254r3_rule
Severity
Cat II
CCE
(None)
Group Title
WG260
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files that reveal business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security risk that is totally avoidable.

Fix Text

The presence of portions of the web site that proclaim Under Construction or Under Development is a clear indication that a production web server is being used for development. The web administrator will ensure that pages that are in development are not installed on a production web server.

Check Content

Query the ISSO, the SA, and the web administrator to find out if development web sites are being housed on production web servers. Proposed Questions: Do you have development sites on your production web server? What is your process to get development web sites / content posted to the production server? Do you use under construction notices on production web pages? The reviewer can also perform a manual check or navigate the web site via a browser to confirm the information provided by interviewing the web staff. Graphics or text which proclaim Under Construction or Under Development are frequently used to mark folders or directories in that status. If Under Construction or Under Development web content is discovered on the production web server, this is a finding.

Responsibility

Web Administrator

Removed

V-2255

The web server’s htpasswd files (if present) will reflect proper ownership and permissions

Finding ID
WG270 W13
Rule ID
SV-2255r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG270
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

In addition to OS restrictions, access rights to files and directories can be set on a web site using the web server software. That is, in addition to allowing or denying all access rights, a rule can be specified that allows or denies partial access rights. For example, users can be given read-only access rights to files, to view the information but not change the files. This check verifies that the htpasswd file is only accessible by system administrators or web managers, with the account running the web service having group permissions of read and execute. htpasswd is a utility used by Netscape and Apache to provide for password access to designated web sites.

Fix Text

The SA or Web Manager account should own the htpasswd file and permissions should be set to 550.

Check Content

To locate the htpasswd file, enter the following command: find / -name htpasswd Permissions should be r-xr-x--- (550). If permissions on htpasswd are greater than 550, this is a finding. The owner should be the SA or Web Manager account; if another account has access to this file, this is a finding.

Responsibility

System Administrator

Removed

V-2256

The access control files are owned by a privileged web server account.

Finding ID
WG280
Rule ID
SV-2256r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG280
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

This check verifies that the key web server system configuration files are owned by the SA or by the web administrator controlled account. These same files which control the configuration of the web server and, thus, its behavior must also be accessible by the account that runs the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.

Fix Text

Ensure that the owner is a privileged account and not the web server account or equivalent which runs the web service.

Check Content

Query the SA or the web administrator to determine if an access control file is used by the web server and to obtain the name and location of those files. Verify the permissions on these files. If .htaccess or the .htaccess.html files are in use, the SA or the web administrator account may have Full Control and the non-privileged web server account running the web service should have read and execute permissions. If entries other than administrators, the web administrator accounts, or the system for any degree of access are present, this is a finding.

Responsibility

System Administrator

Removed

V-2258

The web client account access to the content and scripts directories will be limited to read and execute.

Finding ID
WG290
Rule ID
SV-2258r1_rule
Severity
Cat I
CCE
(None)
Group Title
WG290
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.

Fix Text

Limit web client account access to the web content and scripts directories to read and execute (or script in the case of IIS). Furthermore, ensure this account has no access to the operating system files and resources, which are to be located on a separate drive or partition.

Check Content

Determine the web client account (anonymous account) for the web server software that is installed. For the web content and script directories, determine the permission for the web client account. Permissions for this account should be read and execute or more restrictive. If the web client account access to the content and scripts directories is not limited to read and execute, this is a finding. If the Microsoft ‘everyone’ account or the UNIX ‘world’ user has full access to these directories, this is a finding. Permissions for ‘everyone’ and the UNIX world user will be as restricted as possible.

Responsibility

System Administrator

Removed

V-2260

A private web server will not respond to requests from public search engines.

Finding ID
WG310
Rule ID
SV-2260r1_rule
Severity
Cat III
CCE
(None)
Group Title
WG310
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web site content. In turn, these search engines make the content they obtain and catalog available to any public web user. Such information in the public domain defeats the purpose of a Limited or Certificate-based web server, provides information to those not authorized access to the web site, and could provide clues of the site’s architecture to malicious parties.

Fix Text

Establish a means to restrict search engines on the private web site.

Check Content

Interview the SA to determine what type of restriction from public search engines is in place. If no means of restriction is in place (e.g. userid and password, domain or IP restriction, user PKI certificate), or a robots.txt file is not in use, this is a finding. If a robots.txt file is used, it must contain the following lines; if not, this is a finding.
User-agent: *
Disallow: /
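The robots.txt test in this check, as an added example that is not part of the STIG: a small Python parser that groups rules under their User-agent lines the way crawlers do and reports whether a group for all agents (*) carries Disallow: /. The sample files are constructed; an empty Disallow or a path-specific Disallow does not satisfy the check.

```python
from typing import Dict, List


def parse_robots(text: str) -> List[Dict[str, List[str]]]:
    """Split robots.txt into groups of {'agents': [...], 'disallow': [...]}.

    A group is one or more consecutive User-agent lines followed by their
    rules. Comments ('#'), blank lines and malformed lines are ignored, field
    names are case-insensitive, and rules that appear before any User-agent
    line belong to no group and are dropped.
    """
    groups: List[Dict[str, List[str]]] = []
    current = None
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not last_was_agent or current is None:
                current = {"agents": [], "disallow": []}
                groups.append(current)
            current["agents"].append(value.lower())
            last_was_agent = True
        else:
            last_was_agent = False
            if current is not None and field == "disallow":
                current["disallow"].append(value)
    return groups


def robots_blocks_all_agents(text: str) -> bool:
    """V-2260: True only if a 'User-agent: *' group contains 'Disallow: /'."""
    for group in parse_robots(text):
        if "*" in group["agents"] and "/" in group["disallow"]:
            return True
    return False


# Constructed samples (not from any real site).
COMPLIANT = "# block every crawler\nUser-agent: *\nDisallow: /  # whole site\n"
PARTIAL = "User-agent: *\nDisallow: /admin/\n\nUser-agent: Googlebot\nDisallow: /\n"
EMPTY_DISALLOW = "USER-AGENT: *\nDisallow:\n"

if __name__ == "__main__":
    for label, sample in (("compliant", COMPLIANT), ("partial", PARTIAL),
                          ("empty", EMPTY_DISALLOW)):
        print(label, "->", "not a finding" if robots_blocks_all_agents(sample) else "FINDING")
```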

Responsibility

Web Administrator

Removed

V-2262

A private web server will utilize TLS v 1.0 or greater.

Finding ID
WG340
Rule ID
SV-2262r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG340
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Transport Layer Security (TLS) encryption is a required security setting for a private web server. This check precludes the possibility that a valid certificate has been obtained, but TLS has not been activated or is not being used. Transactions encrypted with trusted certificates are necessary when the information being transferred is not intended to be accessed by all parties on the network. To the extent that this standard applies, this check is valid for the SIPRNet also. FIPS 140-2 compliance includes:
TLS V1.0 or greater
TLS must be enabled, the use of SSL disabled
Configuration of required cryptographic modules as specified by NIST

Fix Text

Edit the httpd.conf file and set the SSLProtocol to TLSv1 and the SSLEngine to On.

Check Content

Enter the following command: /usr/local/apache2/bin/httpd -M This will provide a list of all the loaded modules. Verify that the "ssl_module" is loaded. If this module is not found, then this is a finding. After determining that the ssl module is active, enter the following command: grep "SSL" /usr/local/apache2/conf/httpd.conf Review the SSL sections of the httpd.conf file. All enabled SSLProtocol directives must be set to "TLSv1"; if not, then this is a finding. All enabled SSLEngine directives must be set to "on"; if not, then this is a finding. NOTE: In some cases web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the TLS certificate for the web sites may be installed on the content switch vs. the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. Users should not have the ability to bypass the content switch to access the web sites.
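The httpd.conf review in this check and in V-2240 (MaxKeepAliveRequests) above, as one added example that is not part of the STIG: a Python pass over httpd.conf text that keeps only enabled directives (commented-out lines are skipped, which a plain grep does not do) and applies both checks literally as written. The sample configuration is constructed.

```python
import re
from typing import List, Tuple

Directive = Tuple[int, str, str]  # (line number, directive name, value)


def parse_directives(conf_text: str) -> List[Directive]:
    """Collect enabled 'Name value' lines from httpd.conf text.

    Comment and blank lines are skipped, so '#MaxKeepAliveRequests 100'
    is never mistaken for an enabled directive. Container tags such as
    <VirtualHost> are skipped; only the simple directives inside them matter here.
    """
    directives: List[Directive] = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.append((lineno, parts[0], value))
    return directives


def check_keepalive(directives: List[Directive], minimum: int = 100) -> List[str]:
    """V-2240: every enabled MaxKeepAliveRequests must be 100 or greater.
    An absent directive is compliant because the documented default is 100."""
    findings = []
    for lineno, name, value in directives:
        if name.lower() != "maxkeepaliverequests":
            continue
        if not value.isdigit() or int(value) < minimum:
            findings.append(
                f"line {lineno}: MaxKeepAliveRequests {value!r} is not {minimum} or greater")
    return findings


def check_tls(directives: List[Directive]) -> List[str]:
    """V-2262, as the check text is written: every enabled SSLProtocol must be
    'TLSv1' and every enabled SSLEngine must be 'on' (case-insensitive, as Apache
    compares them)."""
    findings = []
    for lineno, name, value in directives:
        if name.lower() == "sslprotocol" and value.lower() != "tlsv1":
            findings.append(f"line {lineno}: SSLProtocol {value!r} is not 'TLSv1'")
        elif name.lower() == "sslengine" and value.lower() != "on":
            findings.append(f"line {lineno}: SSLEngine {value!r} is not 'on'")
    return findings


def review_httpd_conf(conf_text: str) -> List[str]:
    """Run both checks and return the combined list of findings."""
    directives = parse_directives(conf_text)
    return check_keepalive(directives) + check_tls(directives)


# Constructed httpd.conf excerpt: one compliant and one non-compliant vhost.
SAMPLE_CONF = """\
# constructed sample, not a real configuration
KeepAlive On
MaxKeepAliveRequests 50
#MaxKeepAliveRequests 100
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol TLSv1
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine off
    SSLProtocol all -SSLv2
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in review_httpd_conf(SAMPLE_CONF):
        print("FINDING", finding)
```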

Responsibility

Web Administrator

Removed

V-2263

A private web server will have a valid DoD server certificate.

Finding ID
WG350
Rule ID
SV-2263r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG350
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

This check verifies that DoD is a hosted web site's CA. The certificate is actually a DoD-issued server certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not for the server (Certificate belongs to), if the certificate is not issued by DoD (Certificate was issued by), or if the current date is not included in the valid date (Certificate is valid from), then there is no assurance that the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.

Fix Text

Configure the private web site to use a valid DoD certificate.

Check Content

Open a browser window and navigate to the site under review. Double-click the lock icon in order to view the site certificate or, if necessary, click View Certificate from the context menu. Select the Details tab in the Certificate dialog window. Left-click the Issuer field and observe its contents. If the certificate was not issued by the DoD, then this is a finding.

Responsibility

Web Administrator

Removed

V-2264

Wscript.exe and Cscript.exe are accessible by users other than the SA and the web administrator.

Finding ID
WG470
Rule ID
SV-2264r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG470
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Windows Scripting Host (WSH) is installed under either a Typical or Custom installation option of a Microsoft Network Server. This technology permits the execution of powerful script files from the Windows NT command line. This technology is also classified as a Category I Mobile Code. If the access to these files is not tightly controlled, a malicious user could readily compromise the server by using a form to send input to these scripting engines. This is a web-related vulnerability that could exist on any NT / Win 2000 system regardless of the web server software being used on the platform.

Fix Text

Remove Wscript.exe and Cscript.exe files from the server, or restrict access to these files to the SA, the web administrator, and the system account.

Check Content

Search for instances of Wscript.exe and Cscript.exe. Move to these files, if found, and right-click on them to view their Properties. Permissions should only exist for System, the SA, and the web administrator, who may have Full Control. User accounts with access to these files that are unknown, or unintended, should be removed. If these files have permission for other than the SA, the web administrator, or the system, this is a finding.

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2

Removed

V-2267

Unused and vulnerable script mappings in IIS are not removed or set to the 404.dll.

Finding ID
WA000-WI050
Rule ID
SV-2267r1_rule
Severity
Cat I
CCE
(None)
Group Title
WA000-WI050
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

IIS file extensions which require server-side processing, but which have been deemed vulnerable, include .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .bat, .cmd and .stm. Requests to these file types can exploit a stack buffer overflow weakness in the ism.dll, httpodbc.dll, and ssinc.dll. A widely available exploit exists which allows a malicious user to gain administrative access to Windows NT/Windows 2000 host servers. These mappings have been exploited by malicious users to gain privileged access to web servers.

Fix Text

Remove unused and vulnerable script mappings in the web server configuration from a production web server. The following mappings need to be removed: .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .bat, .cmd and .stm. These can also be disabled by mapping these extensions to the 404.dll. The IIS Lockdown utility can be used to correct this problem.

Check Content

From Internet Service Manager >> Select the web site to be examined; select the Properties option by right-clicking; select the Home Directory tab. On this menu page, select the Configuration button, then the App Mappings tab. Check for the presence of the following: .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .stm, .bat, .cmd If these script mappings are mapped to the 404.dll, this satisfies the requirement. If any of the above listed mappings exist and are not mapped to the 404.dll, this is a finding. NOTE: This vulnerability can be documented locally with the IAM/IAO if the site has operational reasons for the use of particular script mappings. If the site has this documentation, this should be marked as Not a Finding.

Responsibility

Web Administrator

Removed

V-2268

The IUSR_machinename account has read access to the .inc files or their equivalent.

Finding ID
WA000-WI030
Rule ID
SV-2268r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI030
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Owing to the nature of .inc files, which may contain sensitive logic and potentially reveal sensitive information about the architecture of the web server, it is vital that the end user not be able to access and examine code that is included in .inc files. When server side scripting is the preferred method, this is normally not a problem. Nonetheless, there are key files inherent to the process, which can contain information key to the logic, server structure and configuration of the entire application. .inc files are the include files for many .asp script files. If the correct file name is guessed or derived, their contents will be displayed by a browser. The file must be guarded from the prying eyes of the anonymous web user. If the site has named their include files with the .asp extension, then the files will be processed as .asp files, which by the nature of .asp will prevent that code from being presented. If the files are named with the .inc extension, or equivalent, you do not have this advantage. Java Server Pages, jsp, is another example of a competing technology which the reviewer will also encounter that is impacted by this issue. The same principles outlined here will apply to include files used with Java Server Pages. In addition, there are some additional files that need to be protected, which include the global.asa and global.asax files.

Fix Text

The IUSR_machinename account will not have read access to the .inc files or their equivalent.

Check Content

Using IIS Manager, navigate to the web site you are reviewing, right-click and select Properties. Go to the Home Directory tab, select the Configuration button, then the Mappings tab. Review the following extensions to see if they are mapped to the asp.dll: .asa .asax .inc If these extensions are mapped to the asp.dll or aspnet_isapi.dll, this would not be a finding and you can stop the check procedure here. If they are not mapped to the asp.dll, continue with the following procedure to determine if these files are protected via file permissions. Start >> Search >> Files and Folders >> Search for instances of the following: global.asa, global.asax, files with the .inc extension. If the files are part of the directories for the web site you are reviewing, move to these files, if found, and right-click on them to view their Properties. NOTE: You can check using IIS Manager to determine which directory is associated with the web site: Web Site properties, Home Directory tab. Read permissions should not exist for the IUSR_machinename account (the anonymous web user). If the IUSR_machinename account has read access to the global.asa, global.asax, or .inc files, and these extensions are not mapped to the asp.dll (see the procedure at the top), this is a finding.

Responsibility

Web Administrator

Removed

V-2270

Anonymous FTP user access to interactive scripts is prohibited.

Finding ID
WG430 W13
Rule ID
SV-2270r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG430
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon user-provided input). Such scripts contain information that could be used to compromise a web service, access system resources, or deface a web site.

Fix Text

If the CGI, the cgi-bin, or the cgi-shl directories can be accessed via FTP by any group or user that does not require access, remove permissions to such directories for all but the web administrators and the SAs. Ensure that any such access employs an encrypted connection.

Check Content

Locate the directories containing the CGI scripts. These directories should be language-specific (e.g., PERL, ASP, JS, JSP, etc.). Using ls -al, examine the file permissions on the CGI, the cgi-bin, and the cgi-shl directories. Anonymous FTP users must not have access to these directories. If the CGI, the cgi-bin, or the cgi-shl directories can be accessed by any group that does not require access, this is a finding.

Responsibility

System Administrator

Removed

V-2272

PERL scripts must use the TAINT option.

Finding ID
WG460
Rule ID
SV-2272r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG460
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be a practical, easy to use, and efficient means of generating interactive web pages for the user. Unfortunately, many widely available freeware PERL programs (scripts) are extremely insecure. Such weaknesses are most readily exploited by a malicious user substituting input to a PERL script during a POST or a GET operation. Consequently, the founders of PERL have developed a mechanism named TAINT that protects the system from malicious input sent from outside the program. When the data is tainted, it cannot be used in programs or functions such as eval(), system(), exec(), pipes, or popen(). The script will exit with a warning message. It is vital that if PERL is being used, the following appear in the first line of PERL scripts: #!/usr/local/bin/perl -T

Fix Text

PERL scripts will include a call to the TAINT option.

Check Content

CGI scripts running on non-UNIX servers typically do not recognize #!/usr/local/bin/perl on the first line of the script. Instead, the web server must be configured to use the TAINT option. For IIS, PERL scripts should run with "taint mode on". This can be accomplished by creating a second extension under Windows such as .tcgi or .tgi and associating the new extension with TAINT mode. Then, rename the scripts using the new extension to activate TAINT mode. For example: .tcgi -> C:\perl\bin\perl.exe -T %s %s If the server is using PERL and scripts do not include a call to the TAINT option, this is a finding. NOTE: This only applies to PERL scripts that are used by the web server. NOTE: Excepting IIS, if the mod_perl module is installed and the directive "PerlTaintCheck on" in the httpd.conf is used, this satisfies the requirement.

Responsibility

Web Administrator

Mitigations

WG460 - General

Mitigation Control

If the TAINT option cannot be used for any reason, this finding can be mitigated by the use of a third-party input validation mechanism or input validation will be included as part of the script in use. This must be documented.

Removed

V-26011

Debug must be turned off on a production website.

Finding ID
WA000-WI6140 IIS7
Rule ID
SV-32662r2_rule
Severity
Cat III
CCE
(None)
Group Title
WA000-WI6140
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Setting compilation debug to false ensures detailed error information does not inadvertently display during live application usage, mitigating the risk of application information being displayed to users.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click .NET Compilation.
4. Scroll down to the Behavior section and set the value for Debug to False.

Check Content

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click .NET Compilation.
4. Scroll down to the Behavior section and ensure the value for Debug is set to False. If not, this is a finding.
NOTE: If the .NET feature is not installed, this check is not applicable.

Responsibility

Web Administrator

Removed

V-26026

The production website must utilize SHA1 encryption for Machine Key.

Finding ID
WA000-WI6180 IIS7
Rule ID
SV-33314r4_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6180
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Machine Key element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, forms authentication, membership and roles, and anonymous identification. Ensuring a strong encryption method can mitigate the risk of data tampering in crucial functional areas such as forms authentication cookies or view state.

Fix Text

1. Open the "IIS Manager".
2. Click the site name under review.
3. Double-click the "Machine Key" in the website "Home Pane".
4. Set the "Validation method" to "SHA1".

Check Content

1. Open the "IIS Manager".
2. Click the site name under review.
3. Double-click the "Machine Key" in the website "Home Pane".
4. Ensure "SHA1" is selected for the "Validation method". If not, this is a finding.

Responsibility

Web Administrator

Removed

V-26031

The production web-site must be configured to prevent detailed HTTP error pages from being sent to remote clients.

Finding ID
WA000-WI6165
Rule ID
SV-32682r2_rule
Severity
Cat III
CCE
(None)
Group Title
WA000-WI6165 IIS7
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote requesters exposes internal configuration information to potential attackers.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Error Pages icon.
4. Click each error message and click Edit Feature Setting from the Actions Pane; set each error message to “Detailed errors for local requests and custom error pages for remote requests”.

Check Content

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Error Pages icon.
4. Click each error message and click Edit Feature Setting from the Actions Pane.

If any error message is not set to “Detailed errors for local requests and custom error pages for remote requests”, this is a finding.

Responsibility

Web Administrator

Removed

V-26034

The production web-site must configure the Global .NET Trust Level.

Finding ID
WA000-WI6200
Rule ID
SV-46354r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6200
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

An application's trust level determines the permissions granted by the ASP.NET Code Access Security (CAS) policy. An application with full trust permissions may access all resource types on a server and perform privileged operations, while applications running with partial trust have varying levels of operating permissions and access to resources. The CAS determines the permissions granted to the application on the server. Setting a level of trust compatible with the applications will limit the potential harm a compromised application could cause to a system.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the ".NET Trust Level" icon.
4. Set the .NET Trust level to "Medium" or less and click "Apply".

Check Content

Note: If the server being reviewed is a non-production website, this is Not Applicable.

Note: Setting a web application Trust Level to MEDIUM may deny some application permissions. If compatibility issues with applications require trust level to be less than "Medium", this check can be downgraded to a Cat III with supporting documentation from the Authorizing Official (AO).

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the ".NET Trust Level" icon.
4. If the .NET Trust level is not set to "Medium" or less, this is a finding.

Responsibility

Web Administrator

Removed

V-26041

The web-site must limit the number of bytes accepted in a request.

Finding ID
WA000-WI6210
Rule ID
SV-32692r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6210
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Setting limits on web requests helps ensure the availability of web services and mitigates the risk of buffer overflow type attacks. The maxAllowedContentLength Request Filter limits the number of bytes the server will accept in a request.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
5. Set the maxAllowedContentLength value to 30000000.

Check Content

For each site reviewed:

1. Open the IIS Manager.
2. Click on the site name.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.

If the maxAllowedContentLength value is not set to 30000000, this is a finding.

NOTE: If the site has operational reasons to set maxAllowedContentLength to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Responsibility

Web Administrator

Removed

V-26042

The production web-site must limit the MaxURL.

Finding ID
WA000-WI6220
Rule ID
SV-32693r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6220
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Request filtering replaces URLScan in IIS, enabling administrators to create a more granular rule set with which to allow or reject inbound web content. Setting limits on web requests helps ensure the availability of web services and may also help mitigate the risk of buffer overflow type attacks. The MaxURL Request Filter limits the number of bytes the server will accept in a URL.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
5. Set the maxURL value to 4096.

Check Content

For each site reviewed:

1. Open the IIS Manager.
2. Click on the site name.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.

If the maxURL value is not set to 4096, this is a finding.

NOTE: If the site has operational reasons to set maxURL to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Responsibility

Web Administrator

Removed

V-26043

The production web-site must configure the Maximum Query String limit.

Finding ID
WA000-WI6230
Rule ID
SV-32694r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6230
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Setting limits on web requests helps ensure the availability of web services and may also help mitigate the risk of buffer overflow type attacks. The Maximum Query String Request Filter sets the upper limit on allowable query string lengths. When a request exceeds the configured value, IIS generates a 404.15 status code.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
5. Set the Maximum Query String value to 2048.

Check Content

For each site reviewed:

1. Open the IIS Manager.
2. Click on the site name.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.

If the Maximum Query String value is not set to 2048, this is a finding.

NOTE: If the site has operational reasons to set Maximum Query String to an alternate value, and has supporting documentation signed by the ISSO, this is not a finding.

Responsibility

Web Administrator

Removed

V-26044

The web-site must not allow non-ASCII characters in URLs.

Finding ID
WA000-WI6240
Rule ID
SV-32695r4_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6240
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Setting limits on web requests helps ensure the availability of web services and mitigates the risk of buffer overflow type attacks. The allow high-bit characters Request Filter setting controls whether requests containing non-ASCII characters are rejected; clearing it causes IIS to reject such requests.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
5. Uncheck the allow high-bit characters checkbox.

Check Content

For each site reviewed:

1. Open the IIS Manager.
2. Click on the site name.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.

If the allow high-bit characters checkbox is checked, this is a finding.

NOTE: If the site has operational reasons to leave allow high-bit characters checked, this vulnerability can be documented locally by the ISSM/ISSO.

Responsibility

Web Administrator

Removed

V-26045

The web-site must not allow double encoded URL requests.

Finding ID
WA000-WI6250
Rule ID
SV-32696r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6250
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Request filtering enables administrators to create a more granular rule set with which to allow or reject inbound web content. Setting limits on web requests helps ensure the availability of web services and mitigates the risk of buffer overflow type attacks. Disabling the allow double escaping option prevents attacks that rely on double-encoded requests.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
5. Uncheck the allow double escaping checkbox.

Check Content

For each site reviewed:

1. Open the IIS Manager.
2. Click on the site name.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.

If the allow double escaping checkbox is checked, this is a finding.

Responsibility

Web Administrator

Removed

V-26046

The production web-site must filter unlisted file extensions in URL requests.

Finding ID
WA000-WI6260
Rule ID
SV-32697r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6260
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Request filtering enables administrators to create a more granular rule set to allow or reject inbound web content. Setting limits on web requests helps ensure the availability of web services and may also help mitigate the risk of buffer overflow type attacks. When the allow unlisted property of the File Extensions Request Filter is disabled, IIS rejects requests for file extensions not defined in the File Extensions filter. Tripping this filter causes IIS to generate a 404.7 status code.

Fix Text

1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
5. Uncheck the allow unlisted file extensions checkbox.

Check Content

For each site reviewed:

1. Open the IIS Manager.
2. Click on the site name.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.

If the allow unlisted file extensions checkbox is checked, this is a finding.

Responsibility

Web Administrator
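The six Request Filtering rules above (V-26041 through V-26046) all live in the same <requestFiltering> section of a site's web.config, so they can be audited together from the file rather than by clicking through IIS Manager. The script below is an added example, not part of the STIG or of IIS: it parses a constructed web.config fragment and returns the V-IDs that would be findings; the defaults it assumes for absent attributes are the documented IIS 7 defaults.

```python
"""Audit IIS 7 Request Filtering settings against V-26041 through V-26046.

Added example (not part of the STIG): parses the <requestFiltering> section of a
web.config and reports the V-IDs that would be findings. Sample configurations
below are constructed; the expected values come from each rule's Fix Text.
"""
import xml.etree.ElementTree as ET

# Fix Text values per rule: V-26041 (content length), V-26042 (MaxURL), V-26043 (query string).
EXPECTED_LIMITS = {
    "maxAllowedContentLength": ("V-26041", 30000000),
    "maxUrl": ("V-26042", 4096),
    "maxQueryString": ("V-26043", 2048),
}

# Values IIS 7 applies when the attribute is absent from the configuration (assumption:
# these are the documented IIS defaults, so an absent attribute is audited as its default).
IIS_DEFAULTS = {
    "maxAllowedContentLength": "30000000",
    "maxUrl": "4096",
    "maxQueryString": "2048",
    "allowHighBitCharacters": "true",
    "allowDoubleEscaping": "false",
    "allowUnlisted": "true",
}


def _attr(element, name):
    """Return an attribute's string value, falling back to the IIS default when the
    element or the attribute is missing."""
    if element is not None and name in element.attrib:
        return element.attrib[name]
    return IIS_DEFAULTS[name]


def _is_true(value):
    return value.strip().lower() == "true"


def audit_request_filtering(config_xml):
    """Return the list of V-IDs that are findings for this configuration, in rule order.

    The ISSO-documented exceptions that the Check Content allows for V-26041..V-26044 are
    a paperwork decision, so deviations are reported here as findings regardless."""
    root = ET.fromstring(config_xml)
    rf = root.find(".//requestFiltering")          # None when the section is absent
    limits = rf.find("requestLimits") if rf is not None else None
    extensions = rf.find("fileExtensions") if rf is not None else None
    findings = []

    for attr, (rule, expected) in EXPECTED_LIMITS.items():
        if int(_attr(limits, attr)) != expected:
            findings.append(rule)

    if _is_true(_attr(rf, "allowHighBitCharacters")):   # V-26044: non-ASCII in URLs
        findings.append("V-26044")
    if _is_true(_attr(rf, "allowDoubleEscaping")):      # V-26045: double-encoded URLs
        findings.append("V-26045")
    if _is_true(_attr(extensions, "allowUnlisted")):    # V-26046: unlisted file extensions
        findings.append("V-26046")
    return findings


# Constructed sample: MaxURL raised, high-bit characters allowed, unlisted extensions allowed.
NONCOMPLIANT_WEB_CONFIG = """\
<configuration>
  <system.webServer>
    <security>
      <requestFiltering allowHighBitCharacters="true" allowDoubleEscaping="false">
        <requestLimits maxAllowedContentLength="30000000" maxUrl="8192" maxQueryString="2048" />
        <fileExtensions allowUnlisted="true" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed sample: every setting matches the STIG Fix Text.
COMPLIANT_WEB_CONFIG = """\
<configuration>
  <system.webServer>
    <security>
      <requestFiltering allowHighBitCharacters="false" allowDoubleEscaping="false">
        <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="2048" />
        <fileExtensions allowUnlisted="false" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("non-compliant", NONCOMPLIANT_WEB_CONFIG), ("compliant", COMPLIANT_WEB_CONFIG)):
        print(f"{label}: findings = {audit_request_filtering(cfg) or 'none'}")
```

A web.config with no <requestFiltering> section at all is audited against the IIS defaults, which is why such a file still produces findings for V-26044 and V-26046.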

Removed

V-26279

Error logging must be enabled.

Finding ID
WA00605 W22
Rule ID
SV-33147r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA00605
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or “unauthorized” errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems.

Fix Text

Edit the httpd.conf file and enter the name and path to the ErrorLog.

Check Content

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive:

ErrorLog

This directive specifies the name and location of the error log. If it is not found, this is a finding.

Note: This check is applicable to every host and virtual host the web server is supporting.

Responsibility

Web Administrator

Removed

V-26280

The sites error logs must log the correct format.

Finding ID
WA00612 W22
Rule ID
SV-33149r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA00612
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or “unauthorized” errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems.

Fix Text

Edit the configuration file(s) and add:

LogFormat "%a %A %h %H %l %m %s %t %u %U \"%{Referer}i\"" combined

Check Content

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive:

LogFormat

The minimum items to be logged are as shown in the sample below:

LogFormat "%a %A %h %H %l %m %s %t %u %U \"%{Referer}i\"" combined

Verify the information following the LogFormat directive meets or exceeds the minimum requirement above. If any LogFormat directive does not meet this requirement, this is a finding.

Responsibility

Web Administrator

Removed

V-26281

System logging must be enabled.

Finding ID
WA00615 W22
Rule ID
SV-33151r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA00615
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or “unauthorized” errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems.

The mod_log_config module provides for flexible logging of client requests. Logs are written in a customizable format, and may be written directly to a file, or to an external program. Conditional logging is provided so that individual requests may be included or excluded from the logs based on characteristics of the request. Three directives are provided by this module: TransferLog to create a log file, LogFormat to set a custom format, and CustomLog to define a log file and format in one step. The TransferLog and CustomLog directives can be used multiple times in each server to cause each request to be logged to multiple files.

The server error log, whose name and location are set by the ErrorLog directive, is the most important log file. This is the place where Apache httpd will send diagnostic information and record any errors that it encounters in processing requests. It is the first place to look when a problem occurs with starting the server or with the operation of the server, since it will often contain details of what went wrong and how to fix it.

Fix Text

Edit the httpd.conf file and configure to load the log_config_module. Configure with ErrorLog and CustomLog directives to ensure comprehensive system and access logging.

Check Content

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive:

LoadModule log_config_module modules/mod_log_config.so

If the LoadModule log_config_module directive is commented out or does not exist, this is a finding.

Search for both of the following uncommented directives: ErrorLog and CustomLog. If uncommented directives for both ErrorLog and CustomLog are not found, this is a finding.

Note: This check is applicable to every host and virtual host the web server is supporting.

Responsibility

Web Administrator

Removed

V-26282

The LogLevel directive must be enabled.

Finding ID
WA00620 W22
Rule ID
SV-33153r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA00620
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or “unauthorized” errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. While the ErrorLog directive configures the error log file name, the LogLevel directive is used to configure the severity level for the error logs. The log level values are the standard syslog levels: emerg, alert, crit, error, warn, notice, info and debug.

Fix Text

Edit the httpd.conf file and add the value LogLevel warn.

Check Content

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive:

LogLevel

All enabled LogLevel directives must be set to a minimum of “warn”; if not, this is a finding.

Note: If LogLevel is set to error, crit, alert, or emerg, which are higher thresholds, this is not a finding.

Responsibility

Web Administrator

Removed

V-26285

Active software modules must be minimized.

Finding ID
WA00500 W22
Rule ID
SV-33167r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA00500
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Modules are the source of the Apache httpd server's core and dynamic capabilities, but not every available module is needed for operation; most installations only need a small subset of the modules available. By minimizing the enabled modules to only those that are required, we reduce the number of doors and therefore the attack surface of the web site. Likewise, having fewer modules means less software that could have vulnerabilities.

Fix Text

Disable any modules that are not needed by adding a "#" in front of them within the httpd.conf file, and restarting the Apache httpd service.

Check Content

Open a command prompt window. Navigate to the “bin” directory (in many cases this may be [Drive Letter]:\[directory path]\Apache Software Foundation\Apache2.2\bin>). Enter the following command and press Enter:

httpd -M

This will provide a list of the loaded modules. Discuss with the web administrator why all displayed modules are required for operation. If any module is not required for operation, this is a finding.

Note: The following modules do not need to be discussed: core_module, win32_module, mpm_winnt_module, http_module, so_module.

Responsibility

Web Administrator

Removed

V-26287

Web Distributed Authoring and Versioning (WebDAV) must be disabled.

Finding ID
WA00505 W22
Rule ID
SV-33169r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA00505
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Apache mod_dav and mod_dav_fs modules support WebDAV ('Web-based Distributed Authoring and Versioning') functionality for Apache. WebDAV is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server. WebDAV is not widely used, and has serious security concerns as it may allow clients to modify unauthorized files on the web server. Therefore, the WebDAV modules mod_dav and mod_dav_fs should be disabled.

Fix Text

Disable all WebDAV modules by adding a "#" in front of them within the httpd.conf file, and restarting the Apache service.

Check Content

Open a command prompt window. Navigate to the “bin” directory (in many cases this may be [Drive Letter]:\[directory path]\Apache Software Foundation\Apache2.2\bin>). Enter the following command:

httpd -M <enter>

NOTE: Some installations may be running under apache.exe. In such a case, validate by running the following command:

apache -M <enter>

This will provide a list of all loaded modules. If any of the following modules are found, this is a finding: dav_module, dav_fs_module, or dav_lock_module.

Responsibility

Web Administrator

Removed

V-26294

Web server status module must be disabled.

Finding ID
WA00510 W22
Rule ID
SV-33171r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA00510
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Apache mod_info module provides information on the server configuration via access to a /server-info URL location, while the mod_status module provides current server performance statistics. While having server configuration and status information available as a web page may be convenient, it is recommended that these modules not be enabled: Once mod_info is loaded into the server, its handler capability is available in per-directory .htaccess files and can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc. If mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess) and may have security-related ramifications.

Fix Text

Disable info and status modules by adding a "#" in front of them within the httpd.conf file, and restarting the Apache service.

Check Content

Open a command prompt window. Navigate to the “bin” directory (in many cases this may be [Drive Letter]:\[directory path]\Apache Software Foundation\Apache2.2\bin>). Enter the following command:

httpd -M <enter>

NOTE: Some installations may be running under apache.exe. In such a case, validate by running the following command:

apache -M <enter>

This will provide a list of all loaded modules. If either of the following modules is found, this is a finding: info_module or status_module.

Responsibility

Web Administrator

Removed

V-26299

The web server must not be configured as a proxy server.

Finding ID
WA00520 W22
Rule ID
SV-33173r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA00520
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Apache proxy modules allow the server to act as a proxy (either forward or reverse proxy) of HTTP and, with additional proxy modules loaded, other protocols. If the Apache installation is not intended to proxy requests to or from another network, then the proxy module should not be loaded. Proxy servers can act as an important security control when properly configured; however, a secure proxy server is not within the scope of this STIG. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests is a very common attack, as proxy servers are useful for anonymizing attacks on other servers, or possibly proxying requests into an otherwise protected network.

Fix Text

Disable all proxy modules by adding a "#" in front of them within the httpd.conf file, and restarting the Apache service.

Check Content

Note: If the Apache web server is only performing in a proxy server role and does not host any websites nor support any applications, this check is Not Applicable.

Open a command prompt window. Navigate to the “bin” directory (in many cases this may be [Drive Letter]:\[directory path]\Apache Software Foundation\Apache2.2\bin>). Enter the following command:

httpd -M <enter>

Note: Some installations may be running under apache.exe. In such a case, validate by running the following command:

apache -M <enter>

This will provide a list of all loaded modules. If any of the following modules are found, this is a finding: proxy_module, proxy_ajp_module, proxy_balancer_module, proxy_ftp_module, proxy_http_module, or proxy_connect_module.

Responsibility

Web Administrator

Removed

V-26302

User specific directories must not be globally enabled.

Finding ID
WA00525 W22
Rule ID
SV-33175r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA00525
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The UserDir directive must be disabled so that user home directories are not accessed via the web site with a tilde (~) preceding the username. The directive also sets the path name of the directory that will be accessed. The user directories should not be globally enabled since it allows anonymous access to anything users may want to share with other users on the network. Also consider that every time a new account is created on the system, there is potentially new content available via the web site.

Fix Text

Disable the userdir_module by adding a "#" in front of it within the httpd.conf file, and restarting the Apache service.

Check Content

Open a command prompt window. Navigate to the “bin” directory (in many cases this may be [Drive Letter]:\[directory path]\Apache Software Foundation\Apache2.2\bin>). Enter the following command:

httpd -M <enter>

NOTE: Some installations may be running under apache.exe. In such a case, validate by running the following command:

apache -M <enter>

This will provide a list of all loaded modules. If the following module is found, this is a finding: userdir_module.

Responsibility

Web Administrator
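The five module rules above (V-26285, V-26287, V-26294, V-26299 and V-26302) are all decided from the same `httpd -M` listing, so one pass over that output answers all of them. The script below is an added example, not part of the STIG or of Apache: it parses a constructed `httpd -M` output, reports the prohibited modules per rule, and lists the remaining modules the web administrator has to justify under V-26285.

```python
"""Audit the module list printed by `httpd -M` (or `apache -M`) against
V-26285, V-26287, V-26294, V-26299 and V-26302.

Added example (not part of the STIG). The module output below is constructed for
the demonstration; the prohibited-module lists and the five modules that need no
discussion are taken from the Check Content of the rules above.
"""

# Modules whose presence is an automatic finding, keyed by rule.
PROHIBITED_MODULES = {
    "V-26287": {"dav_module", "dav_fs_module", "dav_lock_module"},    # WebDAV
    "V-26294": {"info_module", "status_module"},                      # server-info / server-status
    "V-26299": {"proxy_module", "proxy_ajp_module", "proxy_balancer_module",
                "proxy_ftp_module", "proxy_http_module", "proxy_connect_module"},
    "V-26302": {"userdir_module"},                                    # ~user home directories
}

# V-26285: these modules do not need to be justified by the web administrator.
BASELINE_MODULES = {"core_module", "win32_module", "mpm_winnt_module", "http_module", "so_module"}


def parse_loaded_modules(output):
    """Extract module names from `httpd -M` output.

    Each module line looks like ' dav_module (shared)'. The 'Loaded Modules:' header and
    any other chatter (e.g. 'Syntax OK') is skipped because it does not end in '_module'."""
    modules = []
    for line in output.splitlines():
        tokens = line.split()
        if tokens and tokens[0].endswith("_module"):
            modules.append(tokens[0])
    return modules


def audit_loaded_modules(output):
    """Return {rule_id: [offending modules]} for every prohibited module that is loaded."""
    loaded = set(parse_loaded_modules(output))
    findings = {}
    for rule, banned in PROHIBITED_MODULES.items():
        hits = sorted(loaded & banned)
        if hits:
            findings[rule] = hits
    return findings


def modules_needing_justification(output):
    """V-26285: every loaded module outside the baseline must be justified by the
    web administrator, or it is a finding."""
    return sorted(set(parse_loaded_modules(output)) - BASELINE_MODULES)


# Constructed sample output from `httpd -M` on an Apache 2.2 Windows install.
SAMPLE_HTTPD_M_OUTPUT = """\
Loaded Modules:
 core_module (static)
 win32_module (static)
 mpm_winnt_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 dav_module (shared)
 dir_module (shared)
 log_config_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 status_module (shared)
Syntax OK
"""

if __name__ == "__main__":
    for rule, mods in audit_loaded_modules(SAMPLE_HTTPD_M_OUTPUT).items():
        print(f"{rule}: finding, loaded {', '.join(mods)}")
    print("modules to justify (V-26285):",
          ", ".join(modules_needing_justification(SAMPLE_HTTPD_M_OUTPUT)))
```

Feed it the real listing with `httpd -M > modules.txt` and `audit_loaded_modules(open("modules.txt").read())`; prohibited modules in the justification list still count as findings under their own rule.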

Removed

V-26305

The process ID (PID) file must be properly secured.

Finding ID
WA00530 W22
Rule ID
SV-33177r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA00530
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The PidFile directive sets the path to the process ID file to which the server records the process ID of the server, which is useful for sending a signal to the server process or for checking on the health of the process. If the PidFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a PID file with the same name.

Fix Text

Modify the location and/or permissions for the PID file and/or folder.

Check Content

Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following directive:

PidFile

Note the location and name of the PID file. If the PID file location is not specified in the conf file, use the \logs directory as the PID file location. Verify the permissions on the folder containing the PID file. If any user accounts other than administrator, auditor, or the account used to run the web server have permission to this file, this is a finding. If the PID file is located in the web server DocumentRoot, this is a finding.

Responsibility

Web Administrator

Removed

V-26322

The ScoreBoard file must be properly secured.

Finding ID
WA00535 W22
Rule ID
SV-33178r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA00535
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The ScoreBoardFile directive sets a file path which the server will use for Inter-Process Communication (IPC) among the Apache processes. If the directive is specified, then Apache will use the configured file for the inter-process communication. Therefore, if it is specified, it needs to be located in a secure directory. If the ScoreBoard file is placed in an openly writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a file with the same name, and/or users could monitor and disrupt the communication between the processes by reading and writing to the file.

Fix Text

Modify the location and/or permissions for the ScoreBoard file and/or folder.

Check Content

Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive:

ScoreBoardFile

If the ScoreBoardFile directive is found uncommented, note the directory specified in the directive statement that holds the Scoreboard file. If the ScoreBoardFile directive is not found enabled in the conf file, use \logs as the directory containing the Scoreboard file. If any users other than administrator or the account used to run the web server have permission to the scoreboard file directory, this is a finding. If the ScoreBoard file is located in the web server document root, this is a finding.

Responsibility

Web Administrator

Removed

V-26323

The web server must be configured to explicitly deny access to the OS root.

Finding ID
WA00540 W22
Rule ID
SV-33180r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA00540
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Apache Directory directive allows for directory-specific configuration of access controls and many other features and options. One important usage is to create a default deny policy that does not allow access to operating system directories and files, except for those specifically allowed. This is done by denying access to the OS root directory. One aspect of Apache which is occasionally misunderstood is the feature of default access: unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can and will serve it to clients. Default deny is a predominant security principle that helps prevent unintended access, and it is applied here by denying access to the OS root directory. The Order directive is important as it provides for other Allow directives to override the default deny.

Fix Text

Add the following after the root directory directive:

Order deny,allow
Deny from all

Check Content

Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive:

Directory

For every root directory entry (i.e., <Directory />) ensure the following exists after it:

Order deny,allow
Deny from all

If the statement above is not found in the root directory statement, this is a finding. If Allow directives are included in the root directory statement, this is a finding. If the root directory statement is not found at all, this is a finding.

Responsibility

Web Administrator

Removed

V-26324

Web server options for the OS root must be disabled.

Finding ID
WA00545 W22
Rule ID
SV-33182r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA00545
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation. The Options directive for the root OS level is used to create a default minimal options policy that allows only the minimal options at the root directory level. Then for specific web sites or portions of the web site, options may be enabled as needed and appropriate. No options should be enabled and the value for the Options Directive should be None.

Fix Text

Ensure the Directory directive has the following after it:

Options None

Check Content

Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive:

Directory

For every root directory entry (i.e., <Directory />) ensure the following entry exists after it:

Options None

If the statement above is not found in the root directory statement, this is a finding. If Allow directives are included in the root directory statement, this is a finding. If the root directory statement is not found at all, this is a finding.

Responsibility

Web Administrator

Removed

V-26325

The TRACE method must be disabled.

Finding ID
WA00550 W22
Rule ID
SV-33183r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA00550
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Use the Apache TraceEnable directive to disable the HTTP TRACE request method. Refer to the Apache documentation for more details: http://httpd.apache.org/docs/2.2/mod/core.html#traceenable. The HTTP 1.1 protocol requires support for the TRACE request method, which reflects the request back as a response and was intended for diagnostic purposes. The TRACE method is not needed, is easily subject to abuse, and should be disabled.

Fix Text

Disable the TraceEnable directive by setting it to "off".

Check Content

Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive:

TraceEnable

For any enabled TraceEnable directives, ensure they are part of the server-level configuration (i.e., not nested in a <Directory> or <Location> directive). Also ensure that the TraceEnable directive is set to “Off”. If the TraceEnable directive is not part of the server-level configuration and/or is not set to “Off”, this is a finding. If the directive does not exist in the conf file, this is a finding, as the default value is "On".

Responsibility

Web Administrator

Removed

V-26326

The web server must be configured to listen on a specific IP address and port.

Finding ID
WA00555 W22
Rule ID
SV-33184r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA00555
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Apache Listen directive specifies the IP addresses and port numbers on which the Apache web server will listen for requests. Rather than being unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended must be explicitly specified. Specifically, a Listen directive with no IP address specified, or with an all-zeros IP address, should not be used. Having multiple interfaces on web servers is fairly common, and without explicit Listen directives the web server is likely to be listening on an inappropriate IP address or interface that was not intended for the web server. Single-homed systems with a single IP address are also required to have an explicit IP address in the Listen directive, in case additional interfaces are added to the system at a later date.

Fix Text

Configure the Listen directive to listen on a specific IP address and port.

Check Content

Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive:
Listen
For any enabled Listen directives, ensure they specify both an IP address and a port number. If the Listen directive is found with only an IP address, or only a port number specified, this is a finding. If the IP address is all zeros (i.e., 0.0.0.0:80 or [::ffff:0.0.0.0]:80), this is a finding. If the Listen directive does not exist, this is a finding.

Responsibility

Web Administrator

Removed

V-26327

The URL-path name must be set to the file path name or the directory path name.

Finding ID
WA00560 W22
Rule ID
SV-33185r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA00560
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The ScriptAlias directive controls which directories the Apache server "sees" as containing scripts. If the directive uses a URL-path name that is different than the actual file system path, the potential exists to expose the script source code.

Fix Text

Modify the ScriptAlias directive so the URL-path and file-path/directory-path entries match.

Check Content

Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive:
ScriptAlias
If any enabled ScriptAlias directive does not have matching URL-path and file-path/directory-path entries, this is a finding.
Example:
Not a finding: ScriptAlias /cgi-bin/ "[Drive Letter]:/[directory path]/cgi-bin/"
A finding: ScriptAlias /script-cgi-bin/ "[Drive Letter]:/[directory path]/cgi-bin/"

Responsibility

Web Administrator

Removed

V-26368

Automatic directory indexing must be disabled.

Finding ID
WA00515 W22
Rule ID
SV-33225r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA00515
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

To identify the type and version of web server software installed, it is common for attackers to scan for icons or special content specific to the server type and version. A simple request like http://example.com/icons/apache_pb2.png may tell the attacker that the server is Apache 2.2. The many icons are used primarily for auto indexing, which is recommended to be disabled.

Fix Text

Disable the autoindex_module by adding a "#" in front of it within the httpd.conf file, and restarting the Apache httpd service.

Check Content

Open a command prompt window. Navigate to the “bin” directory (in many cases this may be [Drive Letter]:\[directory path]\Apache Software Foundation\Apache2.2\bin). Enter the following command and press Enter:
httpd -M
This will provide a list of all loaded modules. If the following module is found, this is a finding: autoindex_module.

Responsibility

Web Administrator

Removed

V-26393

The ability to override the access configuration for the OS root directory must be disabled.

Finding ID
WA00547 W22
Rule ID
SV-33237r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA00547
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Apache AllowOverride directive controls whether .htaccess files can be used to override much of the configuration, including authentication, handling of document types, auto-generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName), it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, .htaccess files are completely ignored; the server will not even attempt to read .htaccess files in the file system. When this directive is set to All, any directive which has the .htaccess Context is allowed in .htaccess files.

Fix Text

Add the following after the Directory directive: AllowOverride None

Check Content

Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive:
Directory
For every root directory entry (i.e., <Directory />), ensure the following entry exists after it:
AllowOverride None
If the statement above is not found in the root directory statement, this is a finding. If Allow directives are included in the root directory statement, this is a finding. If the root directory statement is not found at all, this is a finding.

Responsibility

Web Administrator

Removed

V-26396

HTTP request methods must be limited.

Finding ID
WA00565 W22
Rule ID
SV-33238r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA00565
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For example, methods such as PUT and DELETE are rarely used and should be disabled in keeping with the primary security principle of minimizing features and options. Also, since these methods are typically used to modify resources on the web server, they should be explicitly disallowed. For normal web server operation, you will typically need to allow only the GET, HEAD, and POST request methods. This allows for downloading web pages and submitting information to web forms. The OPTIONS request method will also be allowed, as it is used to request which HTTP request methods are allowed.

Fix Text

Add the following to all enabled Directory directives except root:
Order allow,deny
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>

Check Content

Note: If HTTP commands (GET, PUT, POST, DELETE) are not being used and the server is solely configured as a proxy server, this is Not Applicable.
Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive:
Directory
For every enabled Directory directive (except root), ensure the following entry exists:
Order allow,deny
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
If the statement above is found in the root directory statement (i.e., <Directory />), this is a finding. If the statement above is found enabled but without the appropriate LimitExcept or Order statement, this is a finding. If the statement is not found at all inside an enabled Directory directive, this is a finding.
Note: If the LimitExcept statement above is operationally limiting, this should be explicitly documented with the Web Manager, at which point this can be considered not a finding.

Responsibility

Web Administrator
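The httpd.conf checks in the preceding Apache entries (Options None and AllowOverride None on the root <Directory />, TraceEnable at server level, and the per-directory LimitExcept block) depend on where a directive sits, not only on whether it appears: a plain text search cannot tell a server-level TraceEnable Off from one nested in a <Location> block. The following Python audit is an added example, not part of the STIG or of the Apache project; it parses the file into its nested containers and applies those checks, and the configuration it carries is a constructed sample.

```python
"""Audit an Apache httpd.conf for the directive checks in the entries above.

Added example, not DISA's or the Apache project's code. The parser is a
simplified model of httpd.conf: every <Tag ...> ... </Tag> pair becomes a
container; Include, <IfModule> and <VirtualHost> get no special handling.
HARDENED_CONF below is a constructed sample, not a real server's configuration.
"""
import re

OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


class Section:
    # A container (<Directory>, <Location>, <LimitExcept>, ...) or the server scope.
    def __init__(self, kind, arg=""):
        self.kind, self.arg, self.directives, self.children = kind, arg, [], []

    def values(self, name):
        return [v for n, v in self.directives if n.lower() == name.lower()]

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()


def parse_httpd_conf(text):
    """Build the Section tree; comment and blank lines are ignored."""
    root = Section("server")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN_RE.match(line):
            child = Section(m.group(1), m.group(2).strip().strip('"'))
            stack[-1].children.append(child)
            stack.append(child)
        elif m := CLOSE_RE.match(line):
            if len(stack) == 1 or stack[-1].kind.lower() != m.group(1).lower():
                raise ValueError(f"unbalanced </{m.group(1)}>")
            stack.pop()
        else:
            name, _, value = line.partition(" ")
            stack[-1].directives.append((name, value.strip()))
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1].kind}>")
    return root


def audit(text):
    """Return finding strings; an empty list means every check passed."""
    root = parse_httpd_conf(text)
    findings = []
    # V-26325: TraceEnable Off at server level (the default is On) and never nested.
    trace = root.values("TraceEnable")
    if not trace or any(v.lower() != "off" for v in trace):
        findings.append("TraceEnable missing at server level or not Off")
    for s in root.walk():
        if s is not root and s.values("TraceEnable"):
            findings.append(f"TraceEnable nested inside <{s.kind} {s.arg}>")
    # Root <Directory />: Options None, AllowOverride None, no Allow, no LimitExcept.
    # Every other <Directory> (V-26396): Order allow,deny plus LimitExcept GET POST OPTIONS.
    dirs = [s for s in root.walk() if s.kind.lower() == "directory"]
    if not any(d.arg == "/" for d in dirs):
        findings.append("no <Directory /> block")
    for d in dirs:
        limits = [c for c in d.children if c.kind.lower() == "limitexcept"]
        if d.arg == "/":
            for name in ("Options", "AllowOverride"):
                if not any(v.lower() == "none" for v in d.values(name)):
                    findings.append(f"<Directory />: missing '{name} None'")
            if d.values("Allow"):
                findings.append("<Directory />: Allow directive present")
            if limits:
                findings.append("<Directory />: LimitExcept must not be in the root block")
            continue
        limited = any(set(c.arg.upper().split()) == {"GET", "POST", "OPTIONS"}
                      and "from all" in [v.lower() for v in c.values("Deny")]
                      for c in limits)
        ordered = "allow,deny" in [v.replace(" ", "").lower() for v in d.values("Order")]
        if not (limited and ordered):
            findings.append(f"<Directory {d.arg}>: missing Order allow,deny or LimitExcept")
    return findings


HARDENED_CONF = """\
TraceEnable Off
<Directory />
    Options None
    AllowOverride None
</Directory>
<Directory "C:/Apache2.2/htdocs">
    Order allow,deny
    <LimitExcept GET POST OPTIONS>
        Deny from all
    </LimitExcept>
</Directory>
"""
```

Running audit() over a file that keeps the stock defaults (Options FollowSymLinks and AllowOverride All on the root block, no TraceEnable line) reports one finding per failed check, so the output maps directly onto the finding statements in the entries above.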

Removed

V-3330

URLScan is not being used on the web server

Finding ID
WA000-WI040
Rule ID
SV-3330r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI040
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

URL parameter manipulation is an increasingly effective means for malicious users to compromise a web-based service. URLScan is a tool that IIS administrators (Web Managers) may use to help secure the web server. When URLScan is installed, it screens all incoming http requests to the server and filters them based on rules that the administrator has set. Even in its default configuration, this tool significantly improves the security of the server by helping to ensure that the server only responds to valid requests for service. The URLScan tool also produces a log file that records configuration and all HTTP requests which are ‘rejected’ by urlscan. This log file contains entries of potentially harmful http requests and thus provides an excellent means of providing focus on malicious activity directed at the web server.

Fix Text

Install URLScan or a comparable tool.

Check Content

Start >> Settings >> Control Panel >> Administrative Tools >> Internet Services >> Select the web server to be examined; select the Properties option by right clicking; select the WWW Service from the Master Properties pull-down, then click "Edit". Select the ISAPI Filters tab. Locate URLSCAN in the list. The name may be different, but you can click the Edit button to see the .dll that is in use. The URLSCAN .dll is urlscan.dll. If the URLScan tool is not installed in the ISAPI filters that are part of the web server, this is a finding. NOTE: In some cases, if the URLSCAN .dll is not included in the ISAPI filters, it may appear to work, but this will only be the case until the WWW service is restarted. In this situation, this would also be considered a finding.

Responsibility

System Administrator

Removed

V-3333

The web document (home) directory will be in a separate partition from the web server’s system files.

Finding ID
WG205
Rule ID
SV-3333r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG205
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. To obtain such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by mis-configuring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.

Fix Text

Move the web document (normally "htdocs") directory to a separate partition, other than the OS root partition and the web server’s system files.

Check Content

To view the DocumentRoot value, enter the following command:
grep "DocumentRoot" /usr/local/apache2/conf/httpd.conf
Note the location following the DocumentRoot string; this is the path to the document root directory. If the path is on the same partition as the web server system files or the OS root, this is a finding.

Responsibility

System Administrator

Removed

V-3963

Content Index Service indexes directories, other than web document directories.

Finding ID
WA000-WI070
Rule ID
SV-3963r1_rule
Severity
Cat III
CCE
(None)
Group Title
WA000-WI070
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Enabling indexing also facilitates directory traversal exploits. To reveal such information to a malicious user is potentially harmful. Such information and the contents of files listed are normally readable by the anonymous Web user, yet are not intended to be viewed as they often contain information relevant to the configuration and security of the Web service. The indexing service can be used to facilitate a search function for large Web sites.

Fix Text

Ensure that only the web document directories are indexed.

Check Content

From Internet Services Manager: select the web site to be examined. Select the Properties option by right clicking. Select the Home Directory tab. In the dialog menus that appear, if the Indexing checkbox is selected, go to Services under Administrative Tools in Control Panel and check whether the Indexing Service is installed. If it is, determine whether the start mode is either “Automatic” or “Manual”. If the Indexing checkbox is not checked, or the Indexing Service is not installed or is disabled, this is not a finding. If the Indexing checkbox is checked and the service is either Manual or Automatic, use the following procedure to examine the directories to be indexed. With the assistance of the web administrator and/or SA, use the Microsoft Management Console (MMC) to evaluate this catalog: Start >> Run >> mmc >> Console >> Add/Remove Snap-in >> Indexing Service (Add). Review the directories being indexed. If this service is in use, only the web content folders should be indexed. If you are not sure whether a folder is a web content folder, examine the Home Directory tab within the properties of the web site; this will indicate the path of the content for this web site. If the Indexing Service is running and directories other than web content directories are being indexed, this is a finding.

Responsibility

System Administrator

Removed

V-60709

The web server must remove all export ciphers from the cipher suite.

Finding ID
WG345 W22
Rule ID
SV-75161r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG345
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with the cipher suite it will use for communication from the client list. If an attacker can intercept the submission of cipher suites to the web server and place, as the preferred cipher suite, a weak export suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours.

Fix Text

Update the cipher specification string for all enabled SSLCipherSuite directives to include !EXPORT.

Check Content

Locate the Apache httpd.conf and ssl.conf files, if available. Open the httpd.conf and ssl.conf files with an editor and search for the following uncommented directive:
SSLCipherSuite
For all enabled SSLCipherSuite directives, ensure the cipher specification string contains the kill-cipher-from-list option for all export cipher suites, i.e., !EXPORT, which may be abbreviated !EXP. If the SSLCipherSuite directive does not contain !EXPORT, or there are no enabled SSLCipherSuite directives, this is a finding.

Responsibility

Web Administrator

Removed

V-6373

The required DoD banner page will be displayed to authenticated users accessing a DoD private web site.

Finding ID
WG265
Rule ID
SV-6446r1_rule
Severity
Cat III
CCE
(None)
Group Title
WG265
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A consent banner will be in place to make prospective entrants aware that the web site they are about to enter is a DoD web site and their activity is subject to monitoring.

Fix Text

Configure a DoD private web site to display the required DoD banner page when authentication is required for user access.

Check Content

Query the IAO, the SA, and the web administrator. The May 9, 2008 Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement, establishes interim policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for web sites with security and access controls. These are restricted and not publicly accessible. If the web site does not require authentication / authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html) or navigation to the web site via a browser can be used to confirm the information provided from interviewing the web staff. The following banner page must be in place: “You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy. 
Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.” Option 2: If your system cannot meet the character limits to store this amount of text in the banner, the following is another option for the warning banner: I've read & consent to terms in IS user agreem't. If the access-controlled web site does not display this banner page before entry, this is a finding.

Responsibility

Web Administrator

Removed

V-6485

Web server content and configuration files are not part of a routine backup program in order to recover from file damage and system failure.

Finding ID
WA140
Rule ID
SV-6572r1_rule
Severity
Cat III
CCE
(None)
Group Title
WA140
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the current version. It also provides a means to determine and recover from subsequent unauthorized changes to the software and data. A tested and verifiable backup strategy will be implemented for web server software as well as all web server data files. Backup and recovery procedures will be documented and the Web Manager or SA for the specific application will be responsible for the design, test, and implementation of the procedures. The site will have a contingency processing plan/disaster recovery plan that includes web servers. The contingency plan will be periodically tested in accordance with DoDI 8500.2 requirements. The site will identify an off-site storage facility in accordance with DoDI 8500.2 requirements. Off-site backups will be updated on a regular basis and the frequency will be documented in the contingency plan.

Fix Text

Document the backup procedures.

Check Content

The reviewer should query the Information Assurance Officer (IAO), SA, Web Manager, Webmaster, or developers as necessary to determine whether or not a tested and verifiable backup strategy has been implemented for web server software as well as all web server data files. Proposed questions: Who maintains the backup and recovery procedures? Do you have a copy of the backup and recovery procedures? Where is the off-site backup location? When was the last time the contingency plan was tested, and is that documented? If there is not a backup and recovery process for the web server, this is a finding. NOTE: Backup media containing sensitive data needs to be compliant with DOD Memorandum: "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media", dated 3 Jul 2007.

Responsibility

System Administrator

Removed

V-6531

A web server that utilizes PKI as an authentication mechanism must utilize subscriber certificates issued from a DoD-authorized Certificate Authority.

Finding ID
WG140
Rule ID
SV-6627r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG140
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A DoD private web server, existing within and available across the NIPRNet, must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions.

Fix Text

Edit the httpd.conf file and set the value of SSLVerifyClient to "require".

Check Content

To view the SSLVerifyClient value, enter the following command:
grep "SSLVerifyClient" /usr/local/apache2/conf/httpd.conf
If the value of SSLVerifyClient is not set to “require”, this is a finding.

Responsibility

Web Administrator

Removed

V-6724

Web server and/or operating system information will be protected.

Finding ID
WG520
Rule ID
SV-6938r1_rule
Severity
Cat III
CCE
(None)
Group Title
WG520
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The web server response header of an HTTP response can contain several fields of information including the requested HTML page. The information included in this response can be web server type and version, operating system and version, and ports associated with the web server. This provides the malicious user valuable information without the use of extensive tools.

Fix Text

Edit the /usr/local/apache2/conf/httpd.conf file and ensure the ServerTokens directive is set to Prod.

Check Content

Enter the following command:
grep "ServerTokens" /usr/local/apache2/conf/httpd.conf
The directive ServerTokens must be set to “Prod” (e.g., ServerTokens Prod). This directive controls whether the Server response header field sent back to clients includes a description of the OS type of the server and information about compiled-in modules. If web server or operating system information is sent to the client via the Server response header, or the directive does not exist, this is a finding. Note: The default value is Full.

Responsibility

System Administrator
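The grep-based checks on this page (ServerTokens above, SSLVerifyClient in V-6531, SSLCipherSuite in V-60709, and Listen in V-26326) each read one server-level directive, and a plain grep also matches a commented-out "#ServerTokens Prod" line. The following Python example is added here and is not part of the STIG or of the Apache project; it reads only the uncommented directives of httpd.conf and ssl.conf and checks their values, and it shows why the STIG asks for !EXPORT rather than -EXPORT: in an OpenSSL cipher string only the ! prefix removes a suite permanently. The configurations at the bottom are constructed samples.

```python
"""Grep-style checks for the single-line directives above: ServerTokens (V-6724),
SSLVerifyClient (V-6531), SSLCipherSuite (V-60709) and Listen (V-26326).

Added example, not DISA's or the Apache project's code. It mirrors the page's
grep "<Directive>" httpd.conf checks, but skips commented-out lines and reads
the values, so a leftover "#ServerTokens Prod" cannot pass the check.
The configurations at the bottom are constructed samples.
"""
import re

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]\w*)\s+(.*?)\s*$")


def uncommented(text, name):
    """Values of every enabled `name` directive, in file order."""
    return [m.group(2) for m in map(DIRECTIVE_RE.match, text.splitlines())
            if m and m.group(1).lower() == name.lower()]


def export_ciphers_killed(spec):
    """True when the OpenSSL cipher string permanently removes export suites.

    Only the '!' prefix is permanent: "ALL:-EXPORT:EXPORT" re-adds the suites
    removed by -EXPORT, whereas "!EXPORT" (or its alias "!EXP") cannot be undone
    by any later element of the string.
    """
    tokens = [t.strip().upper() for t in spec.strip('"').split(":")]
    return any(t in ("!EXPORT", "!EXP") for t in tokens)


def specific_listen(value):
    """True when a Listen value names an explicit IP address and a port."""
    host, sep, port = value.split()[0].rpartition(":")
    if not sep or not host or not port.isdigit():
        return False                      # port only, or address only
    host = host.strip("[]").lower()
    if host.startswith("::ffff:"):
        host = host[len("::ffff:"):]
    return not set(host) <= set("0.:")    # 0.0.0.0, :: and ::ffff:0.0.0.0 are wildcards


def audit(httpd_conf, ssl_conf=""):
    """Return finding strings for the combined httpd.conf and ssl.conf text."""
    text = httpd_conf + "\n" + ssl_conf
    findings = []
    tokens = uncommented(text, "ServerTokens")
    if not tokens or any(v.lower() != "prod" for v in tokens):
        findings.append("ServerTokens is not Prod (the default Full reveals OS and modules)")
    verify = uncommented(text, "SSLVerifyClient")
    if not verify or any(v.lower() != "require" for v in verify):
        findings.append("SSLVerifyClient is not require")
    suites = uncommented(text, "SSLCipherSuite")
    if not suites:
        findings.append("no enabled SSLCipherSuite directive")
    findings += [f"SSLCipherSuite {s}: export ciphers not killed with !EXPORT"
                 for s in suites if not export_ciphers_killed(s)]
    listens = uncommented(text, "Listen")
    if not listens:
        findings.append("no Listen directive")
    findings += [f"Listen {v}: needs an explicit IP address and port"
                 for v in listens if not specific_listen(v)]
    return findings


HARDENED_HTTPD = """\
Listen 192.0.2.10:443 https
ServerTokens Prod
#SSLCipherSuite ALL
"""
HARDENED_SSL = """\
SSLVerifyClient require
SSLCipherSuite "HIGH:!aNULL:!MD5:!EXPORT"
"""
DEFAULT_HTTPD = """\
Listen 80
# ServerTokens Prod
ServerTokens Full
SSLVerifyClient optional
SSLCipherSuite ALL:-EXPORT:EXPORT
"""
```

audit(HARDENED_HTTPD, HARDENED_SSL) returns no findings, while audit(DEFAULT_HTTPD) reports all four directives, including the cipher string that removes EXPORT with a minus sign and then silently re-enables it.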

Removed

V-6755

Directory Browsing is not disabled.

Finding ID
WA000-WI090
Rule ID
SV-6971r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI090
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

This ensures that your directory structure, filenames, and web publishing features are not accessible. Such information and the contents of files listed are normally readable by the anonymous web user, yet are not intended to be viewed as they often contain information relevant to the configuration and security of the web service. The Directory Browsing feature can be used to facilitate a directory traversal and subsequent directory traversal exploits.

Fix Text

Internet Services Manager (this selection starts the Microsoft Management Console, MMC) >> Select web site to be examined. Select Properties option by right clicking. Select Home Directory tab. In the dialog menus that appear deselect the Directory Browsing checkbox to disable Directory Browsing.

Check Content

Using IIS Manager: Select the web site to be examined. Select the Properties option. Select the Home Directory tab. In the window that appears, if the Directory Browsing checkbox is selected, Directory Browsing is enabled. If the Directory Browsing feature is enabled, this is a finding.

Responsibility

Web Administrator

Removed

V-91207

Public web server resources must not be shared with private assets.

Finding ID
IISW-SV-000160
Rule ID
SV-101307r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000243
CCI
CCI-001090
Target Key
(None)
Documentable
No
Discussion

It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets. When folders, drives, or other resources are directly shared between the public web server and private servers the intent of data and resource segregation can be compromised. Resources, such as, printers, files, and folders/directories must not be shared between public web servers and assets located within the internal network.

Fix Text

Configure the public web server to not have a trusted relationship with any system resource that is also not accessible to the public. Web content is not to be shared via Microsoft shares or NFS mounts.

Check Content

1. From a command prompt, type "net share" and press “Enter” to provide a list of available shares (including printers). 2. To display the permissions assigned to the shares type "net share" followed by the share name found in the previous step. If any private assets are assigned permissions to the share, this is a finding. If any printers are shared, this is a finding.

All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.

Finding ID
WG385 IIS7
Rule ID
SV-32478r3_rule
Severity
Cat I
CCE
(None)
Group Title
WG385
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (e.g., compiled code, scripts, web content, etc.). Delete all directories containing samples and any scripts used to execute the samples. If there is a requirement to maintain these directories on non-production servers for training purposes, have NTFS permissions set to only allow access to authorized users (i.e., web admins and administrators). Sample applications or scripts have not been evaluated and approved for use and may introduce vulnerabilities to the system.

Fix Text

Remove sample code and documentation from the web server.

Check Content

1. Navigate to the following folders:
inetpub\AdminScripts
inetpub\scripts\IISSamples
Program Files\Common Files\System\msadc
Program Files (x86)\Common Files\System\msadc
2. If the folders contain web server sample code and documentation, this is a finding.
Note: Any non-executable web server documentation or sample file found on the production web server and accessible to web users or non-administrators will be a CAT III finding. Any non-executable web server documentation or sample file found on the production web server and accessible only to SAs or web administrators is permissible and is not a finding.

Security Override Guidance

Any sample application or sample executable script found on the production web server will be a CAT I finding. Any web server documentation or sample file found on the production web server and accessible to web users or non-administrators will be a CAT III finding. Any web server documentation or sample file found on the production web server and accessible only to SAs or to web administrators is permissible and not a finding.

Responsibility

System Administrator

The private web server must use an approved DoD certificate validation process.

Finding ID
WG145 IIS7
Rule ID
SV-32479r3_rule
Severity
Cat II
CCE
(None)
Group Title
WG145
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Certificate Revocation List (CRL) is used for a number of reasons, for example, when an employee leaves, certificates expire, or if certificate keys become compromised and are reissued. Without the use of a certificate validation process, the server is vulnerable to accepting certificates that have expired or have been revoked. This could allow unauthorized individuals access to the web server. The CRL is a repository comprised of revoked certificate data, usually from many contributing CRL sources. Sites using an Online Certificate Status Protocol (OCSP) rather than CRL download to validate certificates will have obtained and installed an OCSP validation application.

Fix Text

Using vendor documentation as guidance, reconfigure the web server to use a certificate with an approved certificate validation process:
netsh http add sslcert
Alternatively, configure the existing certificate to validate certificate revocation: open the registry, locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443\DefaultSslCertCheckMode, modify the value to 0, and restart the server.

Check Content

Verify that Certificate Revocation List (CRL) checking is enabled on the web server. Open a Command Prompt and enter the following command:
netsh http show sslcert
Note the value assigned to the Verify Client Certificate Revocation element. If the Verify Client Certificate Revocation element is not enabled, this is a finding.

Responsibility

System Administrator
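The netsh check above reads the Verify Client Certificate Revocation field of each SSL binding, and a server with several bindings needs every one of them inspected. The following Python parser is an added example, not part of the STIG or of Windows; it assumes netsh prints each binding as a block of "Key : Value" lines beginning with an IP:port (or Hostname:port) line, and the sample output, certificate hashes, and Application ID it embeds are constructed placeholders, not values from any real system.

```python
"""Parse `netsh http show sslcert` output and flag SSL bindings whose
Verify Client Certificate Revocation setting is not Enabled (the check above).

Added example, not DISA's or Microsoft's code. It assumes netsh prints each
binding as "Key : Value" lines starting with an IP:port (or Hostname:port)
line, as in the constructed SAMPLE_OUTPUT below; the hashes and Application
ID there are placeholders, not values from any real system.
"""


def parse_sslcert(output):
    """Return one dict per SSL binding, keyed by the netsh field names."""
    bindings, current = [], None
    for line in output.splitlines():
        if " : " not in line:
            continue                       # headers, rules, blank lines
        key, value = (part.strip() for part in line.split(" : ", 1))
        if key in ("IP:port", "Hostname:port"):
            current = {"binding": value}   # a new binding starts here
            bindings.append(current)
        elif current is not None:
            current[key] = value
    return bindings


def revocation_findings(output):
    """Findings for bindings that do not check client certificate revocation."""
    bindings = parse_sslcert(output)
    if not bindings:
        return ["no SSL certificate bindings configured"]
    return [
        f"{b['binding']}: Verify Client Certificate Revocation is "
        f"{b.get('Verify Client Certificate Revocation', 'missing')}"
        for b in bindings
        if b.get("Verify Client Certificate Revocation", "").lower() != "enabled"
    ]


# Constructed sample of `netsh http show sslcert` output; all identifiers are placeholders.
SAMPLE_OUTPUT = """\
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0000000000000000000000000000000000000000
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    IP:port                      : 192.0.2.10:8443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Disabled
"""
```

On a real host the output would be captured with subprocess and passed to revocation_findings(); the remediation counterpart is the verifyclientcertrevocation=enable parameter of netsh http add sslcert, which sets the same field the parser reads.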

The File System Object component must be disabled.

Finding ID
WA000-WI100 IIS7
Rule ID
SV-46359r4_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI100
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Some Component Object Model (COM) components are not required for most applications and should be removed if possible. Most notably, consider disabling the File System Object component; however, this will also remove the Dictionary object. Be aware that some programs may require this component (e.g., Commerce Server), so it is highly recommended that this be tested completely before implementing on the production web server.

Fix Text

Run the following command, with administrator privileges, to unregister the File System Object:
regsvr32 scrrun.dll /u
Note: Make sure the Administrators group owns and has full permissions to the registry value HKCR\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0\0\win32 before trying to unregister the dll. Without the Administrators group owning and having full control of this key, the unregister command will error.

Check Content

1. Locate the registry key HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}. If the key exists, the File System Object component is enabled.
2. If the File System Object component is enabled and is not required for operations, this is a finding. If the File System Object component is required for operations and has supporting documentation signed by the ISSO, this is not a finding.

Potential Impact

Commerce Server does require this object to be registered.

Responsibility

Web Administrator

Public web server’s resources must not be shared with private assets.

Finding ID
WG040 IIS7
Rule ID
SV-32631r2_rule
Severity
Cat II
CCE
(None)
Group Title
WG040
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets. When folders, drives or other resources are directly shared between the public web server and private servers the intent of data and resource segregation can be compromised. Resources such as printers, files, and folders/directories must not be shared between public web servers and assets located within the internal network.

Fix Text

Configure the public web server to not have a trusted relationship with any system resource that is also not accessible to the public. Web content is not to be shared via Microsoft shares or NFS mounts.

Check Content

1. From a command prompt, type "net share" and press Enter to provide a list of available shares (including printers).
2. To display the permissions assigned to the shares, type "net share" followed by the share name found in the previous step.
If any private assets are assigned permissions to the share, this is a finding. If any printers are shared, this is a finding.

Responsibility

System Administrator

The service account ID used to run the website must have its password changed at least annually.

Finding ID
WG060 IIS7
Rule ID
SV-36487r4_rule
Severity
Cat II
CCE
(None)
Group Title
WG060
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Normally, a service account is established for the web service to run under rather than permitting it to run as system or root. If the web service account requires a password, the password must be changed at least annually. It is a fundamental tenet of security that passwords are not to be null and must not be set to never expire.

Fix Text

Configure the service account ID used to run the web-site to have its password changed at least annually, or use the local system account.

Check Content

1. Go to Start, Administrative Tools, and then Services.
2. Right-click on service name World Wide Web Publishing Service, select Properties, and then select the Log On tab.
3. If “Local System account” is selected for the logon account, this is not a finding. If the “This account” option is selected, the username given is the web service account ID.
4. Open a command prompt and enter Net User [service account ID], press Enter.
5. Verify the values for Password last set and Password expires to ensure the password has been changed in the past year and will be required to change within the coming year.
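An added example, not part of the STIG, that automates steps 2 through 5: it reads the W3SVC log-on account from WMI, treats Local System and the other built-in service identities as not a finding, and for a real account reads the same password age and never-expires flag that "net user" displays through the WinNT ADSI provider. Assumes PowerShell 3.0 or later and an elevated session on the IIS host; UPN-form account names are not handled.

```powershell
# Added example (not from the STIG): evaluate the W3SVC service account against this
# check (password changed within the last year, not set to never expire).

function Get-WebServiceAccountPasswordState {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='W3SVC'"
    if (-not $svc) { throw 'W3SVC (World Wide Web Publishing Service) is not installed.' }

    $logon = $svc.StartName
    $state = [ordered]@{
        LogOnAs              = $logon
        UsesBuiltInIdentity  = $false
        PasswordAgeDays      = $null
        PasswordNeverExpires = $null
        Finding              = $false
    }

    # Step 3 of the Check Content: Local System is not a finding. The other built-in
    # service identities have no administrator-managed password either.
    $builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    if ($builtIn -contains $logon) {
        $state.UsesBuiltInIdentity = $true
        return [pscustomobject]$state
    }

    # Split "DOMAIN\user"; ".\user" or a bare name means a local account.
    $parts = $logon -split '\\', 2
    if ($parts.Count -eq 2) { $domain, $user = $parts } else { $domain = '.'; $user = $parts[0] }
    if ($domain -eq '.') { $domain = $env:COMPUTERNAME }

    # PasswordAge is the seconds since the password was last set (what "net user" shows as
    # "Password last set"); UserFlags carries the "Password never expires" bit.
    $account    = [ADSI]"WinNT://$domain/$user,user"
    $ageSeconds = [int]$account.PasswordAge.Value
    $flags      = [int]$account.UserFlags.Value

    $state.PasswordAgeDays      = [math]::Floor($ageSeconds / 86400)
    $state.PasswordNeverExpires = (($flags -band 0x10000) -ne 0)   # ADS_UF_DONT_EXPIRE_PASSWD
    $state.Finding = ($state.PasswordAgeDays -gt 365) -or $state.PasswordNeverExpires
    [pscustomobject]$state
}

Get-WebServiceAccountPasswordState | Format-List
```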

Responsibility

System Administrator

Installation of compilers on production web servers is prohibited.

Finding ID
WG080 IIS7
Rule ID
SV-32632r4_rule
Severity
Cat II
CCE
(None)
Group Title
WG080
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses. For example, the attacker’s code can be uploaded and compiled on the server under attack. Of particular concern are C compilers.

Fix Text

Remove any compiler found on the production web server, but if the compiler program is needed to patch or upgrade an application suite in a production environment or the compiler is embedded and will break the suite if removed, document the compiler installation with the ISSO/ISSM and ensure that the compiler is restricted to only administrative users.

Check Content

Using Windows Explorer and/or add-remove programs, search the system for the existence of known compilers, such as msc.exe, msvc.exe, Python.exe, javac.exe, Lcc-win32.exe, or equivalent. If a compiler is found on the production server, this is a finding.
NOTE: If the web server is part of an application suite and a compiler is needed for installation, patching, and upgrading of the suite, or if the compiler is embedded and can't be removed without breaking the suite, document the installation of the compiler with the ISSO/ISSM and verify that the compiler is restricted to administrative users only. If documented and restricted to administrative users, this is not a finding.

Responsibility

System Administrator

A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.

Finding ID
WA060 IIS7
Rule ID
SV-32633r3_rule
Severity
Cat II
CCE
(None)
Group Title
WA060
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from publicly based sources, such as the public Internet. Once compromised, a public web server might be used as a base for further attacks on private resources, unless additional layers of protection are implemented. Public web servers must be located in a DoD DMZ Extension, if hosted on the NIPRNet, with carefully controlled access. Failure to isolate resources in this way increases the risk that private assets are exposed to attacks from public sources.

Fix Text

Logically relocate the public web server to be isolated from internal systems. In addition, ensure the public web server does not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) other than application and/or database servers that are a part of the same system as the web server.

Check Content

Interview the SA or web administrator to see where the public web server is logically located in the data center. Review the site’s network diagram to see how the web server is connected to the LAN. Visually check the web server hardware connections to see if it conforms to the site’s network diagram. An improperly located public web server is a potential threat to the entire network. If the web server is not isolated in an accredited DoD DMZ Extension, this is a finding.

Responsibility

System Administrator

A private web server must be located on a separate controlled access subnet.

Finding ID
WA070 IIS7
Rule ID
SV-32634r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA070
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Insider threat may be accidental or intentional, but in either case it can cause a disruption in service of the web server. To protect the private web server from these threats, it must be located on a separately controlled access subnet and must not be a part of the public DMZ that houses the public web servers. It also cannot be located inside the enclave as part of the local general population LAN.

Fix Text

Isolate the private web server from the public DMZ and separate it from the internal general population LAN. This separation must have access control in place to protect the web server from internal threats.

Check Content

Perform a check of the site’s network diagram and a visual check of the web server. The private web server must be located on a separately controlled access subnet and is not a part of the public DMZ that houses the public web servers. In addition, the private web server needs to be isolated via a controlled access mechanism from the local general population LAN. If the web server is not located inside the premise router, switch, or firewall, and is not isolated via a controlled access mechanism from the general population LAN, this is a finding.

Responsibility

System Administrator

The web server must use a vendor-supported version of the web server software.

Finding ID
WG190 IIS7
Rule ID
SV-32635r2_rule
Severity
Cat I
CCE
(None)
Group Title
WG190
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Several vulnerabilities are associated with older versions of web server software. As hot fixes and patches are issued, these solutions are included in the next version of the server software. Maintaining the web server at a current version makes the efforts of a malicious user to exploit the web service more difficult.

Fix Text

Install the current version of the web server software and maintain appropriate service packs and patches.

Check Content

Open IIS Manager. Click Help, select About Internet Information Services. If the version is less than 7.0, this is a finding.

Responsibility

System Administrator

Access to web administration tools must be restricted to the web manager and the web manager’s designees.

Finding ID
WG220 IIS7
Rule ID
SV-46357r3_rule
Severity
Cat II
CCE
(None)
Group Title
WG220
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The key web service administrative and configuration tools must only be accessible by the web server staff. All users granted this authority will be documented and approved by the ISSO. Access to the IIS Manager will be limited to authorized users and administrators.

Fix Text

Restrict access to the web administration tool to only the web manager and the web manager’s designees.

Check Content

1. Open the IIS Manager and select Properties.
2. Select the Shortcut tab, and then left-click Open File Location.
3. Right-click InetMgr.exe, then click Properties from the context menu.
4. Select the Security tab.
5. Review the groups and user names. The following account may have Full control privileges: TrustedInstaller. The following accounts may have read & execute, and read permissions: Administrators (non-elevated), System, Users. Specific users may be granted read & execute and read permissions.
Compare the local documentation authorizing specific users against the specific users observed in step 5. If any other access is observed, this is a finding.

Responsibility

System Administrator

Programs and features not necessary for operations must be removed or disabled.

Finding ID
WG130 IIS7
Rule ID
SV-46363r3_rule
Severity
Cat III
CCE
(None)
Group Title
WG130
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Just as running unneeded services and protocols increases the attack surface at the lower levels of the web server, running unneeded utilities and programs is also an added risk to the application layer of the OSI model. Office suites, development tools, and graphical editors are examples of such programs that are troublesome. Individual productivity tools have no legitimate place or use on an enterprise, production web server and they are also prone to their own security risks.

Fix Text

Remove all unapproved programs and roles from the production web server.

Check Content

Review programs installed on the OS.
1. Open Control Panel.
2. Open Programs and Features.
3. The following programs may be installed without any additional documentation: Administration Pack for IIS 7.0; IIS Search Engine Optimization Toolkit; Microsoft .NET Framework version 3.5 SP1 or greater; Microsoft Web Platform Installer version 3.x or greater; Virtual Machine Additions.
4. Review the installed Windows services; if any programs are installed other than those listed above, this is a finding.
NOTE: If additional software is needed and has supporting documentation signed by the ISSO, this is not a finding.

Responsibility

System Administrator

Administrative users and groups with access privilege to the web server must be documented.

Finding ID
WA120 IIS7
Rule ID
SV-32638r2_rule
Severity
Cat III
CCE
(None)
Group Title
WA120
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

There are typically several individuals and groups that are involved in running a production website. In most cases, several types of users on a web server can be identified, such as SA's, Web Managers, Auditors, Authors, Developers, and the Clients. Nonetheless, only necessary user and administrative accounts will be allowed on the web server. Accounts will be restricted to those who are necessary to maintain web services, review the server’s operation and the OS. Owing to the sensitivity of web servers, a detailed record of these accounts must be maintained.

Fix Text

Document the administrative users and groups which have access rights to the web server in the website SOP or an equivalent document.

Check Content

Determine if the local sites' documentation matches an examination of the privileged IDs on the server. Using User Manager, User Manager for Domains, or Local Users and Groups, examine user accounts to verify the above information. If documentation does not exist for users and groups found on the server, this is a finding.

Responsibility

System Administrator

Web server system files must conform to minimum file permission requirements.

Finding ID
WG300 IIS7
Rule ID
SV-32332r2_rule
Severity
Cat II
CCE
(None)
Group Title
WG300
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

This check verifies that the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web server, and thus its behavior, must also be accessible by the account running the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.

Fix Text

1. Open Explorer and navigate to the inetpub directory.
2. Right-click inetpub and select Properties.
3. Click the Security tab.
4. Set the following permissions:
System: Full control
Administrators: Full control
TrustedInstaller: Full control
Users: Read & execute, list folder contents
Creator/Owner: special permissions to subkeys

Check Content

1. Open Explorer and navigate to the inetpub directory.
2. Right-click inetpub and select Properties.
3. Click the Security tab.
4. Verify the permissions for the following users; if the permissions are less restrictive, this is a finding.
System: Full control
Administrators: Full control
TrustedInstaller: Full control
Users: Read & execute, list folder contents
Creator/Owner: Special permissions to subkeys
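An added example, not part of the STIG, covering this check (WG300, inetpub) and the InetMgr.exe check in WG220 above: the NTFS ACL of each path is compared against the identities and maximum rights listed on this page, and any Allow ACE for an unlisted principal, or granting rights beyond the listed maximum, is reported. Assumptions: the page's "special permissions to subkeys" for Creator/Owner is modelled as inherit-only Full Control on children; InetMgr.exe is at %windir%\System32\inetsrv; documented specific users for InetMgr.exe will show up as unlisted principals for the reviewer to reconcile with the authorization documentation.

```powershell
# Added example (not from the STIG): compare an NTFS ACL against the expected
# identity -> maximum-rights table and report ACEs that are less restrictive.

function ConvertTo-SpecificRights([int]$Rights) {
    # Inherit-only ACEs often carry generic access bits; map them to specific rights
    # so that e.g. GENERIC_ALL is not silently masked away.
    $specific = $Rights -band 0x1FFFFFF
    $fsr = [System.Security.AccessControl.FileSystemRights]
    if ($Rights -band 0x10000000) { $specific = $specific -bor [int]$fsr::FullControl }    # GENERIC_ALL
    if ($Rights -band 0x80000000) { $specific = $specific -bor [int]$fsr::Read }           # GENERIC_READ
    if ($Rights -band 0x40000000) { $specific = $specific -bor [int]$fsr::Write }          # GENERIC_WRITE
    if ($Rights -band 0x20000000) { $specific = $specific -bor [int]$fsr::ReadAndExecute } # GENERIC_EXECUTE
    $specific
}

function Test-ExpectedAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        # identity -> maximum FileSystemRights allowed; identities not listed are findings
        [Parameter(Mandatory)][hashtable]$Expected
    )
    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs only tighten access
        $who = $ace.IdentityReference.Value
        if (-not $Expected.ContainsKey($who)) {
            $findings += "$who is not an authorized principal on $Path"
            continue
        }
        $allowed = [int][System.Security.AccessControl.FileSystemRights]$Expected[$who]
        $granted = ConvertTo-SpecificRights ([int]$ace.FileSystemRights)
        $extra = $granted -band (-bnot $allowed)
        if ($extra -ne 0) {
            $extraNames = [System.Security.AccessControl.FileSystemRights]$extra
            $findings += "$who has rights beyond the allowed set on ${Path}: $extraNames"
        }
    }
    ,$findings
}

# Expected table for inetpub (this check). ReadAndExecute already includes ListDirectory.
$inetpubExpected = @{
    'NT AUTHORITY\SYSTEM'         = 'FullControl'
    'BUILTIN\Administrators'      = 'FullControl'
    'NT SERVICE\TrustedInstaller' = 'FullControl'
    'BUILTIN\Users'               = 'ReadAndExecute, ListDirectory'
    'CREATOR OWNER'               = 'FullControl'   # assumption: "special permissions to subkeys" = inherit-only full control
}
# Expected table for InetMgr.exe (WG220). ReadAndExecute includes Read.
$inetMgrExpected = @{
    'NT SERVICE\TrustedInstaller' = 'FullControl'
    'BUILTIN\Administrators'      = 'ReadAndExecute'
    'NT AUTHORITY\SYSTEM'         = 'ReadAndExecute'
    'BUILTIN\Users'               = 'ReadAndExecute'
}

$checks = @(
    @{ Path = (Join-Path $env:SystemDrive 'inetpub');                        Expected = $inetpubExpected }
    @{ Path = (Join-Path $env:windir 'System32\inetsrv\InetMgr.exe');        Expected = $inetMgrExpected }
)
foreach ($check in $checks) {
    $result = Test-ExpectedAcl @check
    if ($result.Count -eq 0) { Write-Output "$($check.Path): ACL within the expected bounds" }
    else { $result | ForEach-Object { Write-Output "FINDING: $_" } }
}
```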

Responsibility

System Administrator

A public web server must limit e-mail to outbound only.

Finding ID
WG330 IIS7
Rule ID
SV-32639r2_rule
Severity
Cat II
CCE
(None)
Group Title
WG330
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Incoming e-mails have been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attack. Additionally, e-mail is a specialized application requiring the dedication of server resources. A production web server should only provide hosting services for websites. Supporting mail services on a web server opens the server to the risk of abuse as an e-mail relay.

Fix Text

1. Disable the SMTP service.
2. If other e-mail programs are running, remove the programs.

Check Content

1. Open the Task Bar and select Task Manager.
2. Click the Services tab and look for SMTP service. If the service is running, then this is a finding.
3. Open Add/Remove Programs to see if there are any e-mail programs installed. Search the system to determine if other e-mail programs are running. If there is an e-mail program installed and that program has been configured to accept inbound e-mail, this is a finding.
4. If available, telnet to the server under review on port 25. If a response is received, then this is a finding.

Responsibility

System Administrator

Java software installed on the production web server must be limited to .class files and the Java Virtual Machine.

Finding ID
WG490 IIS7
Rule ID
SV-32640r2_rule
Severity
Cat III
CCE
(None)
Group Title
WG490
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Source code for a Java program is, many times, stored in files with either .java or .jpp file extensions. From the .java and .jpp files the Java compiler produces a binary file with an extension of .class. The .java or .jpp file could reveal sensitive information regarding an application's logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.

Fix Text

Remove all files from the web server with either .java or .jpp extensions.

Check Content

Search the system for files with either .java or .jpp extensions. If files with .java or .jpp extensions are found, then this is a finding.

Responsibility

Web Administrator

Monitoring software must include CGI type files or equivalent programs in the set of files which it checks.

Finding ID
WG440 IIS7
Rule ID
SV-32641r2_rule
Severity
Cat II
CCE
(None)
Group Title
WG440
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

By their very nature, CGI type files permit the anonymous web user to interact with data and perhaps store data on the web server. In many cases, CGI scripts exercise system-level control over the server’s resources. These files make appealing targets for the malicious user. If these files can be modified or exploited, the web server can be compromised. CGI or equivalent files must be monitored by a security tool alerting the web administrator of any unauthorized changes.

Fix Text

Configure the monitoring tool to include CGI type files or equivalent programs directory.

Check Content

Request to see the template file or configuration file of the software being used to accomplish this security task. The monitoring program should provide constant monitoring for these files, and instantly alert the web administrator of any unauthorized changes. Example CGI file extensions include, but are not limited to, .cgi, .asp, .aspx, .class, .vb, .php, .pl, and .c. If the monitoring product configuration does not have a process in place to monitor changes to CGI program files, this is a finding.

Responsibility

System Administrator

Anonymous access accounts must be restricted.

Finding ID
WG195 IIS7
Rule ID
SV-32381r2_rule
Severity
Cat I
CCE
(None)
Group Title
WG195
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather users are assigned incorrect permissions to unauthorized data. The files, directories, and data that are stored on the web server need to be evaluated and a determination made concerning authorized access to information and programs on the server. In most cases, we can identify several types of users on a web server. These are system SAs, web administrators, auditors, authors, developers, and clients (web users, either anonymous or authenticated). Only authorized users and administrative accounts will be allowed on the host server in order to maintain the web server, and applications, and to review the server operations.

Fix Text

Remove the Anonymous access account from all privileged accounts and all privileged groups.

Check Content

Check the account used for anonymous access to the web site.
1. Open the IIS Manager.
2. Click the site being reviewed.
3. Double-click Authentication in the IIS section of the web site’s Home Pane. If Anonymous access is disabled, this check may end here, and is considered not a finding.
4. If enabled, left-click Anonymous Authentication, and then left-click Edit in the Actions pane.
5. If the Specific user radio button is enabled and an ID is specified in the adjacent control box, this is the ID being used for anonymous access.
Check privileged groups that may allow the anonymous account inappropriate membership.
1. Left-click Start and then double-click Server Manager.
2. Expand Configuration; expand Local Users and Groups; and then left-click Groups.
3. Review group members. Privileged Groups: Administrators; Backup Operators; Certificate Services (of any designation); Distributed COM Users; Event Log Readers; Network Configuration Operators; Performance Log Users; Performance Monitor Users; Power Users; Print Operators; Remote Desktop Users; Replicator; Users.
4. Double-click each group and review its members. If the IUSR account or any account used for anonymous access is a member of any group with privileged access, this is a finding.
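An added example, not part of the STIG, that automates both halves of this check: it reads the anonymous-authentication identity configured for every site, then tests whether IUSR or any of those identities is a member of the privileged local groups listed above. Assumes the WebAdministration module (shipped with IIS 7.5; available for IIS 7.0 as the IIS PowerShell snap-in), PowerShell 3.0 or later and an elevated session; "Certificate Services (of any designation)" is matched by group-name prefix.

```powershell
# Added example (not from the STIG): find IIS anonymous identities and check them
# against privileged local group membership.
Import-Module WebAdministration -ErrorAction Stop

$privilegedGroups = @(
    'Administrators', 'Backup Operators', 'Distributed COM Users', 'Event Log Readers',
    'Network Configuration Operators', 'Performance Log Users', 'Performance Monitor Users',
    'Power Users', 'Print Operators', 'Remote Desktop Users', 'Replicator'
)

function Get-AttrValue($v) {
    # Get-WebConfigurationProperty returns a ConfigurationAttribute for booleans but a
    # bare string for string attributes; normalise both to a plain value.
    if ($null -ne $v -and $null -ne $v.Value) { $v.Value } else { $v }
}

function Get-AnonymousIdentities {
    # One object per site: whether anonymous auth is enabled and the configured account.
    # An empty userName means IIS uses the application pool identity instead of IUSR.
    $filter = 'system.webServer/security/authentication/anonymousAuthentication'
    foreach ($site in Get-ChildItem IIS:\Sites) {
        $psPath  = "IIS:\Sites\$($site.Name)"
        $enabled = Get-AttrValue (Get-WebConfigurationProperty -Filter $filter -Name enabled  -PSPath $psPath)
        $user    = Get-AttrValue (Get-WebConfigurationProperty -Filter $filter -Name userName -PSPath $psPath)
        [pscustomobject]@{ Site = $site.Name; AnonymousEnabled = [bool]$enabled; UserName = [string]$user }
    }
}

function Get-LocalGroupMemberNames([string]$GroupName) {
    # Members come back as "WinNT://DOMAIN/Name"; reshape to DOMAIN\Name.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $group.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-AnonymousAccountPrivilege {
    $findings = @()
    # Add any local "Certificate Services ..." group present on this host.
    $certGroups = Get-WmiObject Win32_Group -Filter "LocalAccount=TRUE AND Name LIKE 'Certificate%'" |
                  ForEach-Object { $_.Name }
    $groups = @($privilegedGroups) + @($certGroups)

    # IUSR is always in scope per the Check Content, plus every specific anonymous user.
    $anonUsers = Get-AnonymousIdentities | Where-Object { $_.AnonymousEnabled -and $_.UserName } |
                 ForEach-Object { $_.UserName }
    $accounts = @('IUSR') + @($anonUsers) | Select-Object -Unique

    foreach ($g in $groups) {
        try { $members = @(Get-LocalGroupMemberNames $g) } catch { continue }   # group not present
        foreach ($a in $accounts) {
            $short = ($a -split '\\')[-1]
            if ($members | Where-Object { ($_ -split '\\')[-1] -eq $short }) {
                $findings += "$a is a member of privileged group '$g'"
            }
        }
    }
    ,$findings
}

Get-AnonymousIdentities | Format-Table -AutoSize
$result = Test-AnonymousAccountPrivilege
if ($result.Count -eq 0) { Write-Output 'No anonymous identity holds privileged group membership.' }
else { $result | ForEach-Object { Write-Output "FINDING: $_" } }
```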

Responsibility

System Administrator

A web server must not be co-hosted with other services.

Finding ID
WG204 IIS7
Rule ID
SV-32643r3_rule
Severity
Cat II
CCE
(None)
Group Title
WG204
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A detailed installation and configuration plan should be developed and followed to provide standardization during the installation process. The installation and configuration plan should not support the co-hosting of multiple services, such as Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server that is providing the web publishing service. In the case of File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Network News Transport Protocol (NNTP), a well-defined need for these services should be documented by the IAO prior to their installation on the same platform as a web server. Primary and secondary Domain Controllers, in the Windows environment, will not share a common platform with a web server World Wide Web (WWW) service. Disallowed or restricted services in the context of this vulnerability applies to services that are not directly associated with the delivery of web content. An operating system supporting a web server will not provide other services (e.g., domain controller, email server, database server, etc.). Only those services necessary to support the web server and its hosted sites are specifically allowed and may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements. Any unnecessary services or protocols that are not necessary should be removed.
A web server may incorporate any number of allowed web services that may be necessary to successfully deliver its mission objectives and as long as those web services are properly configured, secured, and they are not specifically prohibited, then their usage is not prohibited but will be governed by the Enclave, the Application Security and Development, or the Web Services STIG (when developed). These services should be delivered from the application server. A separate platform in the context of this vulnerability refers to physical, logical, or virtual separation of web server and operating system services; however, the separation associated with application, database, or other servers is governed by the DoD Internet-NIPRNet DMZ STIG.

Fix Text

Remove any services or applications that are not required.

Check Content

Request a copy of and review the web server's installation and configuration plan for required services. Ensure the server only has the required services installed as documented in the installation and configuration plan. If the server has any additional services, this is a finding.

Responsibility

System Administrator

The use of Internet Printing Protocol (IPP) must be disabled on the IIS web server.

Finding ID
WA000-WI080 IIS7
Rule ID
SV-32222r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI080
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The use of Internet Printing Protocol (IPP) on an IIS web server allows clients access to shared printers. This privileged access could allow remote code execution by increasing the web server's attack surface. Additionally, since IPP does not support SSL, it is considered a risk and will not be deployed.

Fix Text

1. Click Start, then click Administrative Tools, and then click Server Manager. 2. Expand the Roles node, then right-click Print Services, and then select Remove Role Services. 3. If the Internet Printing option is checked, clear the check box, click Next, and then click Remove to complete the wizard.

Check Content

If the Print Services role and the Internet Printing role service are not installed, this check is N/A. Navigate to the following directory: %windir%\web\printers. If this folder exists, this is a finding. Determine whether Internet Printing is enabled: 1. Click Start, then click Administrative Tools, and then click Server Manager. 2. Expand the Roles node, then right-click Print Services, and then select Remove Role Services. 3. If the Internet Printing option is enabled, this is a finding.

Responsibility

System Administrator
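The two checks above (required services only, and no Internet Printing) can be audited from one script. The following PowerShell is an added example for this page, not DISA's or Microsoft's code: it lists installed roles and features, flags anything not in a documented allow list, flags roles the discussion prohibits on a web server platform, and then applies the WA000-WI080 checks (the %windir%\web\printers folder and the Print-Internet role service). The allow list in $DocumentedFeatures is a hypothetical placeholder for the site's installation and configuration plan. It assumes Windows Server 2008 R2, where the ServerManager module is available; on Windows Server 2008 the equivalent inventory comes from "ServerManagerCmd.exe -query".

```powershell
# Added example (not part of the STIG): audit installed roles against the
# documented installation plan and apply the WA000-WI080 IPP checks.
# Assumes Windows Server 2008 R2 and an elevated PowerShell session.
Import-Module ServerManager

# Hypothetical allow list: feature names the installation and configuration
# plan documents as required. Replace with the names from the local plan.
$DocumentedFeatures = @(
    'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Static-Content',
    'Web-Default-Doc', 'Web-Http-Errors', 'Web-Health', 'Web-Http-Logging',
    'Web-Request-Monitor', 'Web-Security', 'Web-Filtering',
    'Web-Mgmt-Tools', 'Web-Mgmt-Console'
)

# Roles the discussion says must never share a platform with the web server
# (domain controller, DNS, e-mail) plus the print roles behind IPP.
$ProhibitedFeatures = @('AD-Domain-Services', 'DNS', 'SMTP-Server',
                        'Print-Server', 'Print-Internet')

function Get-RoleFindings {
    $findings = @()
    $installed = Get-WindowsFeature | Where-Object { $_.Installed }

    foreach ($feature in $installed) {
        if ($ProhibitedFeatures -contains $feature.Name) {
            $findings += "Prohibited role installed: $($feature.Name) ($($feature.DisplayName))"
        } elseif ($DocumentedFeatures -notcontains $feature.Name) {
            $findings += "Installed but not in the installation plan: $($feature.Name) ($($feature.DisplayName))"
        }
    }

    # WA000-WI080: the IPP content directory must not exist. The Print-Internet
    # role service itself is already caught by the prohibited list above.
    $printersDir = Join-Path $env:windir 'web\printers'
    if (Test-Path $printersDir) {
        $findings += "IPP content directory exists: $printersDir"
    }
    return $findings
}

# @() keeps .Count meaningful when the function returns nothing or one item.
$findings = @(Get-RoleFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No findings: installed roles match the installation plan and IPP is not present.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    # Remediation for the Internet Printing finding, once the output is reviewed:
    # Remove-WindowsFeature Print-Internet
}
```

Every feature that is installed but absent from the allow list is reported, including sub-features such as management tools, which is intended: the check content requires that everything installed be documented in the plan, so the plan, not the script, is what should be adjusted when a reported item is genuinely needed.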

Classified web servers will be afforded physical security commensurate with the classification of their content.

Finding ID
WA155
Rule ID
SV-14165r3_rule
Severity
Cat I
CCE
(None)
Group Title
WA155
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

When data of a classified nature is migrated to a web server, fundamental principles applicable to the safeguarding of classified material must be followed. A classified web server needs to be afforded physical security commensurate with the classification of its content to ensure the protection of the data it houses.

Fix Text

Relocate the web server to a location appropriate to classified devices.

Check Content

Interview the ISSO, the SA, the web administrator, or developers as necessary to determine if a classified web server is afforded physical security commensurate with the classification of its content (i.e., is located in a vault or a room approved for classified storage at the highest classification processed on that system). Ask what the classification of the web server is. Based on the classification, evaluate the location of the web server to determine if it is approved for storage of that classification level. If there is a traditional reviewer available, work with him/her to address specific conditions or questions. If the web server is not appropriately physically protected based on its classification, this is a finding.

Responsibility

System Administrator

Only administrators are allowed access to the directory tree, the shell, or other operating system functions and utilities.

Finding ID
WG200 W13
Rule ID
SV-2247r4_rule
Severity
Cat I
CCE
(None)
Group Title
WG200
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. This is in addition to the anonymous web user account. The resources to which these accounts have access must also be closely monitored and controlled. Only the SA needs access to all the system’s capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files. The anonymous web user account must not have access to system resources as that account could then control the server.

Fix Text

Ensure non-administrators are not allowed access to the directory tree, the shell, or other operating system functions and utilities.

Check Content

Obtain a list of the user accounts for the system, noting the privileges for each account. Verify with the system administrator or the ISSO that all privileged accounts are mission essential and documented. Verify with the system administrator or the ISSO that all non-administrator access to shell scripts and operating system functions is mission essential and documented. If undocumented privileged accounts are found, this is a finding. If undocumented access to shell scripts or operating system functions is found, this is a finding.

Responsibility

System Administrator

Directory Browsing must be disabled on the production web server.

Finding ID
WA000-WI091
Rule ID
SV-32645r2_rule
Severity
Cat III
CCE
(None)
Group Title
WA000-WI091
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in IIS, users could receive a web page listing the contents of the directory. If directory browsing is enabled the risk of inadvertently disclosing sensitive content is increased.

Fix Text

1. Open the IIS Manager. 2. Click the Server. 3. Double-click the Directory Browsing icon. 4. Under the Actions Pane click Disabled.

Check Content

1. Open the IIS Manager. 2. Click the Server. 3. Double-click the Directory Browsing icon. 4. Under the Actions Pane verify Directory Browsing is disabled. If not, this is a finding.

Unspecified file extensions must not be allowed to execute on the production web server.

Finding ID
WA000-WI6100
Rule ID
SV-32650r2_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6100
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

By allowing unspecified file extensions to execute, the web server's attack surface is significantly increased. This increased risk can be reduced by only allowing specific ISAPI extensions or CGI extensions to run on the web server.

Fix Text

1. Open the IIS Manager. 2. Click the Server. 3. Double-click the ISAPI and CGI restrictions icon. 4. Click Edit Feature Settings and uncheck the CGI and ISAPI Modules check boxes.

Check Content

1. Open the IIS Manager. 2. Click the Server. 3. Double-click the ISAPI and CGI restrictions icon. 4. Click Edit Feature Settings and verify the CGI and ISAPI Modules are NOT checked. If they are checked, this is a finding.

Responsibility

Web Administrator

A global authorization rule to restrict access must exist on the web server.

Finding ID
WA000-WI6120
Rule ID
SV-32657r2_rule
Severity
Cat III
CCE
(None)
Group Title
WA000-WI6120
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Authorization rules can be configured at the server, web site, folder (including Virtual Directories), or file level. It is recommended that URL Authorization be configured to only grant access to the necessary security principals. Configuring a global Authorization rule that restricts access ensures inheritance of the settings down through the hierarchy of web directories. This will ensure access to current and future content is only granted to the appropriate principals, mitigating risk of unauthorized access.

Fix Text

1. Open the IIS Manager. 2. Click the Server. 3. Double-click the Authorization Rules icon. 4. Remove all users other than Administrator.

Check Content

1. Open the IIS Manager. 2. Click the Server. 3. Double-click the Authorization Rules icon. 4. If any user other than Administrator is listed, this is a finding.

Responsibility

Web Administrator
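The three IIS Manager checks above (Directory Browsing for WA000-WI091, ISAPI and CGI Restrictions for WA000-WI6100, and Authorization Rules for WA000-WI6120) all read server-level settings in applicationHost.config, so they can be audited together from the command line. The PowerShell below is an added example for this page, not DISA's or Microsoft's code. It drives appcmd.exe, which ships with IIS 7.0, to dump each configuration section and evaluates the same attributes the IIS Manager check boxes toggle: directoryBrowse/@enabled, isapiCgiRestriction/@notListedIsapisAllowed and @notListedCgisAllowed, and the accessType="Allow" rules under authorization. The $AllowedPrincipals list is an assumption standing in for "Administrator" in the check content; adjust it to the principal the site documents.

```powershell
# Added example (not part of the STIG): audit WA000-WI091, WA000-WI6100 and
# WA000-WI6120 at the server level with appcmd.exe. Run elevated on the server.
$AppCmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# Assumption: the only principals a global Allow rule may name.
$AllowedPrincipals = @('Administrator', 'Administrators')

function Get-IisSection {
    param([string]$Section)
    # "appcmd list config /section:<name>" prints the effective server-level
    # configuration (applicationHost.config) as an XML fragment.
    $text = & $AppCmd list config "/section:$Section" | Out-String
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed for section $Section" }
    return [xml]$text
}

function Get-AttributeOrDefault {
    param([System.Xml.XmlElement]$Node, [string]$Name, [string]$Default)
    # appcmd normally prints every attribute, but fall back to the IIS default
    # so a missing attribute is never misread as a pass or a finding.
    if ($Node -and $Node.HasAttribute($Name)) { return $Node.GetAttribute($Name) }
    return $Default
}

function Test-DirectoryBrowsing {
    $node = (Get-IisSection 'system.webServer/directoryBrowse').SelectSingleNode('//directoryBrowse')
    if ((Get-AttributeOrDefault $node 'enabled' 'false') -eq 'true') {
        return 'WA000-WI091: Directory Browsing is enabled at the server level'
    }
}

function Test-IsapiCgiRestriction {
    $node = (Get-IisSection 'system.webServer/security/isapiCgiRestriction').SelectSingleNode('//isapiCgiRestriction')
    $findings = @()
    # These two attributes are the "Allow unspecified ISAPI/CGI modules" check boxes.
    if ((Get-AttributeOrDefault $node 'notListedIsapisAllowed' 'false') -eq 'true') {
        $findings += 'WA000-WI6100: unspecified ISAPI modules are allowed to run'
    }
    if ((Get-AttributeOrDefault $node 'notListedCgisAllowed' 'false') -eq 'true') {
        $findings += 'WA000-WI6100: unspecified CGI modules are allowed to run'
    }
    return $findings
}

function Test-AuthorizationRules {
    $xml = Get-IisSection 'system.webServer/security/authorization'
    $findings = @()
    # Each <add> is one rule. Only Allow rules widen access, so only those are
    # compared against the allow list; the IIS default rule is users="*".
    foreach ($rule in $xml.SelectNodes('//authorization/add')) {
        if ((Get-AttributeOrDefault $rule 'accessType' 'Allow') -ne 'Allow') { continue }
        $principals = @()
        foreach ($attr in 'users', 'roles') {
            $value = Get-AttributeOrDefault $rule $attr ''
            if ($value) { $principals += ($value.Split(',') | ForEach-Object { $_.Trim() }) }
        }
        foreach ($p in $principals) {
            if ($AllowedPrincipals -notcontains $p) {
                $findings += "WA000-WI6120: global Allow rule grants access to '$p'"
            }
        }
    }
    return $findings
}

$findings = @(Test-DirectoryBrowsing) + @(Test-IsapiCgiRestriction) + @(Test-AuthorizationRules)
if ($findings.Count -eq 0) {
    Write-Output 'No findings for WA000-WI091, WA000-WI6100, WA000-WI6120.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The two module settings can be corrected with appcmd as well, which is useful when the fix text's GUI steps have to be repeated across many servers: "appcmd set config /section:directoryBrowse /enabled:false" and "appcmd set config /section:isapiCgiRestriction /notListedIsapisAllowed:false /notListedCgisAllowed:false". Authorization rules are best edited deliberately rather than scripted, because removing the default users="*" Allow rule without adding the correct principal locks every site out.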