Application Server Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The application server must perform RFC 5280-compliant certification path validation.

    A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to mak...
    Rule Medium Severity
  • Only authenticated system administrators or the designated PKI Sponsor for the application server must have access to the web server's private key.

    The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiati...
    Rule Medium Severity
  • The application server must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

    To prevent the compromise of authentication information during the authentication process, the application server authentication screens must obfuscate input so an unauthorized user cannot view a p...
    Rule Medium Severity
  • The application server must provide a log reduction capability that supports on-demand reporting requirements.

    The ability to generate on-demand reports, including after the log data has been subjected to log reduction, greatly facilitates the organization's ability to generate incident reports as needed to...
    Rule Medium Severity
  • The application server must separate hosted application functionality from application server management functionality.

    The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged use...
    Rule Medium Severity
  • The application server must be configured to mutually authenticate connecting proxies, application servers or gateways.

    Application architecture may sometimes require a configuration where an application server is placed behind a web proxy, an application gateway or communicates directly with another application ser...
    Rule Medium Severity
  • The application server must generate a unique session identifier using a FIPS 140-2 approved random number generator.

    The application server will use session IDs to communicate between modules or applications within the application server and between the application server and users. The session ID allows the app...
    Rule High Severity
  • The application server must protect the confidentiality and integrity of all information at rest.

    When data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and da...
    Rule Medium Severity
  • The application server must check the validity of all data inputs to the management interface, except those specifically identified by the organization.

    Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated applicat...
    Rule Medium Severity
  • The application server must identify potentially security-relevant error conditions.

    The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administra...
    Rule Medium Severity
  • The application server must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.

    Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and c...
    Rule Medium Severity
  • The application server must automatically terminate a user session after organization-defined conditions or trigger events requiring a session disconnect.

    An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application se...
    Rule Medium Severity
  • The application server management interface must provide a logout capability for user-initiated communication session.

    If a user cannot explicitly end an application server management interface session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. The attack...
    Rule Medium Severity
  • The application server must associate organization-defined types of security attributes having organization-defined security attribute values with information in process.

    The application server provides a framework for applications to communicate between each other to form an overall well-designed application to perform a task. As the information traverses the appl...
    Rule Medium Severity
  • The application server must control remote access methods.

    Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requiremen...
    Rule Medium Severity
  • The application server must off-load log records onto a different system or media from the system being logged.

    Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to...
    Rule Medium Severity
  • The application server must record time stamps for log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

    If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Tim...
    Rule Medium Severity
  • The application server must enforce access restrictions associated with changes to application server configuration.

    When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software, and/or application server configuration can potentially have significant eff...
    Rule Medium Severity
  • The application server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

    Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capability to change security roles or escalate the fu...
    Rule Medium Severity
  • The application server must accept Personal Identity Verification (PIV) credentials to access the management interface.

    The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. PIV credentials are only used in an unclassified environment. DoD has mandated the use of the C...
    Rule High Severity