Web Server Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The web server must perform server-side session management.
Session management is the practice of protecting the bulk of the user authorization and identity information. Storing of this data can occur on the client system or on the server. When the sessio...Rule Medium Severity -
The web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionali...Rule Medium Severity -
The web server must produce log records containing sufficient information to establish what type of events occurred.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. For web servers, events...Rule Medium Severity -
The web server must produce log records containing sufficient information to establish where within the web server the events occurred.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...Rule Medium Severity -
The web server must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the succes...Rule Medium Severity -
The web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user account...Rule Medium Severity -
Web server log files must only be accessible by privileged users.
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activ...Rule Medium Severity -
The log information from the web server must be protected from unauthorized deletion.
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risk...Rule Medium Severity -
The web server must not be a proxy server.
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy r...Rule Medium Severity -
The web server must provide install options to exclude the installation of documentation, sample code, example applications, and tutorials.
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production w...Rule Medium Severity -
The web server must provide install options to exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.
Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer...Rule Medium Severity -
The web server must allow the mappings to unused and vulnerable scripts to be removed.
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operat...Rule Medium Severity -
The web server must have Web Distributed Authoring (WebDAV) disabled.
A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to ...Rule Medium Severity -
The web server must be configured to use a specified IP address and port.
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addres...Rule Medium Severity -
The web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and D...Rule Medium Severity -
A web server utilizing mobile code must meet DoD-defined mobile code requirements.
Mobile code in hosted applications allows the developer to add functionality and displays to hosted applications that are fluid, as opposed to a static web page. The data presentation becomes more ...Rule Medium Severity -
The web server must accept only system-generated session identifiers.
Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. In order to maintain a connection or session, a web server will generate a sessi...Rule Medium Severity -
The web server must generate unique session identifiers that cannot be reliably reproduced.
Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. In order to maintain a connection or session, a web server will generate a sessi...Rule Medium Severity -
The web server must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly availa...Rule Medium Severity -
The web server must limit the character set used for data entry.
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unantici...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.