Web Server Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The web server must provide install options to exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.
Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer...Rule Medium Severity -
The web server must allow the mappings to unused and vulnerable scripts to be removed.
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operat...Rule Medium Severity -
The web server must have Web Distributed Authoring (WebDAV) disabled.
A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to ...Rule Medium Severity -
The web server must be configured to use a specified IP address and port.
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addres...Rule Medium Severity -
The web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and D...Rule Medium Severity -
A web server utilizing mobile code must meet DoD-defined mobile code requirements.
Mobile code in hosted applications allows the developer to add functionality and displays to hosted applications that are fluid, as opposed to a static web page. The data presentation becomes more ...Rule Medium Severity -
The web server must accept only system-generated session identifiers.
Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. In order to maintain a connection or session, a web server will generate a sessi...Rule Medium Severity -
The web server must generate unique session identifiers that cannot be reliably reproduced.
Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. In order to maintain a connection or session, a web server will generate a sessi...Rule Medium Severity -
The web server must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly availa...Rule Medium Severity -
The web server must limit the character set used for data entry.
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unantici...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.