Web Server Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000016
Group -
The web server must generate information to be used by external applications or entities to monitor and control remote access.
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform manag...Rule Medium Severity -
SRG-APP-000033
Group -
The web server must enforce approved authorizations for logical access to hosted applications and resources in accordance with applicable access control policies.
To control access to sensitive information and hosted applications by entities that have been issued certificates by DoD-approved PKIs, the web server must be properly configured to incorporate a m...Rule Medium Severity -
SRG-APP-000092
Group -
The web server must initiate session logging upon start up.
An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missed and not available durin...Rule Medium Severity -
SRG-APP-000095
Group -
SRG-APP-000096
Group -
The web server must produce log records containing sufficient information to establish when (date and time) events occurred.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...Rule Medium Severity -
SRG-APP-000097
Group -
The web server must only contain services and functions necessary for operation.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...Rule Medium Severity -
SRG-APP-000141
Group -
SRG-APP-000098
Group -
The web server must produce log records containing sufficient information to establish the source of events.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...Rule Medium Severity -
SRG-APP-000098
Group -
A web server, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...Rule Medium Severity -
SRG-APP-000099
Group -
SRG-APP-000100
Group -
SRG-APP-000108
Group -
The web server must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.
Reviewing log data allows an investigator to recreate the path of an attacker and to capture forensic data for later use. Log data is also essential to system administrators in their daily administ...Rule Medium Severity -
SRG-APP-000116
Group -
The web server must use the internal system clock to generate time stamps for log records.
Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct tim...Rule Medium Severity -
SRG-APP-000118
Group -
SRG-APP-000119
Group -
The log information from the web server must be protected from unauthorized modification.
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risk...Rule Medium Severity -
SRG-APP-000120
Group -
SRG-APP-000125
Group -
The log data and records from the web server must be backed up onto a different system or media.
Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate media than the system the web server is actuall...Rule Medium Severity -
SRG-APP-000131
Group -
All web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and nonrepudiation of the in...Rule Medium Severity -
SRG-APP-000131
Group -
Expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.
In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development website. The process of developing on ...Rule Medium Severity -
SRG-APP-000141
Group -
The web server must not perform user management for hosted applications.
User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tas...Rule Medium Severity -
SRG-APP-000141
Group -
SRG-APP-000141
Group -
SRG-APP-000141
Group -
Web server accounts not utilized by installed features (i.e., tools, utilities, specific services, etc.) must not be created and must be deleted when the web server feature is uninstalled.
When accounts used for web server features such as documentation, sample code, example applications, tutorials, utilities, and services are created even though the feature is not installed, they be...Rule Medium Severity -
SRG-APP-000141
Group -
SRG-APP-000141
Group -
The web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the h...Rule Medium Severity -
SRG-APP-000141
Group -
SRG-APP-000141
Group -
The web server must have resource mappings set to disable the serving of certain file types.
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be...Rule Medium Severity -
SRG-APP-000141
Group -
SRG-APP-000141
Group -
The web server must protect system resources and privileged operations from hosted applications.
A web server may host one too many applications. Each application will need certain system resources and privileged operations to operate correctly. The web server must be configured to contain a...Rule Medium Severity -
SRG-APP-000141
Group -
Users and scripts running on behalf of users must be contained to the document root or home directory tree of the web server.
A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web applic...Rule Medium Severity -
SRG-APP-000142
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.