Web Server Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.
The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an i...Rule Medium Severity -
The web server must set an inactive timeout for sessions.
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By cl...Rule Medium Severity -
The web server must restrict inbound connections from nonsecure zones.
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform manag...Rule Medium Severity -
Non-privileged accounts on the hosting system must only access web server security-relevant information and functions through a distinct administrative account.
By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged accou...Rule Medium Severity -
The web server must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
In order to make certain that the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism needs to be able to allocate log record ...Rule Medium Severity -
The web server must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the lo...Rule Medium Severity -
The web server application, libraries, and configuration files must only be accessible to privileged users.
A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the pote...Rule Medium Severity -
The web server must only accept client certificates (user and machine) issued by DOD PKI or DOD-approved PKI Certificate Authorities (CAs).
Non-DOD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DOD systems to rely on the identity assert...Rule Medium Severity -
The web server must be tuned to handle the operational requirements of the hosted application.
A Denial of Service (DoS) can occur when the web server is so overwhelmed that it can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a Do...Rule Medium Severity -
Web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed.
A cookie is used when a web server needs to share data with the client's browser. The data is often used to remember the client when the client returns to the hosted application at a later date. A ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.