Web Server Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000315

    Group
  • Remote access to the web server must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.

    Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform manag...
    Rule Medium Severity
  • SRG-APP-000315

    Group
  • SRG-APP-000316

    Group
  • The web server must provide the capability to immediately disconnect or disable remote access to the hosted applications.

    During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to stop the attack. The web server must provide a ...
    Rule Medium Severity
  • SRG-APP-000340

    Group
  • SRG-APP-000357

    Group
  • The web server must record time stamps for log records to a minimum granularity of one second.

    Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and mus...
    Rule Medium Severity
  • SRG-APP-000380

    Group
  • SRG-APP-000358

    Group
  • The web server must not impede the ability to write specified log record content to an audit log server.

    Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency i...
    Rule Medium Severity
  • SRG-APP-000358

    Group
  • The web server must be configurable to integrate with an organization's security infrastructure.

    A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purpose...
    Rule Medium Severity
  • SRG-APP-000359

    Group
  • SRG-APP-000374

    Group
  • The web server must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

    If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by th...
    Rule Medium Severity
  • SRG-APP-000375

    Group
  • SRG-APP-000383

    Group
  • The web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services.

    Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. T...
    Rule Medium Severity
  • SRG-APP-000427

    Group
  • SRG-APP-000429

    Group
  • The web server must encrypt user identifiers and passwords.

    When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and d...
    Rule High Severity
  • SRG-APP-000435

    Group
  • The web server must be protected from being stopped by a non-privileged user.

    An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. To prohibit an...
    Rule Medium Severity
  • SRG-APP-000435

    Group
  • SRG-APP-000439

    Group
  • The web server must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.

    Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmissio...
    Rule High Severity
  • SRG-APP-000439

    Group
  • Web server session IDs must be sent to the client using SSL/TLS.

    The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the sessi...
    Rule Medium Severity
  • SRG-APP-000439

    Group
  • SRG-APP-000439

    Group
  • Cookies exchanged between the web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data.

    A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers coul...
    Rule Medium Severity
  • SRG-APP-000439

    Group
  • The web server must disable accounts when the accounts are no longer associated to a user.

    Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system.
    Rule Medium Severity
  • SRG-APP-000745

    Group
  • SRG-APP-000439

    Group
  • A web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.

    Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server...
    Rule Medium Severity
  • SRG-APP-000439

    Group
  • The web server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.

    During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with...
    Rule Medium Severity
  • SRG-APP-000441

    Group
  • SRG-APP-000442

    Group
  • The web server must maintain the confidentiality and integrity of information during reception.

    Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/un...
    Rule Medium Severity
  • SRG-APP-000456

    Group
  • SRG-APP-000516

    Group
  • All accounts installed with the web server software and tools must have passwords assigned and default passwords changed.

    During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, whic...
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • The web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

    Configuring the web server to implement organization-wide security implementation guides and security checklists guarantees compliance with federal standards and establishes a common security basel...
    Rule Medium Severity
  • SRG-APP-000416

    Group
  • The web server must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.

    Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to ...
    Rule Medium Severity
  • SRG-APP-000700

    Group