Web Server Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The web server must perform server-side session management.
Session management is the practice of protecting the bulk of the user authorization and identity information. Storing of this data can occur on the client system or on the server. When the sessio...Rule Medium Severity -
The web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionali...Rule Medium Severity -
The web server must produce log records containing sufficient information to establish what type of events occurred.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. For web servers, events...Rule Medium Severity -
The web server must produce log records containing sufficient information to establish where within the web server the events occurred.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...Rule Medium Severity -
The web server must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the succes...Rule Medium Severity -
The web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user account...Rule Medium Severity -
Web server log files must only be accessible by privileged users.
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activ...Rule Medium Severity -
The log information from the web server must be protected from unauthorized deletion.
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risk...Rule Medium Severity -
The web server must not be a proxy server.
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy r...Rule Medium Severity -
The web server must provide install options to exclude the installation of documentation, sample code, example applications, and tutorials.
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production w...Rule Medium Severity -
The web server must provide install options to exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.
Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer...Rule Medium Severity -
The web server must allow the mappings to unused and vulnerable scripts to be removed.
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operat...Rule Medium Severity -
The web server must have Web Distributed Authoring (WebDAV) disabled.
A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to ...Rule Medium Severity -
The web server must be configured to use a specified IP address and port.
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addres...Rule Medium Severity -
The web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and D...Rule Medium Severity -
A web server utilizing mobile code must meet DoD-defined mobile code requirements.
Mobile code in hosted applications allows the developer to add functionality and displays to hosted applications that are fluid, as opposed to a static web page. The data presentation becomes more ...Rule Medium Severity -
The web server must accept only system-generated session identifiers.
Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. In order to maintain a connection or session, a web server will generate a sessi...Rule Medium Severity -
The web server must generate unique session identifiers that cannot be reliably reproduced.
Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. In order to maintain a connection or session, a web server will generate a sessi...Rule Medium Severity -
The web server must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly availa...Rule Medium Severity -
The web server must limit the character set used for data entry.
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unantici...Rule Medium Severity -
The web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.
The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an i...Rule Medium Severity -
The web server must set an inactive timeout for sessions.
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By cl...Rule Medium Severity -
The web server must restrict inbound connections from nonsecure zones.
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform manag...Rule Medium Severity -
Non-privileged accounts on the hosting system must only access web server security-relevant information and functions through a distinct administrative account.
By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged accou...Rule Medium Severity -
The web server must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
In order to make certain that the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism needs to be able to allocate log record ...Rule Medium Severity -
The web server must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the lo...Rule Medium Severity -
The web server application, libraries, and configuration files must only be accessible to privileged users.
A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the pote...Rule Medium Severity -
The web server must only accept client certificates (user and machine) issued by DOD PKI or DOD-approved PKI Certificate Authorities (CAs).
Non-DOD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DOD systems to rely on the identity assert...Rule Medium Severity -
The web server must be tuned to handle the operational requirements of the hosted application.
A Denial of Service (DoS) can occur when the web server is so overwhelmed that it can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a Do...Rule Medium Severity -
Web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed.
A cookie is used when a web server needs to share data with the client's browser. The data is often used to remember the client when the client returns to the hosted application at a later date. A ...Rule Medium Severity -
Cookies exchanged between the web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies.
Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the trans...Rule Medium Severity -
The web server must maintain the confidentiality and integrity of information during preparation for transmission.
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, an...Rule Medium Severity -
The web server must install security-relevant software updates within the configured time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (incl...Rule Medium Severity -
The web server must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit log...Rule Medium Severity -
The web server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.
The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication is to reduce the likelihoo...Rule Medium Severity -
The web server must, for password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency.
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter pass...Rule Medium Severity -
The web server must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter pass...Rule Medium Severity -
The web server must, for password-based authentication, enforce organization-defined composition and complexity rules.
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter pass...Rule Medium Severity -
The web server must synchronize system clocks within and between systems or system components.
Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day...Rule Medium Severity -
The web server must use HTTP/2, at a minimum.
HTTP/2, like HTTPS, enhances security compared to HTTP/1.x by minimizing the risk of header-based attacks (e.g., header injection and manipulation). Websites that fully utilize HTTP/2 are inherent...Rule Medium Severity -
SRG-APP-000089
Group -
The web server must implement the capability to centrally review and analyze audit records from multiple components within the system.
Automated mechanisms for centralized reviews and analyses include security information and event management products.Rule Medium Severity -
SRG-APP-000795
Group -
SRG-APP-000001
Group -
The web server must limit the number of allowed simultaneous session requests.
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limit...Rule Medium Severity -
SRG-APP-000001
Group -
SRG-APP-000014
Group -
The web server must use encryption strength in accordance with the categorization of data hosted by the web server when remote connections are provided.
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption use...Rule Medium Severity -
SRG-APP-000015
Group -
The web server must use cryptography to protect the integrity of remote sessions.
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.