All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.

Description

<VulnDiscussion>Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Delete all directories that contain samples and any scripts used to execute the samples. If there is a requirement to maintain these directories at the site on non-production servers for training purposes, have NTFS permissions set to only allow access to authorized users (i.e., web administrators and systems administrators). Sample applications or scripts have not been evaluated and approved for use and may introduce vulnerabilities to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance>Any sample application or sample executable script found on the production web server will be a CAT I finding. Any web server documentation or sample file found on the production web server and accessible to web users or non-administrators will be a CAT III finding. Any web server documentation or sample file found on the production web server and accessible only to SAs or to web administrators is permissible and not a finding. </SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><Responsibility>Web Administrator</Responsibility><IAControls></IAControls>