VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V2R1

Published: 2021-06-23

Updated At: 2021-08-02 18:13:00


    Vuln Rule | Version | CCI | Severity | Title | Description
    SV-240725r673919_rule VRAU-TC-000005 CCI-000054 MEDIUM tc Server HORIZON must limit the number of maximum concurrent connections permitted. Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial-of-service attack. Unless the number of requests is controlled, the web server can consume enough system resources to cause a sy
    SV-240726r673922_rule VRAU-TC-000010 CCI-000054 MEDIUM tc Server VCO must limit the number of maximum concurrent connections permitted. Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial-of-service attack. Unless the number of requests is controlled, the web server can consume enough system resources to cause a sy
    SV-240727r673925_rule VRAU-TC-000015 CCI-000054 MEDIUM tc Server VCAC must limit the number of maximum concurrent connections permitted. Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial-of-service attack. Unless the number of requests is controlled, the web server can consume enough system resources to cause a sy
    SV-240728r673928_rule VRAU-TC-000020 CCI-000054 MEDIUM tc Server HORIZON must limit the amount of time that each TCP connection is kept alive. Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. Mitigation against these threats is to take steps to limit the
    SV-240729r673931_rule VRAU-TC-000025 CCI-000054 MEDIUM tc Server VCO must limit the amount of time that each TCP connection is kept alive. Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. Mitigation against these threats is to take steps to limit the
    SV-240730r673934_rule VRAU-TC-000030 CCI-000054 MEDIUM tc Server VCAC must limit the amount of time that each TCP connection is kept alive. Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. Mitigation against these threats is to take steps to limit the
    SV-240731r673937_rule VRAU-TC-000035 CCI-000054 MEDIUM tc Server HORIZON must limit the number of times that each TCP connection is kept alive. KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subs
    SV-240732r673940_rule VRAU-TC-000040 CCI-000054 MEDIUM tc Server VCO must limit the number of times that each TCP connection is kept alive. KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subs
    SV-240733r673943_rule VRAU-TC-000045 CCI-000054 MEDIUM tc Server VCAC must limit the number of times that each TCP connection is kept alive. KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subs
    SV-240734r673946_rule VRAU-TC-000050 CCI-000054 MEDIUM tc Server HORIZON must perform server-side session management. Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the serv
    SV-240735r673949_rule VRAU-TC-000055 CCI-000054 MEDIUM tc Server VCO must perform server-side session management. Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the serv
    SV-240736r673952_rule VRAU-TC-000060 CCI-000054 MEDIUM tc Server VCAC must perform server-side session management. Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the serv
    SV-240737r674392_rule VRAU-TC-000065 CCI-000068 MEDIUM tc Server HORIZON must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can potentially be compromised. The US Federal Information Proce
    SV-240738r674394_rule VRAU-TC-000070 CCI-000068 MEDIUM tc Server VCAC must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can potentially be compromised. The US Federal Information Proce
    SV-240739r673961_rule VRAU-TC-000075 CCI-001453 MEDIUM tc Server HORIZON must use cryptography to protect the integrity of remote sessions. Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
    SV-240740r673964_rule VRAU-TC-000080 CCI-001453 MEDIUM tc Server VCAC must use cryptography to protect the integrity of remote sessions. Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
    SV-240741r674396_rule VRAU-TC-000085 CCI-000067 MEDIUM tc Server HORIZON must record user access in a format that enables monitoring of remote access. Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. As a Tomcat derivative, tc Server can be configure
    SV-240742r674398_rule VRAU-TC-000090 CCI-000067 MEDIUM tc Server VCO must record user access in a format that enables monitoring of remote access. Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. As a Tomcat derivative, tc Server can be configure
    SV-240743r674400_rule VRAU-TC-000095 CCI-000067 MEDIUM tc Server VCAC must record user access in a format that enables monitoring of remote access. Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. As a Tomcat derivative, tc Server can be configure
    SV-240744r674402_rule VRAU-TC-000105 CCI-000169 MEDIUM tc Server ALL must generate log records for system startup and shutdown. Logging must be started as soon as possible when a service starts and when a service is stopped. Many forms of suspicious actions can be detected by analyzing logs for unexpected service starts and stops. Also, by starting to log immediately after a servi
    SV-240745r674404_rule VRAU-TC-000110 CCI-000169 MEDIUM tc Server HORIZON must generate log records for user access and authentication events. Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
    SV-240746r674406_rule VRAU-TC-000115 CCI-000169 MEDIUM tc Server VCO must generate log records for user access and authentication events. Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
    SV-240747r674408_rule VRAU-TC-000120 CCI-000169 MEDIUM tc Server VCAC must generate log records for user access and authentication events. Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
    SV-240748r674410_rule VRAU-TC-000125 CCI-001464 MEDIUM tc Server ALL must initiate logging during service start-up. An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missed and not available during a forensic investigation. To assure all logable events a
    SV-240749r673991_rule VRAU-TC-000145 CCI-000130 MEDIUM tc Server HORIZON must produce log records containing sufficient information to establish what type of events occurred. After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all servers, tc Server will typically proces
    SV-240750r673994_rule VRAU-TC-000150 CCI-000130 MEDIUM tc Server VCO must produce log records containing sufficient information to establish what type of events occurred. After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all servers, tc Server will typically proces
    SV-240751r673997_rule VRAU-TC-000155 CCI-000130 MEDIUM tc Server VCAC must produce log records containing sufficient information to establish what type of events occurred. After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all servers, tc Server will typically proces
    SV-240752r674000_rule VRAU-TC-000160 CCI-000131 MEDIUM tc Server HORIZON must produce log records containing sufficient information to establish when (date and time) events occurred. After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can b
    SV-240753r674003_rule VRAU-TC-000165 CCI-000131 MEDIUM tc Server VCO must produce log records containing sufficient information to establish when (date and time) events occurred. After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can b
    SV-240754r674006_rule VRAU-TC-000170 CCI-000131 MEDIUM tc Server VCAC must produce log records containing sufficient information to establish when (date and time) events occurred. After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can b
    SV-240755r674009_rule VRAU-TC-000175 CCI-000132 MEDIUM tc Server HORIZON must produce log records containing sufficient information to establish where within the web server the events occurred. After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain informatio
    SV-240756r674012_rule VRAU-TC-000180 CCI-000132 MEDIUM tc Server VCO must produce log records containing sufficient information to establish where within the web server the events occurred. After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain informatio
    SV-240757r674015_rule VRAU-TC-000185 CCI-000132 MEDIUM tc Server VCAC must produce log records containing sufficient information to establish where within the web server the events occurred. After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain informatio
    SV-240758r674018_rule VRAU-TC-000190 CCI-000133 MEDIUM tc Server HORIZON must produce log records containing sufficient information to establish the source of events. After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain informatio
    SV-240759r674021_rule VRAU-TC-000195 CCI-000133 MEDIUM tc Server VCO must produce log records containing sufficient information to establish the source of events. After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain informatio
    SV-240760r674024_rule VRAU-TC-000200 CCI-000133 MEDIUM tc Server VCAC must produce log records containing sufficient information to establish the source of events. After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain informatio
    SV-240761r674412_rule VRAU-TC-000205 CCI-000133 MEDIUM tc Server HORIZON must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g. source IP, of the events is importan
    SV-240762r674030_rule VRAU-TC-000210 CCI-000133 MEDIUM tc Server VCO must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g. source IP, of the events is importan
    SV-240763r674414_rule VRAU-TC-000215 CCI-000133 MEDIUM tc Server VCAC must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. tc Server VCAC logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g. source IP, of the events is important d
    SV-240764r674416_rule VRAU-TC-000220 CCI-000134 MEDIUM tc Server HORIZON must produce log records that contain sufficient information to establish the outcome (success or failure) of events. After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain informatio
    SV-240765r674418_rule VRAU-TC-000225 CCI-000134 MEDIUM tc Server VCO must produce log records that contain sufficient information to establish the outcome (success or failure) of events. After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain informatio
    SV-240766r674420_rule VRAU-TC-000230 CCI-000134 MEDIUM tc Server VCAC must produce log records that contain sufficient information to establish the outcome (success or failure) of events. After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain informatio
    SV-240767r674045_rule VRAU-TC-000235 CCI-001487 MEDIUM tc Server HORIZON must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain informatio
    SV-240768r674048_rule VRAU-TC-000240 CCI-001487 MEDIUM tc Server VCO must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain informatio
    SV-240769r674051_rule VRAU-TC-000245 CCI-001487 MEDIUM tc Server VCAC must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain informatio
    SV-240770r674422_rule VRAU-TC-000250 CCI-000139 MEDIUM tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure. Reviewing log data allows an investigator to recreate the path of an attacker and to capture forensic data for later use. Log data is also essential to system administrators in their daily administrative duties on the hosted system or within the hosted ap
    SV-240771r674057_rule VRAU-TC-000260 CCI-000162 MEDIUM tc Server HORIZON log files must only be accessible by privileged users. Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
    SV-240772r674060_rule VRAU-TC-000265 CCI-000162 MEDIUM tc Server VCO log files must only be accessible by privileged users. Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
    SV-240773r674063_rule VRAU-TC-000270 CCI-000162 MEDIUM tc Server VCAC log files must only be accessible by privileged users. Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
    SV-240774r674424_rule VRAU-TC-000275 CCI-000163 MEDIUM tc Server HORIZON log files must be protected from unauthorized modification. Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
    SV-240775r674069_rule VRAU-TC-000280 CCI-000163 MEDIUM tc Server VCO log files must be protected from unauthorized modification. Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
    SV-240776r674072_rule VRAU-TC-000285 CCI-000163 MEDIUM tc Server VCAC log files must be protected from unauthorized modification. Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
    SV-240777r674075_rule VRAU-TC-000290 CCI-000164 MEDIUM tc Server HORIZON log files must be protected from unauthorized deletion. Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
    SV-240778r674078_rule VRAU-TC-000295 CCI-000164 MEDIUM tc Server VCO log files must be protected from unauthorized deletion. Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
    SV-240779r674081_rule VRAU-TC-000300 CCI-000164 MEDIUM tc Server VCAC log files must be protected from unauthorized deletion. Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
    SV-240780r674084_rule VRAU-TC-000305 CCI-001348 MEDIUM tc Server ALL log data and records must be backed up onto a different system or media. Protection of tc Server ALL log data includes assuring log data is not accidentally lost or deleted. Backing up tc Server ALL log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure t
    SV-240781r674426_rule VRAU-TC-000310 CCI-001749 MEDIUM tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server. Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. VMware delivers product updates and patches
    SV-240782r674428_rule VRAU-TC-000315 CCI-001749 MEDIUM tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server. In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development website. The process of developing on a functional production website entails a degree of trial
    SV-240783r674093_rule VRAU-TC-000320 CCI-000381 MEDIUM tc Server HORIZON must not use the tomcat-users XML database for user management. User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks like password complexity, locking users after a configu
    SV-240784r674096_rule VRAU-TC-000325 CCI-000381 MEDIUM tc Server VCO must not use the tomcat-users XML database for user management. User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks like password complexity, locking users after a configu
    SV-240785r674099_rule VRAU-TC-000330 CCI-000381 MEDIUM tc Server VCAC must not use the tomcat-users XML database for user management. User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks like password complexity, locking users after a configu
    SV-240786r674430_rule VRAU-TC-000335 CCI-000381 MEDIUM tc Server ALL must only contain services and functions necessary for operation. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-240787r674432_rule VRAU-TC-000345 CCI-000381 HIGH tc Server ALL must exclude documentation, sample code, example applications, and tutorials. Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationa
    SV-240788r674470_rule VRAU-TC-000355 CCI-000381 MEDIUM tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation. Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and g
    SV-240789r674111_rule VRAU-TC-000360 CCI-000381 MEDIUM tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled. Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too
    SV-240790r674114_rule VRAU-TC-000365 CCI-000381 MEDIUM tc Server ALL must have all mappings to unused and vulnerable scripts to be removed. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-240791r674117_rule VRAU-TC-000370 CCI-000381 MEDIUM tc Server HORIZON must have mappings set for Java Servlet Pages. Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can
    SV-240792r674120_rule VRAU-TC-000375 CCI-000381 MEDIUM tc Server VCO must have mappings set for Java Servlet Pages. Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can
    SV-240793r674123_rule VRAU-TC-000380 CCI-000381 MEDIUM tc Server VCAC must have mappings set for Java Servlet Pages. Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can
    SV-240794r674126_rule VRAU-TC-000385 CCI-000381 MEDIUM tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed. A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a ser
    SV-240795r674129_rule VRAU-TC-000390 CCI-000381 MEDIUM tc Server HORIZON must be configured with memory leak protection. The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources that will lead to OutOfMemoryErrors when reloading web applications. M
    SV-240796r674132_rule VRAU-TC-000395 CCI-000381 MEDIUM tc Server VCO must be configured with memory leak protection. The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources that will lead to OutOfMemoryErrors when reloading web applications. M
    SV-240797r674135_rule VRAU-TC-000400 CCI-000381 MEDIUM tc Server VCAC must be configured with memory leak protection. The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server VCAC can continue to consume system resources that will lead to OutOfMemoryErrors when reloading web applications. Memo
    SV-240798r674138_rule VRAU-TC-000410 CCI-000381 MEDIUM tc Server VCO must not have any symbolic links in the web content directory tree. A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and application
    SV-240799r674141_rule VRAU-TC-000420 CCI-000382 MEDIUM tc Server HORIZON must be configured to use a specified IP address and port. The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has
    SV-240800r674144_rule VRAU-TC-000425 CCI-000382 MEDIUM tc Server VCO must be configured to use a specified IP address and port. The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has
    SV-240801r674147_rule VRAU-TC-000430 CCI-000382 MEDIUM tc Server VCAC must be configured to use a specified IP address and port. The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has
    SV-240802r674150_rule VRAU-TC-000435 CCI-000197 MEDIUM tc Server HORIZON must encrypt passwords during transmission. Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many
    SV-240803r674153_rule VRAU-TC-000440 CCI-000197 MEDIUM tc Server VCAC must encrypt passwords during transmission. Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many
    SV-240804r674434_rule VRAU-TC-000445 CCI-000185 MEDIUM tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid. The DoD standard for authentication is DoD-approved PKI certificates. A certificate’s certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying
    SV-240805r674472_rule VRAU-TC-000450 CCI-000186 MEDIUM tc Server ALL must only allow authenticated system administrators to have access to the keystore. The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By gaining access to the private key, an attacker can prete
    SV-240806r674436_rule VRAU-TC-000460 CCI-000803 MEDIUM tc Server HORIZON must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS
    SV-240807r674438_rule VRAU-TC-000465 CCI-000803 MEDIUM tc Server VCAC must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS
    SV-240808r674168_rule VRAU-TC-000475 CCI-001082 HIGH tc Server HORIZON accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also b
    SV-240809r674171_rule VRAU-TC-000480 CCI-001082 HIGH tc Server VCO accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also b
    SV-240810r674174_rule VRAU-TC-000485 CCI-001082 HIGH tc Server VCAC accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also b
    SV-240811r674177_rule VRAU-TC-000490 CCI-001082 HIGH tc Server HORIZON web server application directories must not be accessible to anonymous users. In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the names of those who made the changes. Allowing an
    SV-240812r674180_rule VRAU-TC-000495 CCI-001082 HIGH tc Server VCO web server application directories must not be accessible to anonymous users. In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the names of those who made the changes. Allowing an
    SV-240813r674183_rule VRAU-TC-000500 CCI-001082 HIGH tc Server VCAC web server application directories must not be accessible to anonymous users. In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the names of those who made the changes. Allowing an
    SV-240814r674186_rule VRAU-TC-000550 CCI-001190 MEDIUM tc Server ALL baseline must be documented and maintained. Making certain that the web server has not been updated by an unauthorized user is always a concern. Adding patches, functions, and modules that are untested and not part of the baseline opens the possibility for security risks. The web server must offer,
    SV-240815r674189_rule VRAU-TC-000555 CCI-001190 MEDIUM tc Server HORIZON must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly available information that is not critical, a safe state for fai
    SV-240816r674192_rule VRAU-TC-000560 CCI-001190 MEDIUM tc Server VCO must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly available information that is not critical, a safe state for fai
    SV-240817r674195_rule VRAU-TC-000565 CCI-001190 MEDIUM tc Server VCAC must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly available information that is not critical, a safe state for fai
    SV-240818r674198_rule VRAU-TC-000580 CCI-001084 MEDIUM tc Server HORIZON document directory must be in a separate partition from the web server's system files. A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major
    SV-240819r674201_rule VRAU-TC-000585 CCI-001084 MEDIUM tc Server VCO document directory must be in a separate partition from the web server's system files. A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major
    SV-240820r674204_rule VRAU-TC-000590 CCI-001084 MEDIUM tc Server VCAC document directory must be in a separate partition from the web server's system files. A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major
    SV-240824r674216_rule VRAU-TC-000610 CCI-001310 MEDIUM tc Server HORIZON must set URIEncoding to UTF-8. Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an appl
    SV-240825r674219_rule VRAU-TC-000615 CCI-001310 MEDIUM tc Server VCO must set URIEncoding to UTF-8. Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an appl
    SV-240826r674222_rule VRAU-TC-000620 CCI-001310 MEDIUM tc Server HORIZON must use the setCharacterEncodingFilter filter. Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an appl
    SV-240827r674225_rule VRAU-TC-000625 CCI-001310 MEDIUM tc Server VCO must use the setCharacterEncodingFilter filter. Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an appl
    SV-240828r674228_rule VRAU-TC-000630 CCI-001310 MEDIUM tc Server VCAC must set URIEncoding to UTF-8. Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an appl
    SV-240829r674231_rule VRAU-TC-000635 CCI-001310 MEDIUM tc Server VCAC must use the setCharacterEncodingFilter filter. Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an appl
    SV-240830r674234_rule VRAU-TC-000640 CCI-001312 MEDIUM tc Server HORIZON must set the welcome-file node to a default web page. The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this
    SV-240831r674237_rule VRAU-TC-000645 CCI-001312 MEDIUM tc Server VCO must set the welcome-file node to a default web page. The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this
    SV-240832r674240_rule VRAU-TC-000650 CCI-001312 MEDIUM tc Server VCAC must set the welcome-file node to a default web page. The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this
    SV-240833r674243_rule VRAU-TC-000660 CCI-001312 MEDIUM tc Server HORIZON must have the allowTrace parameter set to false. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, in
    SV-240834r674246_rule VRAU-TC-000665 CCI-001312 MEDIUM tc Server VCO must have the allowTrace parameter set to false. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, in
    SV-240835r674249_rule VRAU-TC-000670 CCI-001312 MEDIUM tc Server VCAC must have the allowTrace parameter set to false. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, in
    SV-240836r674252_rule VRAU-TC-000675 CCI-001312 MEDIUM tc Server HORIZON must have the debug option turned off. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, in
    SV-240837r674255_rule VRAU-TC-000680 CCI-001312 MEDIUM tc Server VCO must have the debug option turned off. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, in
    SV-240838r674258_rule VRAU-TC-000685 CCI-001312 MEDIUM tc Server VCAC must have the debug option turned off. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, in
    SV-240839r674261_rule VRAU-TC-000695 CCI-002361 MEDIUM tc Server HORIZON must set an inactive timeout for sessions. Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web s
    SV-240840r674264_rule VRAU-TC-000700 CCI-002361 MEDIUM tc Server VCO must set an inactive timeout for sessions. Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web s
    SV-240841r674267_rule VRAU-TC-000705 CCI-002361 MEDIUM tc Server VCAC must set an inactive timeout for sessions. Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web s
    SV-240842r674440_rule VRAU-TC-000710 CCI-002314 HIGH tc Server ALL must be configured to the correct user authentication source. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely an
    SV-240843r674273_rule VRAU-TC-000715 CCI-002314 MEDIUM tc Server HORIZON must be configured to use the https scheme. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. tc Server connections are managed by the
    SV-240844r674276_rule VRAU-TC-000720 CCI-002314 MEDIUM tc Server VCAC must be configured to use the https scheme. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. tc Server connections are managed by the
    SV-240845r674279_rule VRAU-TC-000740 CCI-001849 MEDIUM tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server. In order to make certain that the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism needs to be able to allocate log record storage capacity. The task of allocating log record stor
    SV-240846r674474_rule VRAU-TC-000750 CCI-001851 MEDIUM tc Server ALL log files must be moved to a permanent repository in accordance with site policy. A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensur
    SV-240847r674442_rule VRAU-TC-000755 CCI-001855 MEDIUM tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being rea
    SV-240848r674444_rule VRAU-TC-000760 CCI-001890 MEDIUM tc Server HORIZON must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expre
    SV-240849r674446_rule VRAU-TC-000765 CCI-001890 MEDIUM tc Server VCO must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expre
    SV-240850r674448_rule VRAU-TC-000770 CCI-001890 MEDIUM tc Server VCAC must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expre
    SV-240851r674450_rule VRAU-TC-000775 CCI-001889 MEDIUM tc Server HORIZON must record time stamps for log records to a minimum granularity of one second. Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. Like all web servers
    SV-240852r674452_rule VRAU-TC-000780 CCI-001889 MEDIUM tc Server VCO must record time stamps for log records to a minimum granularity of one second. Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. Like all web servers
    SV-240853r674454_rule VRAU-TC-000785 CCI-001889 MEDIUM tc Server VCAC must record time stamps for log records to a minimum granularity of one second. Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. Like all web servers
    SV-240854r674306_rule VRAU-TC-000790 CCI-001813 MEDIUM tc Server HORIZON application, libraries, and configuration files must only be accessible to privileged users. A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server inst
    SV-240855r674309_rule VRAU-TC-000795 CCI-001813 MEDIUM tc Server VCO application, libraries, and configuration files must only be accessible to privileged users. A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server inst
    SV-240856r674312_rule VRAU-TC-000800 CCI-001813 MEDIUM tc Server VCAC application, libraries, and configuration files must only be accessible to privileged users. A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server inst
    SV-240857r674456_rule VRAU-TC-000805 CCI-001762 MEDIUM tc Server HORIZON must be configured with the appropriate ports. Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too insecure to run on a production system. The web server must provide the capability to disable or de
    SV-240858r674458_rule VRAU-TC-000810 CCI-001762 MEDIUM tc Server VCO must be configured with the appropriate ports. Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too insecure to run on a production system. The web server must provide the capability to disable or de
    SV-240859r674460_rule VRAU-TC-000815 CCI-001762 MEDIUM tc Server VCAC must be configured with the appropriate ports. Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too insecure to run on a production system. The web server must provide the capability to disable or de
    SV-240860r674462_rule VRAU-TC-000820 CCI-002450 MEDIUM tc Server HORIZON must use NSA Suite A cryptography when encrypting data that must be compartmentalized. Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for pr
    SV-240861r674464_rule VRAU-TC-000825 CCI-002450 MEDIUM tc Server VCAC must use NSA Suite A cryptography when encrypting data that must be compartmentalized. Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for pr
    SV-240862r674330_rule VRAU-TC-000840 CCI-002385 MEDIUM tc Server HORIZON must disable the shutdown port. An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat derivative, tc Server uses a port (defaults to 8005) as a sh
    SV-240863r674333_rule VRAU-TC-000845 CCI-002385 MEDIUM tc Server VCO must disable the shutdown port. An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat derivative, tc Server uses a port (defaults to 8005) as a sh
    SV-240864r674336_rule VRAU-TC-000850 CCI-002385 MEDIUM tc Server VCAC must disable the shutdown port. An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat derivative, tc Server uses a port (defaults to 8005) as a sh
    SV-240865r674339_rule VRAU-TC-000860 CCI-002418 MEDIUM tc Server HORIZON must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-240866r674342_rule VRAU-TC-000865 CCI-002418 MEDIUM tc Server VCAC must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-240867r674345_rule VRAU-TC-000870 CCI-002418 MEDIUM tc Server HORIZON session IDs must be sent to the client using SSL/TLS. The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session c
    SV-240868r674348_rule VRAU-TC-000875 CCI-002418 MEDIUM tc Server VCAC session IDs must be sent to the client using SSL/TLS. The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session c
    SV-240869r674351_rule VRAU-TC-000885 CCI-002418 MEDIUM tc Server HORIZON must set the useHttpOnly parameter. A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts th
    SV-240870r674354_rule VRAU-TC-000890 CCI-002418 MEDIUM tc Server VCO must set the useHttpOnly parameter. A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts th
    SV-240871r674357_rule VRAU-TC-000895 CCI-002418 MEDIUM tc Server VCAC must set the useHttpOnly parameter. A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts th
    SV-240872r674360_rule VRAU-TC-000900 CCI-002418 MEDIUM tc Server HORIZON must set the secure flag for cookies. Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session
    SV-240873r674363_rule VRAU-TC-000905 CCI-002418 MEDIUM tc Server VCO must set the secure flag for cookies. Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session
    SV-240874r674366_rule VRAU-TC-000910 CCI-002418 MEDIUM tc Server VCAC must set the secure flag for cookies. Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session
    SV-240875r674369_rule VRAU-TC-000915 CCI-002418 HIGH tc Server HORIZON must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version. Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
    SV-240876r674372_rule VRAU-TC-000920 CCI-002418 HIGH tc Server VCAC must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version. Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
    SV-240877r674375_rule VRAU-TC-000925 CCI-002418 MEDIUM tc Server HORIZON must remove all export ciphers to protect the confidentiality and integrity of transmitted information. During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with the cipher suite it will use for communication from the cl
    SV-240878r674378_rule VRAU-TC-000930 CCI-002418 MEDIUM tc Server VCAC must remove all export ciphers to protect the confidentiality and integrity of transmitted information. During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with the cipher suite it will use for communication from the cl
    SV-240879r674381_rule VRAU-TC-000940 CCI-002422 MEDIUM tc Server HORIZON must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-240880r674384_rule VRAU-TC-000945 CCI-002422 MEDIUM tc Server VCAC must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-240881r674466_rule VRAU-TC-000950 CCI-002605 MEDIUM tc Server ALL must have all security-relevant software updates installed within the configured time period directed by an authoritative source. Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to
    SV-240882r674468_rule VRAU-TC-000960 CCI-000366 MEDIUM tc Server ALL must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. Configuring the web server to implement organization-wide security implementation guides and security checklists guarantees compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive secu