VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2018-10-12

Updated At: 2018-11-03 10:32:14


Vuln | Rule Version | CCI | Severity | Title | Description
SV-99425r1_rule | VROM-TC-000005 | CCI-000054 | MEDIUM | tc Server UI must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Mitigating
SV-99427r1_rule | VROM-TC-000010 | CCI-000054 | MEDIUM | tc Server CaSa must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Mitigating
SV-99429r1_rule | VROM-TC-000015 | CCI-000054 | MEDIUM | tc Server API must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Mitigating
SV-99431r1_rule | VROM-TC-000020 | CCI-000054 | MEDIUM | tc Server UI must limit the amount of time that each TCP connection is kept alive. | Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. Mitigation against these threats is to take steps to limit the
SV-99433r1_rule | VROM-TC-000025 | CCI-000054 | MEDIUM | tc Server CaSa must limit the amount of time that each TCP connection is kept alive. | Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. Mitigation against these threats is to take steps to limit the
SV-99435r1_rule | VROM-TC-000030 | CCI-000054 | MEDIUM | tc Server API must limit the amount of time that each TCP connection is kept alive. | Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. Mitigation against these threats is to take steps to limit the
SV-99437r1_rule | VROM-TC-000035 | CCI-000054 | MEDIUM | tc Server UI must limit the number of times that each TCP connection is kept alive. | KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subs
SV-99439r1_rule | VROM-TC-000040 | CCI-000054 | MEDIUM | tc Server CaSa must limit the number of times that each TCP connection is kept alive. | KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subs
SV-99441r1_rule | VROM-TC-000045 | CCI-000054 | MEDIUM | tc Server API must limit the number of times that each TCP connection is kept alive. | KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subs
SV-99443r1_rule | VROM-TC-000050 | CCI-000054 | MEDIUM | tc Server UI must perform server-side session management. | Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the serve
SV-99445r1_rule | VROM-TC-000055 | CCI-000054 | MEDIUM | tc Server CaSa must perform server-side session management. | Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the serve
SV-99447r1_rule | VROM-TC-000060 | CCI-000054 | MEDIUM | tc Server API must perform server-side session management. | Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the serve
SV-99449r1_rule | VROM-TC-000065 | CCI-000068 | MEDIUM | tc Server UI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. | Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can potentially be compromised. The US Federal Information Proce
SV-99451r1_rule | VROM-TC-000070 | CCI-000068 | MEDIUM | tc Server CaSa must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. | Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can potentially be compromised. The US Federal Information Proce
SV-99453r1_rule | VROM-TC-000075 | CCI-000068 | MEDIUM | tc Server API must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. | Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can potentially be compromised. The US Federal Information Proce
SV-99455r1_rule | VROM-TC-000080 | CCI-001453 | MEDIUM | tc Server UI must use cryptography to protect the integrity of remote sessions. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-99457r1_rule | VROM-TC-000085 | CCI-001453 | MEDIUM | tc Server CaSa must use cryptography to protect the integrity of remote sessions. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-99459r1_rule | VROM-TC-000090 | CCI-001453 | MEDIUM | tc Server API must use cryptography to protect the integrity of remote sessions. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-99461r1_rule | VROM-TC-000095 | CCI-000067 | MEDIUM | tc Server UI must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. As a Tomcat derivative, tc Server can be configure
SV-99463r1_rule | VROM-TC-000100 | CCI-000067 | MEDIUM | tc Server CaSa must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. As a Tomcat derivative, tc Server can be configure
SV-99465r1_rule | VROM-TC-000105 | CCI-000067 | MEDIUM | tc Server API must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. As a Tomcat derivative, tc Server can be configure
SV-99467r1_rule | VROM-TC-000115 | CCI-000169 | MEDIUM | tc Server ALL must generate log records for system startup and shutdown. | Logging must be started as soon as possible when a service starts and when a service is stopped. Many forms of suspicious actions can be detected by analyzing logs for unexpected service starts and stops. Also, by starting to log immediately after a servi
SV-99469r1_rule | VROM-TC-000120 | CCI-000169 | MEDIUM | tc Server UI must generate log records for user access and authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
SV-99471r1_rule | VROM-TC-000125 | CCI-000169 | MEDIUM | tc Server CaSa must generate log records for user access and authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
SV-99473r1_rule | VROM-TC-000130 | CCI-000169 | MEDIUM | tc Server API must generate log records for user access and authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
SV-99475r1_rule | VROM-TC-000135 | CCI-001464 | MEDIUM | tc Server ALL must initiate logging during service start-up. | An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missed and not available during a forensic investigation. To assure all loggable events a
SV-99477r1_rule | VROM-TC-000140 | CCI-001462 | MEDIUM | tc Server UI must capture, record, and log all content related to a user session. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99479r1_rule | VROM-TC-000145 | CCI-001462 | MEDIUM | tc Server CaSa must capture, record, and log all content related to a user session. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99481r1_rule | VROM-TC-000150 | CCI-001462 | MEDIUM | tc Server API must capture, record, and log all content related to a user session. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99483r1_rule | VROM-TC-000155 | CCI-000130 | MEDIUM | tc Server UI must produce log records containing sufficient information to establish what type of events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all servers, tc Server will typically proces
SV-99485r1_rule | VROM-TC-000160 | CCI-000130 | MEDIUM | tc Server CaSa must produce log records containing sufficient information to establish what type of events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all servers, tc Server will typically proces
SV-99487r1_rule | VROM-TC-000165 | CCI-000130 | MEDIUM | tc Server API must produce log records containing sufficient information to establish what type of events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all servers, tc Server will typically proces
SV-99489r1_rule | VROM-TC-000170 | CCI-000131 | MEDIUM | tc Server UI must produce log records containing sufficient information to establish when (date and time) events occurred. | After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can b
SV-99491r1_rule | VROM-TC-000175 | CCI-000131 | MEDIUM | tc Server CaSa must produce log records containing sufficient information to establish when (date and time) events occurred. | After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can b
SV-99493r1_rule | VROM-TC-000180 | CCI-000131 | MEDIUM | tc Server API must produce log records containing sufficient information to establish when (date and time) events occurred. | After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can b
SV-99495r1_rule | VROM-TC-000185 | CCI-000132 | MEDIUM | tc Server UI must produce log records containing sufficient information to establish where within the web server the events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99497r1_rule | VROM-TC-000190 | CCI-000132 | MEDIUM | tc Server CaSa must produce log records containing sufficient information to establish where within the web server the events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99499r1_rule | VROM-TC-000195 | CCI-000132 | MEDIUM | tc Server API must produce log records containing sufficient information to establish where within the web server the events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99501r1_rule | VROM-TC-000200 | CCI-000133 | MEDIUM | tc Server UI must produce log records containing sufficient information to establish the source of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99503r1_rule | VROM-TC-000205 | CCI-000133 | MEDIUM | tc Server CaSa must produce log records containing sufficient information to establish the source of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99505r1_rule | VROM-TC-000210 | CCI-000133 | MEDIUM | tc Server API must produce log records containing sufficient information to establish the source of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99507r1_rule | VROM-TC-000215 | CCI-000133 | MEDIUM | tc Server UI must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g. source IP, of the events is important
SV-99509r1_rule | VROM-TC-000220 | CCI-000133 | MEDIUM | tc Server CaSa must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g. source IP, of the events is importan
SV-99511r1_rule | VROM-TC-000225 | CCI-000133 | MEDIUM | tc Server API must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g. source IP, of the events is important
SV-99513r1_rule | VROM-TC-000230 | CCI-000134 | MEDIUM | tc Server UI must produce log records that contain sufficient information to establish the outcome (success or failure) of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99515r1_rule | VROM-TC-000235 | CCI-000134 | MEDIUM | tc Server CaSa must produce log records that contain sufficient information to establish the outcome (success or failure) of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99517r1_rule | VROM-TC-000240 | CCI-000134 | MEDIUM | tc Server API must produce log records that contain sufficient information to establish the outcome (success or failure) of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99519r1_rule | VROM-TC-000245 | CCI-001487 | MEDIUM | tc Server UI must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99521r1_rule | VROM-TC-000250 | CCI-001487 | MEDIUM | tc Server CaSa must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99523r1_rule | VROM-TC-000255 | CCI-001487 | MEDIUM | tc Server API must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information
SV-99525r1_rule | VROM-TC-000260 | CCI-000139 | MEDIUM | tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure. | Reviewing log data allows an investigator to recreate the path of an attacker and to capture forensic data for later use. Log data is also essential to system administrators in their daily administrative duties on the hosted system or within the hosted ap
SV-99527r1_rule | VROM-TC-000270 | CCI-000162 | MEDIUM | tc Server UI log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
SV-99529r1_rule | VROM-TC-000275 | CCI-000162 | MEDIUM | tc Server CaSa log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
SV-99531r1_rule | VROM-TC-000280 | CCI-000162 | MEDIUM | tc Server API log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
SV-99533r1_rule | VROM-TC-000285 | CCI-000163 | MEDIUM | tc Server UI log files must be protected from unauthorized modification. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
SV-99535r1_rule | VROM-TC-000290 | CCI-000163 | MEDIUM | tc Server CaSa log files must be protected from unauthorized modification. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
SV-99537r1_rule | VROM-TC-000295 | CCI-000163 | MEDIUM | tc Server API log files must be protected from unauthorized modification. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
SV-99539r1_rule | VROM-TC-000300 | CCI-000164 | MEDIUM | tc Server UI log files must be protected from unauthorized deletion. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
SV-99541r1_rule | VROM-TC-000305 | CCI-000164 | MEDIUM | tc Server CaSa log files must be protected from unauthorized deletion. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
SV-99543r1_rule | VROM-TC-000310 | CCI-000164 | MEDIUM | tc Server API log files must be protected from unauthorized deletion. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
SV-99545r1_rule | VROM-TC-000315 | CCI-001348 | MEDIUM | tc Server ALL log data and records must be backed up onto a different system or media. | Protection of tc Server ALL log data includes assuring log data is not accidentally lost or deleted. Backing up tc Server ALL log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure t
SV-99547r1_rule | VROM-TC-000320 | CCI-001749 | MEDIUM | tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server. | Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. VMware delivers product updates and patches r
SV-99549r1_rule | VROM-TC-000325 | CCI-001749 | MEDIUM | tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server. | In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development website. The process of developing on a functional production website entails a degree of trial
SV-99551r1_rule | VROM-TC-000330 | CCI-000381 | MEDIUM | tc Server UI must not use the tomcat-users XML database for user management. | User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks like password complexity, locking users after a configu
SV-99553r1_rule | VROM-TC-000335 | CCI-000381 | MEDIUM | tc Server CaSa must not use the tomcat-users XML database for user management. | User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks like password complexity, locking users after a configu
SV-99555r1_rule | VROM-TC-000340 | CCI-000381 | MEDIUM | tc Server API must not use the tomcat-users XML database for user management. | User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks like password complexity, locking users after a configu
SV-99557r1_rule | VROM-TC-000345 | CCI-000381 | MEDIUM | tc Server ALL must only contain services and functions necessary for operation. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-99559r1_rule | VROM-TC-000355 | CCI-000381 | HIGH | tc Server ALL must exclude documentation, sample code, example applications, and tutorials. | Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationa
SV-99561r1_rule | VROM-TC-000365 | CCI-000381 | MEDIUM | tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation. | Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and g
SV-99563r1_rule | VROM-TC-000370 | CCI-000381 | MEDIUM | tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled. | Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too
SV-99565r1_rule | VROM-TC-000375 | CCI-000381 | MEDIUM | tc Server ALL must have all mappings to unused and vulnerable scripts to be removed. | Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
SV-99567r1_rule | VROM-TC-000380 | CCI-000381 | MEDIUM | tc Server UI must have mappings set for Java Servlet Pages. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can
SV-99569r1_rule | VROM-TC-000385 | CCI-000381 | MEDIUM | tc Server CaSa must have mappings set for Java Servlet Pages. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can
SV-99571r1_rule | VROM-TC-000390 | CCI-000381 | MEDIUM | tc Server API must have mappings set for Java Servlet Pages. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can
SV-99573r1_rule | VROM-TC-000395 | CCI-000381 | MEDIUM | tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed. | A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a ser
SV-99575r1_rule | VROM-TC-000400 | CCI-000381 | MEDIUM | tc Server UI must be configured with memory leak protection. | The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources which will lead to OutOfMemoryErrors when re-loading web applications.
SV-99577r1_rule | VROM-TC-000405 | CCI-000381 | MEDIUM | tc Server CaSa must be configured with memory leak protection. | The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources which will lead to OutOfMemoryErrors when re-loading web applications.
SV-99579r1_rule | VROM-TC-000410 | CCI-000381 | MEDIUM | tc Server API must be configured with memory leak protection. | The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources which will lead to OutOfMemoryErrors when re-loading web applications.
SV-99581r1_rule | VROM-TC-000415 | CCI-000381 | HIGH | tc Server UI must not have any symbolic links in the web content directory tree. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and application
SV-99583r1_rule | VROM-TC-000420 | CCI-000381 | HIGH | tc Server CaSa must not have any symbolic links in the web content directory tree. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and application
SV-99585r1_rule | VROM-TC-000425 | CCI-000381 | HIGH | tc Server API must not have any symbolic links in the web content directory tree. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and application
SV-99587r1_rule | VROM-TC-000430 | CCI-000382 | MEDIUM | tc Server UI must be configured to use a specified IP address and port. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has
SV-99589r1_rule | VROM-TC-000435 | CCI-000382 | MEDIUM | tc Server CaSa must be configured to use a specified IP address and port. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has
    SV-99591r1_rule VROM-TC-000440 CCI-000382 MEDIUM tc Server API must be configured to use a specified IP address and port. The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has
    SV-99593r1_rule VROM-TC-000445 CCI-000197 MEDIUM tc Server UI must encrypt passwords during transmission. Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many
    SV-99595r1_rule VROM-TC-000450 CCI-000197 MEDIUM tc Server CaSa must encrypt passwords during transmission. Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many
    SV-99597r1_rule VROM-TC-000455 CCI-000197 MEDIUM tc Server API must encrypt passwords during transmission. Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many
    SV-99599r1_rule VROM-TC-000460 CCI-000185 MEDIUM tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid. If PKI is not being used, this check is Not Applicable. The DoD standard for authentication is DoD-approved PKI certificates. A certificate’s certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying
    SV-99601r1_rule VROM-TC-000465 CCI-000186 MEDIUM tc Server ALL must only allow authenticated system administrators to have access to the keystore. The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By gaining access to the private key, an attacker can prete
    SV-99603r1_rule VROM-TC-000470 CCI-000186 MEDIUM tc Server ALL must only allow authenticated system administrators to have access to the truststore. The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By gaining access to the private key, an attacker can prete
    SV-99605r1_rule VROM-TC-000480 CCI-000803 MEDIUM tc Server UI must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 1
    SV-99607r1_rule VROM-TC-000485 CCI-000803 MEDIUM tc Server CaSa must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 1
    SV-99609r1_rule VROM-TC-000490 CCI-000803 MEDIUM tc Server API must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 1
    SV-99611r1_rule VROM-TC-000500 CCI-001082 HIGH tc Server UI accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also b
    SV-99613r1_rule VROM-TC-000505 CCI-001082 HIGH tc Server CaSa accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also b
    SV-99615r1_rule VROM-TC-000510 CCI-001082 HIGH tc Server API accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also b
    SV-99617r1_rule VROM-TC-000515 CCI-001082 HIGH tc Server UI web server application directories must not be accessible to anonymous user. In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the names of those who made the changes. Allowing an
    SV-99619r1_rule VROM-TC-000520 CCI-001082 HIGH tc Server CaSa web server application directories must not be accessible to anonymous user. In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the names of those who made the changes. Allowing an
    SV-99621r1_rule VROM-TC-000525 CCI-001082 HIGH tc Server API web server application directories must not be accessible to anonymous user. In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the names of those who made the changes. Allowing an
    SV-99623r1_rule VROM-TC-000575 CCI-001190 MEDIUM tc Server ALL baseline must be documented and maintained. Making certain that the web server has not been updated by an unauthorized user is always a concern. Adding patches, functions, and modules that are untested and not part of the baseline opens the possibility for security risks. The web server must offer,
    SV-99625r1_rule VROM-TC-000580 CCI-001190 MEDIUM tc Server UI must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly available information that is not critical, a safe state for fai
    SV-99627r1_rule VROM-TC-000585 CCI-001190 MEDIUM tc Server CaSa must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly available information that is not critical, a safe state for fai
    SV-99629r1_rule VROM-TC-000590 CCI-001190 MEDIUM tc Server API must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly available information that is not critical, a safe state for fai
    SV-99631r1_rule VROM-TC-000605 CCI-001084 MEDIUM tc Server UI document directory must be in a separate partition from the web servers system files. A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major
    SV-99633r1_rule VROM-TC-000610 CCI-001084 MEDIUM tc Server CaSa document directory must be in a separate partition from the web servers system files. A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major
    SV-99635r1_rule VROM-TC-000615 CCI-001084 MEDIUM tc Server API document directory must be in a separate partition from the web servers system files. A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major
    SV-99637r1_rule VROM-TC-000620 CCI-001094 MEDIUM tc Server UI must be configured with a cross-site scripting (XSS) filter. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by atta
    SV-99639r1_rule VROM-TC-000625 CCI-001094 MEDIUM tc Server CaSa must be configured with a cross-site scripting (XSS) filter. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by atta
    SV-99641r1_rule VROM-TC-000630 CCI-001094 MEDIUM tc Server API must be configured with a cross-site scripting (XSS) filter. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by atta
    SV-99643r1_rule VROM-TC-000635 CCI-001310 MEDIUM tc Server UI must set URIEncoding to UTF-8. Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an appl
    SV-99645r1_rule VROM-TC-000640 CCI-001310 MEDIUM tc Server CaSa must set URIEncoding to UTF-8. Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an appl
    SV-99647r1_rule VROM-TC-000645 CCI-001310 MEDIUM tc Server API must set URIEncoding to UTF-8. Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an appl
    SV-99649r1_rule VROM-TC-000650 CCI-001310 MEDIUM tc Server UI must use the setCharacterEncodingFilter filter. Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an appl
    SV-99651r1_rule VROM-TC-000655 CCI-001310 MEDIUM tc Server CaSa must use the setCharacterEncodingFilter filter. Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an appl
    SV-99653r1_rule VROM-TC-000660 CCI-001310 MEDIUM tc Server API must use the setCharacterEncodingFilter filter. Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an appl
    SV-99655r1_rule VROM-TC-000665 CCI-001312 MEDIUM tc Server UI must set the welcome-file node to a default web page. The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this
    SV-99657r1_rule VROM-TC-000670 CCI-001312 MEDIUM tc Server CaSa must set the welcome-file node to a default web page. The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this
    SV-99659r1_rule VROM-TC-000675 CCI-001312 MEDIUM tc Server API must set the welcome-file node to a default web page. The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this
    SV-99661r1_rule VROM-TC-000685 CCI-001312 MEDIUM tc Server UI must have the allowTrace parameter set to false. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and module
    SV-99663r1_rule VROM-TC-000690 CCI-001312 MEDIUM tc Server CaSa must have the allowTrace parameter set to false. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and module
    SV-99665r1_rule VROM-TC-000695 CCI-001312 MEDIUM tc Server API must have the allowTrace parameter set to false. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and module
    SV-99667r1_rule VROM-TC-000700 CCI-001312 MEDIUM tc Server UI must have the debug option turned off. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, in
    SV-99669r1_rule VROM-TC-000705 CCI-001312 MEDIUM tc Server CaSa must have the debug option turned off. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, in
    SV-99671r1_rule VROM-TC-000710 CCI-001312 MEDIUM tc Server API must have the debug option turned off. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, in
    SV-99673r1_rule VROM-TC-000720 CCI-002361 MEDIUM tc Server UI must set an inactive timeout for sessions. Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web s
    SV-99675r1_rule VROM-TC-000725 CCI-002361 MEDIUM tc Server CaSa must set an inactive timeout for sessions. Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web s
    SV-99677r1_rule VROM-TC-000730 CCI-002361 MEDIUM tc Server API must set an inactive timeout for sessions. Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web s
    SV-99679r1_rule VROM-TC-000735 CCI-002314 HIGH tc Server ALL must be configured to the correct user authentication source. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely an
    SV-99681r1_rule VROM-TC-000740 CCI-002314 MEDIUM tc Server UI must be configured to use the https scheme. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. tc Server connections are managed by the
    SV-99683r1_rule VROM-TC-000745 CCI-002314 MEDIUM tc Server CaSa must be configured to use the https scheme. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. tc Server connections are managed by the
    SV-99685r1_rule VROM-TC-000750 CCI-002314 MEDIUM tc Server API must be configured to use the https scheme. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. tc Server connections are managed by the
    SV-99687r1_rule VROM-TC-000780 CCI-001849 MEDIUM tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server. In order to make certain that the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism needs to be able to allocate log record storage capacity. The task of allocating log record stora
    SV-99689r1_rule VROM-TC-000790 CCI-001851 MEDIUM tc Server ALL log files must be moved to a permanent repository in accordance with site policy. A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensur
    SV-99691r1_rule VROM-TC-000795 CCI-001855 MEDIUM tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being rea
    SV-99693r1_rule VROM-TC-000800 CCI-001890 MEDIUM tc Server UI must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expre
    SV-99695r1_rule VROM-TC-000805 CCI-001890 MEDIUM tc Server CaSa must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expre
    SV-99697r1_rule VROM-TC-000810 CCI-001890 MEDIUM tc Server API must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expre
    SV-99699r1_rule VROM-TC-000815 CCI-001889 MEDIUM tc Server UI must record time stamps for log records to a minimum granularity of one second. Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. Like all web servers,
    SV-99701r1_rule VROM-TC-000820 CCI-001889 MEDIUM tc Server CaSa must record time stamps for log records to a minimum granularity of one second. Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. Like all web servers,
    SV-99703r1_rule VROM-TC-000825 CCI-001889 MEDIUM tc Server API must record time stamps for log records to a minimum granularity of one second. Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. Like all web servers
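The six timestamp rules above (VROM-TC-000800 through 000825) reduce to two checks: the AccessLogValve pattern must emit whole seconds together with a zone offset (or epoch time), and an analyst must be able to put entries from the UI, CaSa and API instances onto one UTC timeline. The Python below is an added example, not part of the STIG or of vROps; the log lines, hosts and request paths are constructed for illustration, and the three instances are assumed to log in different local zones.

```python
"""Normalise tc Server (AccessLogValve) timestamps to UTC and check the
log pattern for second-level granularity with a zone offset.
Added example; SAMPLE_LOG lines and paths are constructed, not captured."""
import re
from datetime import datetime, timezone

# Constructed entries in the default "common" layout: %h %l %u %t "%r" %s %b.
# The instances are assumed to log in different local zones (-0400, +0000, +0100).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2018:09:15:02 -0400] "GET /ui/login.action HTTP/1.1" 200 5123
10.0.0.5 - admin [12/Oct/2018:09:15:07 -0400] "POST /ui/j_security_check HTTP/1.1" 302 -
10.0.0.9 - - [12/Oct/2018:13:15:04 +0000] "GET /casa/nodes HTTP/1.1" 401 -
10.0.0.9 - - [12/Oct/2018:14:15:04 +0100] "GET /suite-api/api/versions HTTP/1.1" 200 418
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# A time token is either plain %t or %{<SimpleDateFormat or sec/msec>}t.
TIME_TOKEN_RE = re.compile(r"%(?:\{(?P<fmt>[^}]*)\})?t")


def parse_timestamp(ts):
    """'dd/MMM/yyyy:HH:mm:ss Z' (the %t default) -> aware datetime in UTC."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)


def timeline(log_text):
    """Parse every matching line and return the records ordered by UTC time.
    The sort is stable, so simultaneous events keep their file order."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in another layout are left out rather than guessed at
        rec = m.groupdict()
        rec["time"] = parse_timestamp(rec["ts"])
        records.append(rec)
    records.sort(key=lambda r: r["time"])
    return records


def pattern_has_utc_mappable_seconds(pattern):
    """True when the AccessLogValve 'pattern' attribute contains a time token
    that carries whole seconds and enough zone information to map to UTC."""
    for fmt in TIME_TOKEN_RE.findall(pattern):
        if fmt == "":                       # plain %t: CLF date with zone offset
            return True
        if fmt in ("sec", "msec"):          # epoch seconds / milliseconds: already UTC
            return True
        if "ss" in fmt and re.search(r"[zZX]", fmt):  # SimpleDateFormat seconds + zone
            return True
    return False


if __name__ == "__main__":
    for r in timeline(SAMPLE_LOG):
        print(r["time"].strftime("%Y-%m-%dT%H:%M:%SZ"), r["host"], r["req"])
```

Once normalised, the CaSa and API requests logged as 13:15:04 +0000 and 14:15:04 +0100 fall on the same UTC second, which is exactly the correlation that per-instance local timestamps without an offset would hide.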
    SV-99705r1_rule VROM-TC-000830 CCI-001813 MEDIUM tc Server UI application, libraries, and configuration files must only be accessible to privileged users. A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server inst
    SV-99707r1_rule VROM-TC-000835 CCI-001813 MEDIUM tc Server CaSa application, libraries, and configuration files must only be accessible to privileged users. A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server inst
    SV-99709r1_rule VROM-TC-000840 CCI-001813 MEDIUM tc Server API application, libraries, and configuration files must only be accessible to privileged users. A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server inst
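Several rules in this table are file-system checks on the tc Server instance directory rather than configuration settings: no symbolic links under the web content tree (VROM-TC-000415 through 000425), keystore and truststore reachable only by administrators (000465 and 000470), application, library and configuration files closed to anonymous users (000515 through 000525 and 000830 through 000840), and a document root on a partition separate from the server's own files (000605 through 000615). The Python below is an added example, not part of the STIG or of vROps; the instance layout it builds in a temporary directory is constructed, the webapps/ and conf/ names are assumptions rather than vROps paths, and because the sample tree is created by whoever runs the script, that uid stands in for the administrative account.

```python
"""File-system checks behind VROM-TC-000415..425 (symlinks in the content
tree), 000465/000470 (keystore and truststore access), 000515..525 and
000830..840 (application tree closed to anonymous/other users) and
000605..615 (document root on its own partition).
Added example; the instance layout is constructed and is not a vROps path."""
import os
import stat
import tempfile


def _rel(base, path):
    return os.path.relpath(path, base).replace(os.sep, "/")


def _walk(root):
    """Every path under root, without following symbolic links."""
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def find_symlinks(base, subdir="webapps"):
    """Any symlink in the content tree is a finding: it lets a request escape the tree."""
    root = os.path.join(base, subdir)
    return sorted(_rel(base, p) for p in _walk(root) if os.path.islink(p))


def world_accessible(base, subdir="webapps"):
    """Paths under the application tree with any 'other' bit set (read, write or traverse)."""
    root = os.path.join(base, subdir)
    hits = []
    for p in [root] + list(_walk(root)):
        mode = os.lstat(p).st_mode
        if not stat.S_ISLNK(mode) and mode & 0o007:
            hits.append(_rel(base, p))
    return sorted(hits)


def store_problems(path, admin_uids):
    """A keystore or truststore must be owned by an administrative account and
    carry no group/other permission bits at all."""
    st = os.stat(path)
    problems = []
    if st.st_uid not in admin_uids:
        problems.append("owned by uid %d, not an administrative account" % st.st_uid)
    if st.st_mode & 0o077:
        problems.append("mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    return problems


def same_partition(doc_root, system_dir):
    """True when both paths sit on one device, i.e. a separate-partition finding."""
    return os.stat(doc_root).st_dev == os.stat(system_dir).st_dev


def audit(base, admin_uids=(0,)):
    conf = os.path.join(base, "conf")
    return {
        "symlinks": find_symlinks(base),
        "world_accessible": world_accessible(base),
        "keystore": store_problems(os.path.join(conf, "keystore"), admin_uids),
        "truststore": store_problems(os.path.join(conf, "truststore"), admin_uids),
        "docroot_shares_partition": same_partition(os.path.join(base, "webapps"), conf),
    }


def build_sample_tree():
    """Constructed instance with deliberate defects; every path is created by
    the current user, so that uid stands in for the administrative account."""
    base = tempfile.mkdtemp(prefix="tcserver-audit-")

    def mkdir(rel, mode=0o750):
        p = os.path.join(base, rel)
        os.mkdir(p)
        os.chmod(p, mode)

    def touch(rel, mode):
        p = os.path.join(base, rel)
        with open(p, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(p, mode)

    for d in ("conf", "webapps", "webapps/ui", "webapps/ui/WEB-INF", "webapps/casa"):
        mkdir(d)
    touch("webapps/ui/index.html", 0o644)        # other-readable: finding
    touch("webapps/ui/WEB-INF/web.xml", 0o640)   # closed to other: fine
    os.symlink("/etc", os.path.join(base, "webapps/casa/etc-link"))  # symlink: finding
    touch("conf/keystore", 0o640)                # group-readable: finding
    touch("conf/truststore", 0o600)              # fine
    return base


def demo():
    """Build the sample tree and audit it, treating root and the current user as admins."""
    return audit(build_sample_tree(), admin_uids=(0, os.getuid()))
```

Because the sample tree lives entirely inside one temporary directory, the partition check reports a finding for it; on a real appliance the same comparison of st_dev between the document root and the server's conf/ directory is what distinguishes a separate mount from a subdirectory.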
    SV-99711r1_rule VROM-TC-000845 CCI-001762 MEDIUM tc Server UI must be configured with the appropriate ports. Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The web server must provide the capability to disable or de
    SV-99713r1_rule VROM-TC-000850 CCI-001762 MEDIUM tc Server CaSa must be configured with the appropriate ports. Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The web server must provide the capability to disable or de
    SV-99715r1_rule VROM-TC-000855 CCI-001762 MEDIUM tc Server API must be configured with the appropriate ports. Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The web server must provide the capability to disable or de
    SV-99717r1_rule VROM-TC-000860 CCI-002450 MEDIUM tc Server UI must use NSA Suite A cryptography when encrypting data that must be compartmentalized. Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for prot
    SV-99719r1_rule VROM-TC-000865 CCI-002450 MEDIUM tc Server CaSa must use NSA Suite A cryptography when encrypting data that must be compartmentalized. Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for pro
    SV-99721r1_rule VROM-TC-000870 CCI-002450 MEDIUM tc Server API must use NSA Suite A cryptography when encrypting data that must be compartmentalized. Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for pr
    SV-99723r1_rule VROM-TC-000885 CCI-002385 MEDIUM tc Server UI must disable the shutdown port. An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat derivative, tc Server uses a port (defaults to 8005) as a shu
    SV-99725r1_rule VROM-TC-000890 CCI-002385 MEDIUM tc Server CaSa must disable the shutdown port. An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat derivative, tc Server uses a port (defaults to 8005) as a shu
    SV-99727r1_rule VROM-TC-000895 CCI-002385 MEDIUM tc Server API must disable the shutdown port. An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat derivative, tc Server uses a port (defaults to 8005) as a shu
    SV-99729r1_rule VROM-TC-000905 CCI-002418 MEDIUM tc Server UI must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-99731r1_rule VROM-TC-000910 CCI-002418 MEDIUM tc Server CaSa must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-99733r1_rule VROM-TC-000915 CCI-002418 MEDIUM tc Server API must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-99735r1_rule VROM-TC-000920 CCI-002418 MEDIUM tc Server UI session IDs must be sent to the client using SSL/TLS. The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session c
    SV-99737r1_rule VROM-TC-000925 CCI-002418 MEDIUM tc Server CaSa session IDs must be sent to the client using SSL/TLS. The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session c
    SV-99739r1_rule VROM-TC-000930 CCI-002418 MEDIUM tc Server API session IDs must be sent to the client using SSL/TLS. The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session c
    SV-99741r1_rule VROM-TC-000940 CCI-002418 MEDIUM tc Server UI must set the useHttpOnly parameter. A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts th
    SV-99743r1_rule VROM-TC-000945 CCI-002418 MEDIUM tc Server CaSa must set the useHttpOnly parameter. A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts th
    SV-99745r1_rule VROM-TC-000950 CCI-002418 MEDIUM tc Server API must set the useHttpOnly parameter. A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts th
    SV-99747r1_rule VROM-TC-000955 CCI-002418 MEDIUM tc Server UI must set the secure flag for cookies. Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session
    SV-99749r1_rule VROM-TC-000960 CCI-002418 MEDIUM tc Server CaSa must set the secure flag for cookies. Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session
    SV-99751r1_rule VROM-TC-000965 CCI-002418 MEDIUM tc Server API must set the secure flag for cookies. Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session
    SV-99753r1_rule VROM-TC-000970 CCI-002418 HIGH tc Server UI must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version. Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
    SV-99755r1_rule VROM-TC-000975 CCI-002418 HIGH tc Server CaSa must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version. Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
    SV-99757r1_rule VROM-TC-000980 CCI-002418 HIGH tc Server API must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version. Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
    SV-99759r1_rule VROM-TC-000985 CCI-002418 MEDIUM tc Server UI must remove all export ciphers to protect the confidentiality and integrity of transmitted information. During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with the cipher suite it will use for communication from the c
    SV-99761r1_rule VROM-TC-000990 CCI-002418 MEDIUM tc Server CaSa must remove all export ciphers to protect the confidentiality and integrity of transmitted information. During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with the cipher suite it will use for communication from the c
    SV-99763r1_rule VROM-TC-000995 CCI-002418 MEDIUM tc Server API must remove all export ciphers to protect the confidentiality and integrity of transmitted information. During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with the cipher suite it will use for communication from the c
    SV-99765r1_rule VROM-TC-001005 CCI-002422 MEDIUM tc Server UI must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-99767r1_rule VROM-TC-001010 CCI-002422 MEDIUM tc Server CaSa must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-99769r1_rule VROM-TC-001015 CCI-002422 MEDIUM tc Server API must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-99771r1_rule VROM-TC-001020 CCI-002605 MEDIUM tc Server ALL must have all security-relevant software updates installed within the configured time period directed by an authoritative source. Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to
    SV-99773r1_rule VROM-TC-001030 CCI-000366 MEDIUM tc Server ALL must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. Configuring the web server to implement organization-wide security implementation guides and security checklists guarantees compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive secu
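The transport and cookie rules above (VROM-TC-000905 through -001015) all come down to a handful of attributes in three tc Server files: the HTTPS `Connector` in server.xml (`SSLEnabled`, `sslEnabledProtocols`, `ciphers`), `useHttpOnly` on `Context` in context.xml, and `cookie-config` in web.xml. The script below is an added example, not part of this STIG or of VMware's product: it parses those three documents offline and reports which rule each weakness maps to. The set of protocol versions treated as approved, the regular expression used to recognise export and other no-confidentiality cipher suites, and the per-instance file locations (which the reader must supply for the UI, CaSa and API instances) are all assumptions; the XML samples are constructed to show one instance before and after hardening.

```python
"""Offline audit of tc Server XML configuration against the TLS, session-cookie
and cipher rules listed above (VROM-TC-000905 through -001015).

Added example, not part of the STIG or of VMware's product. The server.xml,
context.xml and web.xml locations for each vROps tc Server instance are not
given here; the XML samples below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Assumption: protocol versions treated as approved for sslEnabledProtocols.
APPROVED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Export-grade suites (the rule's target) plus NULL/anonymous suites, which are
# in the same no-confidentiality class; flagging them is an extra check.
WEAK_CIPHER_RE = re.compile(r"EXPORT|EXP[-_]|NULL|anon|ADH|AECDH", re.I)


def _split(value):
    """Split a comma- or plus-separated attribute value into a set of tokens."""
    return {t.strip() for t in re.split(r"[,+]", value or "") if t.strip()}


def check_connectors(server_xml):
    """Findings for every <Connector> in a server.xml document."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        tag = "Connector port=%s" % conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(tag + ": plaintext HTTP connector (VROM-TC-000905/-000920)")
            continue
        protocols = conn.get("sslEnabledProtocols")
        ciphers = conn.get("ciphers")
        host_cfg = conn.find("SSLHostConfig")  # Tomcat 8.5+ nested form
        if host_cfg is not None:
            protocols = protocols or host_cfg.get("protocols")
            ciphers = ciphers or host_cfg.get("ciphers")
        bad = _split(protocols) - APPROVED_PROTOCOLS
        if not protocols:  # absent attribute means the JSSE default list applies
            findings.append(tag + ": sslEnabledProtocols not set (VROM-TC-000970)")
        elif bad:
            findings.append(tag + ": non-approved protocols %s (VROM-TC-000970)" % sorted(bad))
        weak = sorted(c for c in _split(ciphers) if WEAK_CIPHER_RE.search(c))
        if not ciphers:  # absent attribute means the JVM default suite list applies
            findings.append(tag + ": ciphers not set (VROM-TC-000985)")
        elif weak:
            findings.append(tag + ": export/weak ciphers %s (VROM-TC-000985)" % weak)
    return findings


def check_context(context_xml):
    """The rule requires useHttpOnly to be set explicitly on <Context>."""
    if ET.fromstring(context_xml).get("useHttpOnly", "").lower() != "true":
        return ['Context: useHttpOnly="true" not set (VROM-TC-000940)']
    return []


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the web-app XML namespace


def check_web_xml(web_xml):
    """Session cookie flags from <session-config>/<cookie-config>."""
    flags = {}
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "cookie-config":
            for child in el:
                flags[_local(child.tag)] = (child.text or "").strip().lower()
    findings = []
    if flags.get("secure") != "true":
        findings.append("web.xml: cookie-config/secure is not true (VROM-TC-000955)")
    if flags.get("http-only") != "true":  # servlet-level twin of useHttpOnly
        findings.append("web.xml: cookie-config/http-only is not true (VROM-TC-000940)")
    return findings


def audit(server_xml, context_xml, web_xml):
    return check_connectors(server_xml) + check_context(context_xml) + check_web_xml(web_xml)


# Constructed samples: one instance before and after hardening.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
      SSLEnabled="true" scheme="https" secure="true"
      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_EXPORT_WITH_RC4_40_MD5"/>
</Service></Server>"""
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
      SSLEnabled="true" scheme="https" secure="true"
      sslEnabledProtocols="TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
</Service></Server>"""
WEAK_CONTEXT_XML = '<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>'
HARDENED_CONTEXT_XML = '<Context useHttpOnly="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>'
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config><session-timeout>30</session-timeout></session-config></web-app>"""
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config><session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config></web-app>"""

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_SERVER_XML, WEAK_CONTEXT_XML, WEAK_WEB_XML)),
                        ("hardened", (HARDENED_SERVER_XML, HARDENED_CONTEXT_XML, HARDENED_WEB_XML))):
        print(label + ":", audit(*args) or ["no findings"])
```

To use it against a live instance, read the three files from that instance's conf directory and pass their contents to `audit()`; repeat for the UI, CaSa and API instances, since each has its own server.xml. An absent `sslEnabledProtocols` or `ciphers` attribute is reported as a finding on purpose: with no value set the JVM's default protocol and suite lists apply, which is exactly the state these rules exist to rule out.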