Web Policy STIG


Version / Release: V1R1

Published: 2011-10-03

Updated At: 2018-09-23 13:38:41


Vuln ID | Rule Version | Severity
(The CCI, Status, Finding Details, and Comments columns are blank for every entry and are omitted below.)

SV-28754r1_rule | WEBPL200 | MEDIUM
Title: The production web server staff will have a formal migration plan for removing or upgrading production web server software prior to the date the vendor drops security patch support.
Description: It is one of the primary duties of the Change Control Board (CCB) to have a complete and detailed inventory of hardware, software, and firmware, inclusive of version, license, and certificate information (such as expiration dates) in order to properly tra

SV-28757r1_rule | WEBPL170 | MEDIUM
Title: Incident Response procedures must exist for web servers and sites.
Description: It is a requirement that all DoD information sites have developed and implemented Incident Response (IR) policies and procedures. In the event that an unexpected occurrence disrupts the web server’s function, a mechanism will be in place to guide the SA

SV-28765r1_rule | WEBPL130 | MEDIUM
Title: Production web server scripts are tested before implementation.
Description: Interactive server-side scripts, sometimes referred to as CGI, are a powerful means for enhancing web site functionality. Scripts are often executable at the application layer and can interact with the operating system, frequently exercising control over

SV-28769r1_rule | WEBPL050 | LOW
Title: Trained staff are not available to respond to web server or web content problems.
Description: Many web sites are available 24 hours per day, 7 days a week, and the potential for problems relating to the web server operations are significant. Operating staff may discover a problem with the organization’s web server operation or web content. Point

SV-28770r1_rule | WEBPL032 | LOW
Title: All interactive CGI programs used on the production web server will be documented.
Description: Common Gateway Interface (CGI) is a standard protocol that defines how web server software can delegate the generation of web pages to an external application or the web browser. These web server-based applications, known as CGI scripts, are not to be con

SV-28771r1_rule | WEBPL025 | MEDIUM
Title: The sensitivity level of all data for publication on a production web site is known and documented.
Description: It is important to be aware of the data sensitivity level and security category of information being published on a web site so that appropriate safeguards may be applied. Such safeguards may include the physical separation of information published on ser

SV-28772r1_rule | WEBPL131 | LOW
Title: Configuration management policies are available to the SA and the web administrator.
Description: A Configuration Management Policy and its associated procedures help to ensure the effective implementation of security controls requisite to the organizational goals of integrity, availability, and confidentiality by governing the change process, which i

SV-28774r1_rule | WEBPL132 | LOW
Title: A current baseline configuration for the web server is maintained at all times.
Description: The Web Server STIG and the OS STIG can provide guidance with respect to the creation of a baseline configuration for web servers. However, changes to the server configuration over time will occur due to either threat mitigation or the customization of se

SV-28775r1_rule | WEBPL133 | MEDIUM
Title: Change on a production web site is controlled.
Description: One of the greatest potential threats to a production web server comes from the allowance of inappropriately controlled software change. All change and modification to production web sites must be controlled with respect to organizational policy or to a

SV-28786r1_rule | WEBPL134 | MEDIUM
Title: Documented procedures and processes exist to recover the production web server and its associated web sites and are included as a part of the COOP.
Description: In the event that a production web site or server needs to be recovered, a current and complete process exists to recover the web server and its associated web sites. Formed as an integral part of the risk management framework and a requirement within t

SV-28787r1_rule | WEBPL135 | LOW
Title: The SA and the web administrator are aware of mobile code technology deployed on servers under their administration.
Description: Mobile code technologies represent a major threat vector with respect to the protection of DoD assets. Because this technology is continually evolving, guidance offered by DoD and NIST is also continually evolving. It is important to note with respect to

SV-28788r1_rule | WEBPL138 | MEDIUM
Title: A process must exist to ensure changes to a production web server’s software or a production web server’s configurable settings are tested and documented before being implemented.
Description: This requirement only addresses the physical web server software (e.g., IIS, Apache, etc.) and web server software configuration changes. It is not related to web site application code, web content, or changes to the OS that are governed by other vulnerab

SV-28790r1_rule | WEBPL110 | LOW
Title: Web server access logs are generated and retained according to DoDI 8500.2 requirements.
Description: Audit trails (logs) are required, as a minimum, to determine accountability according to DoDI 8500.2. They also provide the accountability functionality of a C2-level trusted requirement. Auditing (logging) provides an investigative tool to detect misuse

SV-28795r1_rule | WEBPL030 | MEDIUM
Title: Information on public web servers is reviewed before publication and periodically reviewed after publication.
Description: The publishing of un-reviewed and unapproved content on a public web server may pose a serious threat to the safety of the warfighter and national security. Security is everyone’s responsibility and, although the originating organization posting the inf