Review the web server documentation and configuration to determine if the number of simultaneous sessions is limited. If the parameter is not configured or is unlimited, this is a finding.
Configure the web server to limit the number of concurrent sessions.
Review the web server documentation and configuration to determine if server-side session management is configured. If it is not configured, this is a finding.
Configure the web server to perform server-side session management.
Review the web server documentation and configuration to determine the communication methods that are being used. Verify the encryption being used is in accordance with the categorization of data being hosted when remote connections are provided. If it is not, then this is a finding.
Configure the web server to use encryption strength equal to the categorization of data hosted when remote connections are provided.
Review the web server documentation and configuration to make certain that the web server is configured to use cryptography to protect the integrity of remote access sessions. If the web server is not configured to use cryptography to protect the integrity of remote access sessions, this is a finding.
Configure the web server to utilize encryption during remote access sessions.
Review the web server documentation and configuration to determine if the web server is configured to generate information for external applications monitoring remote access. If a mechanism is not in place providing information to an external application used to monitor and control access, this is a finding.
Configure the web server to provide remote connection information to external monitoring and access control applications.
The web server must be configured to perform an authorization check to verify that the authenticated entity should be granted access to the requested content. If the web server does not verify that the authenticated entity is authorized to access the requested content prior to granting access, this is a finding.
Configure the web server to validate the authenticated entity's authorization to access requested content prior to granting access.
Review the web server documentation and the deployed system configuration to determine if, at a minimum, system startup and shutdown, system access, and system authentication events are logged. If the logs do not include the minimum loggable events, this is a finding.
Configure the web server to generate log records for system startup and shutdown, system access, and system authentication events.
Review the web server documentation and deployed configuration to determine if the web server captures log data as soon as the web server is started. If the web server does not capture loggable events upon startup, this is a finding.
Configure the web server to capture loggable events upon startup.
Review the web server documentation and deployed configuration to determine if the web server contains sufficient information to establish what type of event occurred. Request a user access the hosted applications, and verify sufficient information is recorded. If sufficient information is not logged, this is a finding.
Configure the web server to record sufficient information to establish what type of events occurred.
Review the web server documentation and deployment configuration to determine if the web server is configured to generate a date and time for each logged event. Request a user access the hosted application and generate loggable events, and then review the logs to determine if the date and time are included in the log event data. If the date and time are not included, this is a finding.
Configure the web server to log date and time with the event.
Review the web server documentation and deployment configuration to determine if the web server is configured to generate sufficient information to resolve in which process within the web server the log event occurred. Request a user access the hosted application and generate loggable events, and then review the logs to determine if the process of the event within the web server can be established. If it cannot be determined where the event occurred, this is a finding.
Configure the web server to generate enough information to determine in what process within the web server the log event occurred.
Review the web server documentation and deployment configuration to determine if the web server is configured to generate sufficient information to resolve the source, e.g., source IP, of the log event. Request a user access the hosted application and generate loggable events, and then review the logs to determine if the source of the event can be established. If the source of the event cannot be determined, this is a finding.
Configure the web server to generate the source of each loggable event.
Review the deployment configuration to determine if the web server is sitting behind a proxy server. If the web server is not sitting behind a proxy server, this finding is NA. If the web server is behind a proxy server, review the documentation and deployment configuration to determine if the web server is configured to generate sufficient information to resolve the source, e.g., source IP, of the logged event and not the proxy server. Request a user access the hosted application through the proxy server and generate loggable events, and then review the logs to determine if the source of the event can be established. If the source of the event cannot be determined, this is a finding.
Configure the web server to generate the client source, not the load balancer or proxy server, of each loggable event.
Review the web server documentation and deployment configuration to determine if the web server is configured to generate the outcome (success or failure) of the event. Request a user access the hosted application and generate loggable events, and then review the logs to determine if the outcome of the event can be established. If the outcome of the event cannot be determined, this is a finding.
Configure the web server to generate the outcome, success or failure, as part of each loggable event.
Review the web server documentation and deployment configuration to determine if the web server can generate log data containing the user/subject identity. Request a user access the hosted application and generate loggable events, and verify the events contain the user/subject or process identity. If the identity is not part of the log record, this is a finding.
Configure the web server to include the user/subject identity or process as part of each log record.
Review the web server documentation and deployment configuration settings to determine if the web server logging system provides an alert to the ISSO and the SA at a minimum when a processing failure occurs. If alerts are not sent or the web server is not configured to use a dedicated logging tool that meets this requirement, this is a finding.
Configure the web server to provide an alert to the ISSO and SA when log processing failures occur. If the web server cannot generate alerts, utilize an external logging system that meets this criterion.
Review the web server documentation and deployment configuration to determine if the internal system clock is used for date and time stamps. If this is not feasible, an alternative workaround is to take an action that generates an entry in the log and then immediately query the operating system for the current time. A reasonable match between the two times will suffice as evidence that the system is using the internal clock for date and time stamps. If the web server does not use the internal system clock to generate time stamps, this is a finding.
Configure the web server to use internal system clocks to generate date and time stamps for log records.
Review the web server documentation and deployed configuration settings to determine if the web server logging features protect log information from unauthorized access. Review file system settings to verify the log files have secure file permissions. If the web server log files are not protected from unauthorized access, this is a finding.
Configure the web server log files so unauthorized access of log information is not possible.
Review the web server documentation and deployed configuration settings to determine if the web server logging features protect log information from unauthorized modification. Review file system settings to verify the log files have secure file permissions. If the web server log files are not protected from unauthorized modification, this is a finding.
Configure the web server log files so unauthorized modification of log information is not possible.
Review the web server documentation and deployed configuration settings to determine if the web server logging features protect log information from unauthorized deletion. Review file system settings to verify the log files have secure file permissions. If the web server log files are not protected from unauthorized deletion, this is a finding.
Configure the web server log files so unauthorized deletion of log information is not possible.
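The three log-protection checks above (access, modification, deletion) all come down to file system permissions, and deletion in particular depends on the containing directory rather than the file. The script below is an added example, not part of the SRG or any product's tooling; it builds a constructed log directory with one compliant and one weak file and reports which of the three protections each violates. It assumes a POSIX file system (mode bits and uid ownership).

```python
"""Check a web server log directory for permissions that would allow
unauthorized access, modification, or deletion of log files.
Added example with a constructed temporary log directory; not STIG text."""
import os
import stat
import tempfile


def log_permission_findings(log_dir, expected_uid=None):
    """Return a list of findings for log files in log_dir (empty means compliant).

    access:       a file readable by 'other'
    modification: a file writable by group or other
    deletion:     a directory writable by group or other without the sticky bit,
                  because unlink is governed by the directory, not the file
    ownership:    a file not owned by expected_uid (the web server's log owner)
    """
    findings = []
    dir_mode = os.stat(log_dir).st_mode
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH) and not dir_mode & stat.S_ISVTX:
        findings.append(f"{log_dir}: directory writable by group/other; logs can be deleted")
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        if st.st_mode & stat.S_IROTH:
            findings.append(f"{path}: world-readable (unauthorized access)")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: writable by group/other (unauthorized modification)")
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def demo():
    """Constructed log directory: access.log is 0640, error.log is 0666."""
    with tempfile.TemporaryDirectory() as log_dir:
        os.chmod(log_dir, 0o750)  # group may list, nobody but the owner may delete
        good = os.path.join(log_dir, "access.log")
        bad = os.path.join(log_dir, "error.log")
        for path in (good, bad):
            with open(path, "w") as fh:
                fh.write("constructed sample log line\n")
        os.chmod(good, 0o640)
        os.chmod(bad, 0o666)
        return log_permission_findings(log_dir, expected_uid=os.getuid())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real log directory, the same function takes the web server's log path and the uid the server writes logs as; a clean run returns an empty list.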
Review the web server documentation and deployed configuration to determine if the web server log records are backed up onto a system or media other than the system being logged. If the web server logs are not backed up onto a different system or media than the system being logged, this is a finding.
Configure the web server logs to be backed up onto a different system or media than the system being logged.
Review the web server documentation and deployment configuration to determine if the web server validates files before the files are implemented into the running configuration. If the web server does not meet this requirement and an external facility is not available for use, this is a finding.
Configure the web server to verify object integrity before becoming part of the production web server or utilize an external tool designed to meet this requirement.
Review the web server documentation and configuration to determine if web server modules are fully tested before implementation in the production environment. Review the web server for modules identified as test, debug, or backup that cannot be reached through the hosted application. Review the web server to see if the web server or an external utility is in use to enforce the signing of modules before they are put into a production environment. If development and testing are taking place on the production web server or modules are put into production without being signed, this is a finding.
Configure the web server to enforce, internally or through an external utility, the review, testing, and signing of modules before implementation into the production environment.
Review the web server documentation and configuration to determine if the web server is being used as a user management application. If the web server is being used to perform user management for the hosted applications, this is a finding.
Configure the web server to disable user management functionality.
Review the web server documentation and deployed configuration to determine if web server features, services, and processes are installed that are not needed for hosted application deployment. If excessive features, services, and processes are installed, this is a finding.
Uninstall or deactivate features, services, and processes not needed by the web server for operation.
Review the web server documentation and deployed configuration to determine if the web server is also a proxy server. If the web server is also acting as a proxy server, this is a finding.
Uninstall any proxy services, modules, and libraries that are used by the web server to act as a proxy server. Verify all configuration changes are made to assure the web server is no longer acting as a proxy server in any manner.
Review the web server documentation and deployment configuration to determine if the web server contains documentation, sample code, example applications, or tutorials. Verify the web server install process also offers an option to exclude these elements from installation and provides an uninstall option for their removal. If web server documentation, sample code, example applications, or tutorials are installed or the web server install process does not offer an option to exclude these elements from installation, this is a finding.
Use the web server uninstall facility or manually remove any documentation, sample code, example applications, and tutorials.
Review the web server documentation to determine the user accounts created when particular features are installed. Verify the deployed configuration to determine which features are installed with the web server. If any accounts exist that are not used by the installed features, this is a finding.
Use the web server uninstall facility or manually remove the user accounts not used by the installed web server features.
Review the web server documentation and deployment configuration to determine which web server utilities, services, and modules are installed. Verify these options are essential to the operation of the web server. Also, confirm the web server install process offers an option to exclude from installation those utilities, services, and modules that are not needed for operation, and that there is an uninstall option for their removal. If there are more utilities, services, or modules installed than are needed for the operation of the web server or the web server does not provide an install facility to customize installation, this is a finding.
Use the web server uninstall facility or manually remove any utility programs, services, or modules not needed by the web server for operation.
Review the web server documentation and deployment configuration to determine if the OS shell is accessible by any MIME types that are enabled. If a user of the web server can invoke OS shell programs, this is a finding.
Configure the web server to disable all MIME types that invoke OS shell programs.
Review the web server documentation and deployment configuration to determine what script mappings are available. Review the scripts used by the web server and the hosted applications. If there are script mappings in use that are not used by the web server or hosted applications for operation, this is a finding.
Remove script mappings that are not needed for web server and hosted application operation.
Review the web server documentation and deployment configuration to determine what types of files are being used for the hosted applications. If the web server is configured to allow other file types not associated with the hosted application, especially those associated with logs, configuration files, passwords, etc., this is a finding.
Configure the web server to only serve file types to the user that are needed by the hosted applications. All other file types must be disabled.
Review the web server documentation and deployment configuration to determine if Web Distributed Authoring and Versioning (WebDAV) is enabled. If WebDAV is enabled, this is a finding.
Configure the web server to disable Web Distributed Authoring and Versioning (WebDAV).
Review the web server documentation and configuration to determine the access to server resources given to hosted applications. If hosted applications have access to more system resources than needed for operation, this is a finding.
Configure the privileges given to hosted applications to the minimum required for application operation.
Review the web server documentation and configuration to determine where the document root or home directory for each application hosted by the web server is located. Verify that users of the web server applications, and any scripts running on the user's behalf, are contained to each application's domain. If users of the web server applications, and any scripts running on the user's behalf, are not contained, this is a finding.
Configure the web server to contain users and scripts to each hosted application's domain.
Review the web server documentation and deployment configuration to determine whether the web server is configured to listen on a specified IP address and port. Request a client user try to access the web server on any other available IP addresses on the hosting hardware. If an IP address is not configured on the web server or a client can reach the web server on other IP addresses assigned to the hosting hardware, this is a finding.
Configure the web server to only listen on a specified IP address and port.
Review the web server documentation and deployed configuration to determine whether passwords are being passed to or from the web server. If the transmission of passwords is not encrypted, this is a finding.
Configure the web server to encrypt the transmission of passwords.
Review the web server documentation and deployed configuration to determine whether the web server provides PKI functionality that validates certification paths in accordance with RFC 5280. If PKI is not being used, this is NA. If the web server is using PKI, but it does not perform this requirement, this is a finding.
Configure the web server to validate certificates in accordance with RFC 5280.
If the web server does not have a private key, this is NA. Review the web server documentation and deployed configuration to determine whether only authenticated system administrators and the designated PKI Sponsor for the web server can access the web server private key. If the private key is accessible by unauthenticated or unauthorized users, this is a finding.
Configure the web server to ensure only authenticated and authorized users can access the web server's private key.
Review web server documentation and deployed configuration to determine whether the encryption modules utilized for storage of data are FIPS 140-2 compliant. Reference the following NIST site to identify validated encryption modules (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm). If the encryption modules used for storage of data are not FIPS 140-2 validated, this is a finding.
Configure the web server to utilize FIPS 140-2 approved encryption modules when the web server is storing data.
Review web server documentation and deployed configuration to determine whether the encryption modules utilized for authentication are FIPS 140-2 compliant. Reference the following NIST site to identify validated encryption modules (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm). If the encryption modules used for authentication are not FIPS 140-2 validated, this is a finding.
Configure the web server to utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
Review the web server documentation and deployed configuration to determine whether mobile code used by hosted applications follows the DoD policies on the acquisition, development, and/or use of mobile code. If the web server is not configured to follow the DoD policies on mobile code, this is a finding.
Configure the web server to follow the DoD policies on mobile code.
Review the web server documentation and configuration to determine what web server accounts are available on the hosting server. If non-privileged web server accounts are available with access to functions, directories, or files not needed for the role of the account, this is a finding.
Limit the functions, directories, and files accessible to each account and role to those the role requires, reserve administrative functions for administrative accounts, and remove or modify non-privileged account access.
Review the web server documentation and configuration to determine if anonymous users can make changes to the web server or any applications hosted by the web server. If anonymous users can make changes, this is a finding.
Configure the web server to not allow anonymous users to change the web server or any hosted applications.
Review the web server documentation and deployed configuration to determine whether hosted application functionality is separated from web server management functions. If the functions are not separated, this is a finding.
Configure the web server to separate the hosted applications from web server management functionality.
Review the web server documentation and deployed configuration to verify that the web server is configured to invalidate session identifiers when a session is terminated. If the web server does not invalidate session identifiers when a session is terminated, this is a finding.
Configure the web server to invalidate session identifiers when a session is terminated.
Review the web server documentation and configuration to determine if cookies between the web server and client are accessible by applications or web servers other than the originating pair. If the cookie information is accessible outside the originating pair, this is a finding.
Configure the web server to set properties within cookies to disallow the cookie to be accessed by other web servers and applications.
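The cookie properties the fix above refers to are the Set-Cookie attributes: Domain and Path decide which hosts and applications receive the cookie, Secure and HttpOnly decide whether it is exposed on the wire or to page scripts, and SameSite decides whether it accompanies cross-site requests. The checker below is an added example, not SRG text or a product feature; the host name, application path, and header values are constructed. It uses Python's standard http.cookies parser (SameSite support requires Python 3.8 or later).

```python
"""Check Set-Cookie headers for attributes that keep a cookie confined to the
web server and hosted application that issued it.
Added example with constructed headers; not STIG text."""
from http.cookies import SimpleCookie


def cookie_findings(set_cookie_header, server_host, app_path="/"):
    """Return findings for one Set-Cookie header value (empty means compliant).

    server_host: the host that issued the cookie, e.g. www.example.mil
    app_path:    the URL prefix of the hosted application the cookie belongs to
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    findings = []
    for name, m in jar.items():
        if not m["secure"]:
            findings.append(f"{name}: missing Secure (sent over cleartext connections)")
        if not m["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by page scripts)")
        if not m["samesite"]:
            findings.append(f"{name}: missing SameSite (sent on cross-site requests)")
        # A Domain attribute other than the issuing host shares the cookie with
        # every host under that domain; omitting Domain keeps it host-only.
        domain = m["domain"].lstrip(".").lower()
        if domain and domain != server_host.lower():
            findings.append(f"{name}: Domain={m['domain']} shares the cookie with other hosts")
        # A Path above the application's own prefix shares the cookie with other
        # applications on the same host.
        path = m["path"] or "/"
        base = app_path.rstrip("/")
        if base and path != app_path and not path.startswith(base + "/"):
            findings.append(f"{name}: Path={path} shares the cookie with other applications")
    return findings


# Constructed sample headers for a session cookie issued by www.example.mil/portal
WEAK_HEADER = "SESSIONID=abc123; Domain=.example.mil; Path=/"
STRONG_HEADER = "SESSIONID=abc123; Secure; HttpOnly; SameSite=Strict; Path=/portal"

if __name__ == "__main__":
    for header in (WEAK_HEADER, STRONG_HEADER):
        print(header)
        for finding in cookie_findings(header, "www.example.mil", "/portal") or ["  ok"]:
            print("  ", finding)
```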
Review the web server documentation and deployed configuration to determine whether the web server accepts session IDs that are not system-generated. If the web server does accept non-system-generated session IDs, this is a finding.
Configure the web server to only accept session IDs that are created by the web server.
Review the web server documentation and deployed configuration to verify that the web server is configured to generate unique session identifiers with a FIPS 140-2 approved random number generator. Request two users access the web server and view the session identifier generated for each user to verify that the session IDs are not sequential. If the web server is not configured to generate unique session identifiers or the random number generator is not FIPS 140-2 approved, this is a finding.
Configure the web server to generate unique session identifiers using a FIPS 140-2 random number generator.
Review the web server documentation and deployed configuration to verify that random and unique session identifiers are generated. Access the web server ID generator function and generate two IDs using the same input. If the web server is not configured to generate random and unique session identifiers, or the ID generator generates the same ID for the same input, this is a finding.
Configure the web server to generate random and unique session identifiers that cannot be reliably reproduced.
Review the web server documentation and deployed configuration to see how long the generated session identifiers are. If the web server is not configured to generate session identifiers that are at least 128 bits (16 bytes) in length, this is a finding.
Configure the web server to generate session identifiers that are at least 128 bits in length.
Review the web server documentation and deployed configuration to determine what characters are used in generating session IDs. If the web server is not configured to use at least A-Z, a-z, and 0-9 to generate session identifiers, this is a finding.
Configure the web server to use at least A-Z, a-z, and 0-9 to generate session IDs.
Review the web server documentation and deployed configuration to verify that the web server is generating random session IDs with entropy equal to at least half the session ID length. If the web server is not configured to generate random session IDs with the proper amount of entropy, this is a finding.
Configure the web server to generate random session IDs with minimum entropy equal to half the session ID length.
Review the web server documentation and deployed configuration to determine if the web server offers the capability to reinstall from a known state. If the web server does not offer this capability, determine if the web server, in any manner, prohibits the reinstallation of a known state. If the web server does prohibit the reinstallation to a known state, this is a finding.
Configure the web server to augment and not hinder the reinstallation of a known and stable baseline.
Review the web server documentation, deployed configuration, and risk analysis documentation to determine whether the web server will fail to known states for system initialization, shutdown, or abort failures. If the web server will not fail to a known state, this is a finding.
Configure the web server to fail to the known states identified in the risk analysis for system initialization, shutdown, or abort failures.
Review the web server documentation, deployed configuration, and risk analysis documentation to verify that the web server is configured to provide clustering functionality, if the web server is a high-availability web server. If the web server is not a high-availability web server, this finding is NA. If the web server is not configured to provide clustering or some form of failover functionality and the web server is a high-availability server, this is a finding.
Configure the web server to provide application failover, or participate in a web cluster that provides failover for high-availability web servers.
Review the web server documentation and deployed configuration to locate where potential data at rest is stored. Verify that the data is encrypted using a DoD-accepted algorithm to protect the confidentiality and integrity of the information. If the data is not encrypted using a DoD-accepted algorithm, this is a finding.
Use a DoD-accepted algorithm to encrypt data at rest to protect the information's confidentiality and integrity.
Review the web server documentation and deployed configuration to determine where the document directory is located for each hosted application. If the document directory is not in a separate partition from the web server's system files, this is a finding.
Configure the web server to place the document directories in a separate partition from the web server system files.
Review the web server documentation and deployed configuration to determine whether the web server has been configured to limit the ability of the web server to be used in a DoS attack. If not, this is a finding.
Configure the web server to limit the ability of users to use the web server in a DoS attack.
Review the web server documentation and deployed configuration to determine what character set is accepted for data entry. If the web server does not limit the character set used for data entry, this is a finding.
Configure the web server to only accept the character sets expected by the hosted applications.
Review the web server documentation and deployed configuration to locate all the web document directories. Verify that each web document directory contains a default hosted application web page that can be used by the web server in the event a web page cannot be found. If a document directory does not contain a default web page, this is a finding.
Place a default web page in every web document directory.
Review the web server documentation and deployed configuration to determine whether the web server offers modes of operation that minimize the information about the identity of the web server, patches, loaded modules, and directory paths given to clients on error conditions. If the web server is not configured to minimize the information given to clients, this is a finding.
Configure the web server to minimize the information provided to the client in warning and error messages.
Review the web server documentation and deployed configuration to determine if debugging and trace information are enabled. If the web server is configured with debugging and trace information enabled, this is a finding.
Configure the web server to minimize the information given to clients on error conditions by disabling debugging and trace information.
Verify that the web server is configured to close sessions after eight hours or less. If the web server is not configured to close sessions after eight hours or less, this is a finding.
Configure the web server to close sessions after eight hours or less.
Review the hosted applications, web server documentation, and deployed configuration to verify that the web server will close an open session after a configurable time of inactivity. If the web server does not close sessions after a configurable time of inactivity or the amount of time is configured higher than 5 minutes for high-risk applications, 10 minutes for medium-risk applications, or 20 minutes for low-risk applications, this is a finding.
Configure the web server to close inactive sessions after 5 minutes for high-risk applications, 10 minutes for medium-risk applications, or 20 minutes for low-risk applications.
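The two requirements above combine into two timers per session: an absolute limit of eight hours from creation, and an inactivity limit of 5, 10 or 20 minutes chosen by the hosted application's risk level. The code below is an added example, not SRG text or any server's session manager; the risk labels "high", "medium" and "low" are assumed names. It shows the ordering that matters in practice: the absolute limit is checked first, so steady activity cannot keep a session alive past eight hours. It also includes a check that compares a server's configured timeouts with these limits.

```python
"""Session lifetime rules from this page: absolute limit of 8 hours and an
inactivity limit by application risk level. Added example; not STIG text."""
from datetime import datetime, timedelta, timezone

ABSOLUTE_LIMIT = timedelta(hours=8)
IDLE_LIMITS = {                      # risk level -> maximum inactivity
    "high": timedelta(minutes=5),
    "medium": timedelta(minutes=10),
    "low": timedelta(minutes=20),
}


def idle_limit(risk):
    if risk not in IDLE_LIMITS:
        raise ValueError(f"unknown risk level {risk!r}; expected one of {sorted(IDLE_LIMITS)}")
    return IDLE_LIMITS[risk]


def session_status(created_at, last_activity, now, risk):
    """Return 'active', 'expired-idle' or 'expired-absolute'.

    The absolute limit is evaluated before the idle limit so that a session
    kept busy by a client still ends eight hours after it was created.
    """
    if now - created_at >= ABSOLUTE_LIMIT:
        return "expired-absolute"
    if now - last_activity >= idle_limit(risk):
        return "expired-idle"
    return "active"


def timeout_config_findings(idle_timeout, absolute_timeout, risk):
    """Compare configured timeouts (timedelta, or None when unset/unlimited)
    with the limits for the application's risk level."""
    findings = []
    if absolute_timeout is None or absolute_timeout > ABSOLUTE_LIMIT:
        findings.append(f"absolute session limit {absolute_timeout} is unset or exceeds 8 hours")
    if idle_timeout is None or idle_timeout > idle_limit(risk):
        findings.append(f"inactivity timeout {idle_timeout} is unset or exceeds "
                        f"{idle_limit(risk)} for {risk}-risk applications")
    return findings


def demo():
    """Constructed timeline: session created 09:00 UTC on 2024-01-01."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    return {
        "active": session_status(t0, t0 + timedelta(minutes=4), t0 + timedelta(minutes=8), "high"),
        "idle_high": session_status(t0, t0, t0 + timedelta(minutes=6), "high"),
        "idle_medium": session_status(t0, t0, t0 + timedelta(minutes=6), "medium"),
        "absolute": session_status(t0, t0 + timedelta(hours=7, minutes=59),
                                   t0 + timedelta(hours=8), "low"),
        "config": timeout_config_findings(timedelta(minutes=15), timedelta(hours=9), "medium"),
        "config_ok": timeout_config_findings(timedelta(minutes=10), timedelta(hours=8), "medium"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```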
Review the web server product documentation and deployed configuration to determine if the server or an enterprise tool is enforcing the organization's requirements for remote connections. If the web server is not configured to enforce these requirements and an enterprise tool is not in place, this is a finding.
Configure the web server to enforce the remote access policy or to work with an enterprise tool designed to enforce the policy.
Review the web server configuration to verify that the web server is restricting access from nonsecure zones. If the web server is not configured to restrict access from nonsecure zones, then this is a finding.
Configure the web server to block access from DoD-defined nonsecure zones.
Review the web server documentation and configuration to make certain that the web server is configured to allow for the immediate disconnection or disabling of remote access to hosted applications when necessary. If the web server is not capable of or cannot be configured to disconnect or disable remote access to the hosted applications when necessary, this is a finding.
Configure the web server to provide the capability to immediately disconnect or disable remote access to the hosted applications.
Review the web server documentation and configuration to determine if accounts used for administrative duties of the web server are separated from non-privileged accounts. If non-privileged accounts can access web server security-relevant information, this is a finding.
Set up accounts and roles that can be used to perform web server security-relevant tasks and remove or modify non-privileged account access to security-relevant tasks.
Review the web server documentation and configuration to determine if the web server is part of a cluster. If the web server is not part of a cluster, then this is NA. If the web server is part of a cluster and is not centrally managed, then this is a finding.
Configure the web server to be centrally managed.
Review the web server documentation and deployment configuration to determine if the web server is using a logging mechanism to store log records. If a logging mechanism is in use, validate that the mechanism is configured to use record storage capacity in accordance with specifications within NIST SP 800-92 for log record storage requirements. If the web server is not using a logging mechanism, or if the mechanism has not been configured to allocate log record storage capacity in accordance with NIST SP 800-92, this is a finding.
Configure the web server to use a logging mechanism that is configured to allocate log record storage capacity in accordance with NIST SP 800-92 log record storage requirements.
Review the web server documentation and deployment configuration to determine if the web server can write log data to, or if log data can be transferred to, a separate audit server. Request a user access the hosted application and generate loggable events, and verify the data is written to a separate audit server. If logs cannot be directly written or transferred on request or on a periodic schedule to an audit log server, this is a finding.
Configure the web server to directly write or transfer the logs to a remote audit log server.
Review the web server documentation and deployed configuration to determine whether the web server is logging security-relevant events. Determine whether there is a security tool in place that provides review and alert capabilities and whether the web server is sending events to that tool. If the web server is not sending its security-relevant events to such a tool, this is a finding.
Configure the web server to send logged events to the organization's security infrastructure tool that offers review and alert capabilities.
Review the web server documentation and deployment configuration settings to determine if the web server log system provides a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum record storage capacity. If designated alerts are not sent or the web server is not configured to use a dedicated log tool that meets this requirement, this is a finding.
Configure the web server to provide a warning to the ISSO and SA when allocated log record storage volume reaches 75% of maximum record storage capacity.
Review the web server documentation and configuration to determine the time stamp format for log data. If the time stamp is not mapped to UTC or GMT time, this is a finding.
Configure the web server to store log data time stamps in a format that is mapped to UTC or GMT time.
Review the web server documentation and configuration to determine if log records are time stamped to a minimum granularity of one second. Have a user generate a loggable event and review the log data to determine if the web server is configured correctly. If the log data does not contain a time stamp to a minimum granularity of one second, this is a finding.
Configure the web server to record log events with a time stamp to a granularity of one second.
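A checker for the two time stamp requirements above (UTC and one-second granularity), added here as an example and not part of the SRG. It parses the time field of common log format lines, which is the format it assumes; the sample lines are constructed, not taken from any server:

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in common log format (not from any real server). The time
# field is "[day/Mon/year:HH:MM:SS zone]": line 1 is compliant, line 2 carries a
# local-time offset, line 3 has only minute granularity.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Mar/2024:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.11 - - [07/Mar/2024:09:02:12 -0500] "POST /login HTTP/1.1" 302 0
192.0.2.12 - - [07/Mar/2024:14:02 +0000] "GET /health HTTP/1.1" 200 2
"""

TIME_FIELD = re.compile(r"\[(?P<ts>[^\]]+)\]")
LOG_TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def check_timestamp(stamp):
    """Problems with one log time stamp; empty when it parses with seconds present
    and carries a zero UTC offset (i.e. it is expressed in UTC/GMT)."""
    try:
        parsed = datetime.strptime(stamp, LOG_TIME_FORMAT)
    except ValueError:
        return ["no second-granularity time stamp"]
    if parsed.utcoffset() != timedelta(0):
        return ["time stamp not in UTC (offset %s)" % parsed.strftime("%z")]
    return []


def audit_log(text):
    """Map 1-based line numbers of non-compliant records to their problems."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = TIME_FIELD.search(line)
        if match is None:
            findings[lineno] = ["no time stamp field"]
            continue
        problems = check_timestamp(match.group("ts"))
        if problems:
            findings[lineno] = problems
    return findings


def to_utc(stamp):
    """Rewrite a second-granularity stamp with any offset as the same instant in UTC,
    the form the server should have produced in the first place."""
    parsed = datetime.strptime(stamp, LOG_TIME_FORMAT)
    return parsed.astimezone(timezone.utc).strftime("%d/%b/%Y:%H:%M:%S +0000")
```

check_timestamp and audit_log implement the check; to_utc shows the form a compliant record carries. On Apache httpd and NGINX the default access-log time field follows the server process's time zone, so running the service with TZ=UTC is the usual way to satisfy the fix; a stamp with sub-second precision also satisfies the one-second minimum, but this checker would need its format string extended to accept it.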
Review the web server documentation and configuration to determine if the web server provides unique account roles specifically for the purposes of segmenting the responsibilities for managing the web server. Log into the hosting server using a web server role with limited permissions (e.g., Auditor, Developer, etc.) and verify the account is not able to perform configuration changes that are not related to that role. If roles are not defined with limited permissions and restrictions, this is a finding.
Define roles and responsibilities to be used when managing the web server. Configure the hosting system to utilize specific roles that restrict access related to web server system and configuration changes.
Review the web server documentation and deployment configuration to determine which ports and protocols are enabled. Verify that the ports and protocols being used are permitted, necessary for the operation of the web server and the hosted applications and are secure for a production system. If any of the ports or protocols are not permitted, are nonsecure or are not necessary for web server operation, this is a finding.
Configure the web server to disable any ports or protocols that are not permitted, are nonsecure for a production web server or are not necessary for web server operation.
If the web server does not provide PKI-based user authentication intermediary services, this is not applicable. Verify the web server only allows the use of DOD PKI-established CA for verification when establishing sessions. Verify both user and machine certificates are being validated when establishing sessions. If the web server does not validate user and machine certificates using DOD PKI-established CAs, this is a finding.
Configure the web server to only allow the use of DOD PKI-established CAs for the session establishment. Configure validation for both the user and machine certificates.
Review the web server documentation and deployed configuration to determine whether the web server is authorizing and managing users. If the web server is not authorizing and managing users, this is NA. If the web server is the user authenticator and manager, verify that stored user identifiers and passwords are being encrypted by the web server. If the user information is not being encrypted when stored, this is a finding.
Configure the web server to encrypt the user identifiers and passwords when storing them on digital media.
Review the web server documentation and deployed configuration to determine where the process ID is stored and which utilities are used to start/stop the web server. Determine whether the process ID and the utilities are protected from non-privileged users. If they are not protected, this is a finding.
Remove or modify non-privileged account access to the web server process ID and the utilities used for starting/stopping the web server.
Review the web server documentation and deployed configuration to determine what parameters are set to tune the web server. Review the hosted applications along with risk analysis documents to determine the expected user traffic. If the web server has not been tuned to avoid a DoS, this is a finding.
Analyze the expected user traffic for the hosted applications. Tune the web server to avoid a DoS condition under normal user traffic to the hosted applications.
Review the web server documentation and deployed configuration to determine whether the transmission of data between the web server and external devices is encrypted. If the web server does not encrypt the transmission, this is a finding.
Configure the web server to encrypt the transmission of data between the web server and external devices.
Review the web server documentation and deployed configuration to determine whether the session identifier is being sent to the client encrypted. If the web server does not encrypt the session identifier, this is a finding.
Configure the web server to encrypt the session identifier for transmission to the client.
Review the web server documentation and deployed configuration to determine whether cookies are being sent to the client over an SSL/TLS connection. If the transmission is through an SSL/TLS connection but the cookie is not being compressed, this finding is NA. If the web server is using SSL/TLS for cookie transmission and the cookie is also being compressed, this is a finding (compressing a secret such as a session cookie inside an encrypted channel lets its value be recovered from the ciphertext length).
Configure the web server to send the cookie to the client via SSL/TLS without using cookie compression, i.e., with TLS-level compression disabled.
Review the web server documentation and deployed configuration to determine whether client-side scripts are prevented from reading cookies (the HttpOnly cookie attribute). If the web server is not configured to disallow client-side scripts from reading cookies, this is a finding.
Configure the web server to prevent client-side scripts from reading cookie information.
Review the web server documentation and deployed configuration to verify that cookies are encrypted before transmission. If the web server is not configured to encrypt cookies, this is a finding.
Configure the web server to encrypt cookies before transmission.
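A header audit for the cookie checks above (session identifier only over an encrypted channel, no client-side script access, cookies protected in transit), added here as an example rather than SRG text. It inspects Set-Cookie headers for the Secure and HttpOnly attributes, which are how a web server enforces those two properties at the browser, and shows the corresponding rewrite; the sample headers are constructed:

```python
# Constructed example response headers (not captured from any real server).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=3f1a9c2b7e41; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "csrftoken=8c0d2e; Path=/; Secure"),
]


def audit_set_cookie(header_value):
    """Problems with one Set-Cookie value; empty when Secure and HttpOnly are both present."""
    _, _, attributes = header_value.partition(";")
    flags = {a.strip().split("=", 1)[0].lower() for a in attributes.split(";") if a.strip()}
    problems = []
    if "secure" not in flags:
        problems.append("missing Secure: the browser will also send it over cleartext HTTP")
    if "httponly" not in flags:
        problems.append("missing HttpOnly: readable by client-side script")
    return problems


def audit_response(headers):
    """Map each non-compliant cookie name in a (name, value) header list to its problems."""
    findings = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        problems = audit_set_cookie(value)
        if problems:
            findings[value.partition("=")[0].strip()] = problems
    return findings


def harden_set_cookie(header_value):
    """Append whichever of Secure / HttpOnly is missing, leaving existing attributes untouched."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in present:
            parts.append(flag)
    return "; ".join(parts)


def harden_response(headers):
    """Rewrite every Set-Cookie in a header list, as a response filter or reverse proxy would."""
    return [(n, harden_set_cookie(v) if n.lower() == "set-cookie" else v) for n, v in headers]
```

The same rewrite is available as configuration on the common servers: on Apache httpd, Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure" (which appends the flags unconditionally), and on NGINX 1.19.3 and later, proxy_cookie_flags ~ secure httponly; for proxied responses. Secure makes the browser send the cookie only over TLS, which is what puts the session identifier on the encrypted channel; it does not encrypt the cookie value itself, so a server that must also meet the last check above needs to encrypt or sign the value before setting it.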
Review the web server documentation and deployed configuration to determine which version of TLS is being used. If the TLS version is not an approved version according to NIST SP 800-52 or non-FIPS-approved algorithms are enabled, this is a finding.
Configure the web server to use an approved TLS version according to NIST SP 800-52 and to disable all non-approved versions.
Review the web server documentation and deployed configuration to determine if export ciphers are removed. If the web server does not have the export ciphers removed, this is a finding.
Configure the web server to have export ciphers removed.
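An example (added here; not from the SRG) of a server-side TLS configuration that satisfies both TLS checks above using Python's ssl module, together with an audit that flags a pre-1.2 minimum version or forbidden suites in the enabled list. The forbidden-marker list is this example's own illustrative subset; NIST SP 800-52 rev. 2 is the authority for the approved suites. OpenSSL 1.1.0 and later no longer ship export ciphers at all, so the name audit matters mainly for older stacks and for cipher lists reported by other servers or scanners:

```python
import ssl

# Markers of cipher suites that NIST SP 800-52 / FIPS 140 do not permit, in OpenSSL's
# naming: export grade, null encryption or authentication, RC4, (3)DES, MD5 and
# anonymous DH. Illustrative subset for the audit, not the full approved-suite policy.
FORBIDDEN_MARKERS = ("EXP", "NULL", "RC4", "DES", "MD5", "ADH", "AECDH")


def audit_cipher_names(names):
    """Return the suite names (as a server, scanner or config reports them) that carry a forbidden marker."""
    return [n for n in names if any(m in n.upper() for m in FORBIDDEN_MARKERS)]


def hardened_server_context():
    """Server-side SSLContext for the TLS checks: TLS 1.2 minimum (TLS 1.3 stays enabled),
    AEAD suites with forward secrecy only, TLS compression off.
    Call load_cert_chain() on the result before using it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Positive list of AES-GCM suites with (EC)DHE; the negations restate the exclusions
    # explicitly for anyone reading the config even though the positive list already excludes them.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION  # also closes the cookie-compression finding for TLS-level compression
    return ctx


def context_findings(ctx):
    """STIG-style findings for a context: pre-1.2 minimum, forbidden suites enabled, compression allowed."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    bad = audit_cipher_names(c["name"] for c in ctx.get_ciphers())
    if bad:
        findings.append("forbidden cipher suites enabled: " + ", ".join(bad))
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings
```

ctx.get_ciphers() reports what the linked OpenSSL will actually offer, which is the value worth auditing; a cipher string that looks strict on paper can still resolve to something else on an old library. For Apache httpd and NGINX the same three settings correspond to the protocol list, the cipher suite string and (where the build still offers it) the compression flag, and a scan of the live listener, not the config file, is what confirms them.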
Review the web server documentation and deployed configuration to determine if the web server maintains the confidentiality and integrity of information during preparation before transmission. If the confidentiality and integrity are not maintained, this is a finding.
Configure the web server to maintain the confidentiality and integrity of information during preparation for transmission.
Review web server configuration to determine if the server is using a transmission method that maintains the confidentiality and integrity of information during reception. If a transmission method is not being used that maintains the confidentiality and integrity of the data during reception, this is a finding.
Configure the web server to utilize a transmission method that maintains the confidentiality and integrity of information during reception.
Review the web server documentation and configuration to determine if the web server checks for patches from an authoritative source at least every 30 days. If there is no timeframe or the timeframe is greater than 30 days, this is a finding.
Configure the web server to check for patches and updates from an authoritative source at least every 30 days.
Review the web server documentation and deployment configuration to determine what non-service/system accounts were installed by the web server installation process. Verify the passwords for these accounts have been set and/or changed from the default passwords. If these accounts still have no password or default passwords, this is a finding.
Set passwords for non-service/system accounts containing no passwords and change the passwords for accounts which still have default passwords.
Review the web server documentation and deployed configuration to determine if web server is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance. If the web server is not configured according to the guidance, this is a finding.
Configure the web server according to DoD security configuration guidance.
Review policy documents to identify data that is compartmentalized (i.e., classified, sensitive, need-to-know, etc.) and requires cryptographic protection. Review the web server documentation and deployed configuration to identify the encryption modules utilized to protect the compartmentalized data. If the encryption modules used to protect the compartmentalized data are not compliant with the protection requirements for that data's category, this is a finding.
Configure the web server to utilize cryptography when protecting compartmentalized data.
Verify the web server limits authenticated client management sessions to initial session source IP. If the web server does not limit authenticated client management sessions to initial session source IP, this is a finding.
Configure the web server to restrict the management session to a consistent inbound IP for the entire management session.
Verify the web server limits authenticated user sessions to a consistent inbound IP for the entire user session. If the web server does not limit authenticated user sessions to a consistent inbound IP for the entire user session, this is a finding.
Configure the web server to restrict the user session to a consistent inbound IP for the entire user session.
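An example session layer (added here, not SRG text) implementing the source-IP binding required above for both management and user sessions, with a companion helper for the one place this goes wrong in practice: deriving the source IP when the server sits behind a proxy. The proxy addresses and users are constructed:

```python
import secrets


class SessionStore:
    """In-memory session table that binds each session to the source IP that created it."""

    def __init__(self, idle_timeout=900):
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def create(self, user, source_ip, now):
        sid = secrets.token_urlsafe(32)  # 256-bit random identifier
        self._sessions[sid] = {"user": user, "ip": source_ip, "last_seen": now}
        return sid

    def validate(self, sid, source_ip, now):
        """User for a live session whose IP matches the one recorded at creation, else None.
        A mismatch or idle timeout destroys the session outright: the client has to
        re-authenticate; the session is never migrated to the new address."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session["ip"] != source_ip or now - session["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        session["last_seen"] = now
        return session["user"]

    def count(self):
        return len(self._sessions)


def client_ip(remote_addr, forwarded_for="", trusted_proxies=frozenset()):
    """The address to bind a session to.
    X-Forwarded-For is honoured only when the TCP peer is one of our own proxies, and then the
    rightmost address that is not a trusted proxy is used. Anything the client itself wrote
    into the header is ignored, otherwise an attacker chooses the IP the session is bound to."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr
```

Clients behind carrier-grade NAT or moving between networks will lose their session under this rule; the requirement accepts that cost, and the right response is re-authentication rather than relaxing the check. Binding to a trusted-proxy-derived address rather than the raw TCP peer is what keeps the check meaningful behind a load balancer, where every session would otherwise share the balancer's IP.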
Verify the web server uses HTTP/2. If the web server does not use HTTP/2 at a minimum, this is a finding.
Configure the web server to use HTTP/2, at a minimum. Note that browsers support HTTP/2 only in HTTPS mode. The tunneling of HTTP/1.x through HTTPS is not an approved configuration.
Verify that HTTP/1.x downgrading is disabled. If HTTP/1.x downgrading is enabled, this is a finding. If HTTP downgrading is operationally necessary and the rewritten request is validated against the HTTP/1.1 specification (i.e., verify that requests containing new lines in the headers, colons in header names, or spaces in the request method are rejected), mark this as a CAT III finding.
Configure the web server to disable HTTP/1.x downgrading. If HTTP downgrading is operationally necessary, validate the rewritten request against the HTTP/1.1 specification, i.e., reject requests that contain new lines in the headers, colons in header names, and spaces in the request method.
Verify the web server normalizes ambiguous requests or terminates the TCP connection. If the web server does not drop ambiguous requests that cannot be normalized and terminate the TCP connection, this is a finding.
Configure the web server to interpret HTTP headers so they are normalized and unambiguous. The web server must validate requests whose headers report a zero-length message body (e.g., Content-Length: 0) against the bytes actually received. Configure the web server to drop ambiguous requests that cannot be normalized and terminate the TCP connection.
Verify the web server terminates the connection if server-level exceptions are triggered when handling requests. If the web server does not terminate the connection if server-level exceptions are triggered when handling requests, this is a finding.
Configure web server to terminate the connection if server-level exceptions are triggered when handling requests to prevent HTTP request smuggling attacks.
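An example (added here, not SRG text) of the validation the three checks above describe. rewrite_to_http11 takes a decoded HTTP/2 request and either serialises it as one unambiguous HTTP/1.1 request or raises; handle_downgrade turns that exception into "close the connection"; http11_body_framing applies the same no-ambiguity rule to an inbound HTTP/1.1 header set. Whether a given server exposes a hook at this point is server-specific; the rules themselves come from RFC 9110 and RFC 9113, and the header names, values and bodies in the test are constructed:

```python
import re

# RFC 9110 token characters: a method or header name containing anything else
# (space, colon, CR/LF, NUL) is rejected rather than normalised.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
DIGITS = re.compile(r"[0-9]+")
CTL_IN_VALUE = re.compile(r"[\r\n\x00]")
# Connection-specific fields are malformed in HTTP/2 (RFC 9113 section 8.2.2) and must
# never be re-created downstream; Transfer-Encoding in particular is the classic smuggling vector.
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection", "upgrade", "transfer-encoding"}


class RejectRequest(Exception):
    """Raised for a request that must be dropped; the caller closes the TCP connection."""


def rewrite_to_http11(method, target, authority, headers, body):
    """Validate a decoded HTTP/2 request and serialise it as one unambiguous HTTP/1.1 request.
    headers is the list of (name, value) pairs as decoded from HPACK (names lower-case);
    body is the concatenated DATA frames, so its true length is known."""
    if not TOKEN.fullmatch(method):
        raise RejectRequest(f"invalid method {method!r}")
    if not target or not target.isascii() or re.search(r"\s", target):
        raise RejectRequest(f"invalid request target {target!r}")
    if not authority or not authority.isascii() or re.search(r"\s", authority):
        raise RejectRequest(f"invalid authority {authority!r}")
    declared = set()
    clean = []
    for name, value in headers:
        if not TOKEN.fullmatch(name):
            raise RejectRequest(f"invalid header name {name!r}")
        if not value.isascii() or CTL_IN_VALUE.search(value):
            raise RejectRequest(f"control or non-ASCII bytes in value of {name}")
        lname = name.lower()
        if lname in CONNECTION_SPECIFIC:
            raise RejectRequest(f"connection-specific header {name}")
        if lname == "host":
            if value != authority:
                raise RejectRequest("host disagrees with :authority")
            continue  # emitted once, from :authority
        if lname == "content-length":
            if not DIGITS.fullmatch(value):
                raise RejectRequest(f"non-numeric content-length {value!r}")
            declared.add(int(value))
            continue  # re-emitted from the real body length below
        clean.append((name, value))
    # A declared length (including "0") that disagrees with the bytes actually received
    # is exactly the condition a smuggled request relies on.
    if len(declared) > 1 or (declared and declared.pop() != len(body)):
        raise RejectRequest("content-length disagrees with body")
    lines = [f"{method} {target} HTTP/1.1", f"host: {authority}"]
    lines += [f"{n}: {v}" for n, v in clean]
    lines.append(f"content-length: {len(body)}")  # always explicit, never chunked
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def handle_downgrade(method, target, authority, headers, body):
    """Server-loop glue: the rewritten request, or None meaning close the connection.
    A server-level exception during validation is never handled by best-effort forwarding."""
    try:
        return rewrite_to_http11(method, target, authority, headers, body)
    except RejectRequest:
        return None


def http11_body_framing(headers):
    """How an inbound HTTP/1.1 message body is framed: ("chunked", None) or ("length", n).
    Returns None when the headers are ambiguous (Content-Length and Transfer-Encoding
    together, conflicting lengths, an obfuscated Transfer-Encoding); the caller drops the
    request and closes the connection instead of guessing."""
    te = [v.strip() for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v.strip() for n, v in headers if n.lower() == "content-length"]
    if te and cl:
        return None
    if te:
        # Only the exact single value "chunked" is accepted; "chunked, identity",
        # "xchunked" and friends are rejected rather than normalised.
        if len(te) != 1 or te[0].lower() != "chunked":
            return None
        return ("chunked", None)
    if not cl:
        return ("length", 0)
    if len(set(cl)) != 1 or not DIGITS.fullmatch(cl[0]):
        return None
    return ("length", int(cl[0]))
```

The rewrite never emits Transfer-Encoding and always emits a Content-Length computed from the bytes it actually holds, so a backend that speaks only HTTP/1.1 sees exactly one framing. The inbound rule is deliberately stricter than RFC 9112 permits (a compliant parser may, for instance, accept a duplicated identical Content-Length, which this one does); closing the connection on anything the front end and back end could read differently is the point of the check.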
If a forward proxy is not used, this is not applicable. Verify the web server only uses forward proxies that route HTTP/2 requests upstream. If the web server uses forward proxies that do not only route HTTP/2 requests, this is a finding.
Configure the web server to only use forward proxies that route HTTP/2 requests upstream.