NIST Security Configuration Checklists Repository

Application Services Security Technical Implementation Guide

Name

Application Services Security Technical Implementation Guide, Version 1 Release 1

Version

Version 1, Release 1

Status

Final

Creation Date

Unknown

Revision Date

2005-11-21

Product Category

Server

Vendor

Apache
BEA
Sun Microsystems
Microsoft

Product

Apache Jakarta Tomcat
BEA  WebLogic Server
Sun Microsystems JVM
Microsoft .NET Framework

Product Version

Apache Jakarta Tomcat
BEA  WebLogic Server
Sun Microsystems JVM
Microsoft .NET Framework

Product Role

Application Server

Checklist Summary

This Application Services Security Technical Implementation Guide (STIG) provides security configuration and implementation guidance for application server products built on the Java 2 Platform, Enterprise Edition (J2EE). J2EE defines a standard security framework, covering both configuration and implementation, for protecting application servers. The J2EE platform is a superset of the Java 2 platform; it is a community-driven specification (developed through the Java Community Process) that provides security mechanisms for authentication, authorization, and auditing.

Section 2, Application Services Overview, provides a generic description of the elements characteristic of most application server products. Section 3, Application Services Security, provides general guidance for all application server products. Specific commercial and open source application server products are addressed in separate appendices. This STIG is intended for use in conjunction with other STIGs developed by the Defense Information Systems Agency (DISA). The operating system (OS) STIGs provide crucial guidance for securing the platforms on which application servers run. Security requirements for the Database Management Systems (DBMSs) and web servers used by application servers are addressed in the Database and Web Server STIGs.
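The J2EE security framework the summary refers to is, for a web application, declared in its deployment descriptor (WEB-INF/web.xml): security-constraint elements bind URL patterns to roles and to a transport guarantee, and login-config selects the authentication method. The script below is an added example (not code from the STIG, DISA, or any vendor) that audits such a descriptor for the mistakes a reviewer looks for: a constraint with no auth-constraint, a role-name wildcard, an http-method list that leaves every other method uncovered, a protected resource without CONFIDENTIAL transport, and BASIC or FORM login combined with a cleartext-reachable resource. The sample descriptor and the finding codes are constructed for illustration.

```python
"""Audit the declarative security of a J2EE web.xml deployment descriptor.

Added example; not from the STIG or any vendor. Finding codes are invented
for this script, and SAMPLE_WEB_XML is a constructed descriptor whose
/reports/* constraint deliberately carries several weaknesses.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin console</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>app</realm-name>
  </login-config>
</web-app>
"""

Finding = Tuple[str, str, str]  # (code, url patterns affected, explanation)


def _ns(root: ET.Element) -> str:
    """Namespace prefix of the descriptor ('' for an old DTD-based web.xml)."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def audit_web_xml(xml_text: str) -> List[Finding]:
    root = ET.fromstring(xml_text)
    ns = _ns(root)

    def text(elem: ET.Element, tag: str, default: str = "") -> str:
        return (elem.findtext(ns + tag) or default).strip()

    findings: List[Finding] = []
    weak_transport = False

    for sc in root.findall(ns + "security-constraint"):
        colls = sc.findall(ns + "web-resource-collection")
        patterns = [(p.text or "").strip()
                    for wrc in colls for p in wrc.findall(ns + "url-pattern")]
        methods = sorted({(m.text or "").strip().upper()
                          for wrc in colls for m in wrc.findall(ns + "http-method")})
        where = ", ".join(patterns) or "(no url-pattern)"

        auth = sc.find(ns + "auth-constraint")
        roles = None if auth is None else [
            (r.text or "").strip() for r in auth.findall(ns + "role-name")]
        udc = sc.find(ns + "user-data-constraint")
        transport = "NONE" if udc is None else text(udc, "transport-guarantee", "NONE").upper()

        # No auth-constraint at all: the constraint sets transport only, access stays open.
        if roles is None:
            findings.append(("NO-AUTH-CONSTRAINT", where,
                             "no auth-constraint: any client may reach the resource"))
        elif "*" in roles:
            findings.append(("ALL-ROLES", where,
                             "role-name '*' admits every role declared in the application"))
        # Naming http-method elements constrains ONLY those methods; every other
        # method (POST, PUT, DELETE, HEAD, ...) on the same URLs is unconstrained.
        if methods:
            findings.append(("UNCOVERED-METHODS", where,
                             "constraint covers only %s; other HTTP methods are unprotected"
                             % "/".join(methods)))
        if transport != "CONFIDENTIAL":
            weak_transport = True
            findings.append(("CLEARTEXT-TRANSPORT", where,
                             "transport-guarantee is %s; resource is reachable without TLS"
                             % transport))

    login = root.find(ns + "login-config")
    auth_method = text(login, "auth-method").upper() if login is not None else ""
    if auth_method in ("BASIC", "FORM") and weak_transport:
        findings.append(("CREDENTIALS-IN-CLEAR", "login-config",
                         "%s login plus a non-CONFIDENTIAL constraint sends credentials in cleartext"
                         % auth_method))
    return findings


if __name__ == "__main__":
    for code, where, why in audit_web_xml(SAMPLE_WEB_XML):
        print("%-22s %-14s %s" % (code, where, why))
```

Run against the sample, the /admin/* constraint produces no findings, while /reports/* is flagged for the role wildcard, the GET-only coverage and the missing transport guarantee, and the BASIC login is flagged because one constrained resource is reachable in cleartext. Point it at a real WEB-INF/web.xml to get the same report; container-specific settings (Tomcat's server.xml, WebLogic's security realms) are outside what the descriptor can tell you.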

Known Issues

This Application Services STIG presents the known security configuration items, vulnerabilities, and issues that DoD policy requires to be addressed. In addition to this STIG, compliance validation tools and checklists are available to .mil and .gov customers to assist in implementing the required configuration. The guidelines should be evaluated in a local, representative test environment before being deployed to large user populations: the variety of environments makes it impossible to test these guidelines against every software configuration, and in some environments deploying without testing will result in a loss of required functionality. The original target audience for this STIG was DISA facilities using the Access and Location Number (ALN) modification of the standard Unisys software. As a consequence, this STIG still contains many ALN-specific policies, procedures, and settings. This release and future releases of this STIG will phase out these references where possible, either by removing the process and procedure or by isolating ALN-specific settings in a separate appendix.

Target Audience

Developed for the DOD. The requirements set forth in this document are designed to assist Information Assurance Officers (IAOs) and System Administrators (SAs) in protecting DOD network infrastructures and resources. This document assumes that the reader has experience installing and administering J2EE application servers.

Target Operational Environment

Enterprise; Specialized Security-Limited Functionality (SSLF).

Checklist Installation Tools

J2EE application servers require the use of a Java Virtual Machine (JVM) for execution. The JVM provides a layer of abstraction between the application server and the underlying hardware platform and operating system.

Rollback Capability

Not Available.

Testing Information

Not Available.

NIAP/CMVP Status

Not Available.

Regulatory Compliance

DOD Directive 8500.1.

Comments, Warnings, Disclaimer, Miscellaneous

Refer to Known Issues.

Disclaimer

Not Available.

Product Support

FSO support for the STIGs, checklists, and tools is available only to DOD customers.

Submitting Organization/Authors

Defense Information Systems Agency

Point of Contact

Not Available.

Sponsor

Not Available.

Licensing

Not Available.

Checklist Homepage

http://iase.disa.mil/stigs/stig/index.html

Download Package

http://iase.disa.mil/stigs/stig/application-services-stig-v1r1.pdf

Integrity

SHA1 Digest (application-services-stig-v1r1.pdf) = 351e30041eea1919df36c1f8ecc2ac3fc5632fb3

SHA256 Digest (application-services-stig-v1r1.pdf) = 2501eeb742889f8f3c38eed8f3bdaf27335b31caa9512275fd097b2f0f309265
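The digests above are only useful if the download is actually checked against them. The script below is an added example, not part of the catalog page or of DISA's tooling: it recomputes SHA-1 and SHA-256 over the downloaded bytes, normalises a digest that has been wrapped or spaced (as the SHA-256 on this page is), refuses malformed digests, and reports success only if every listed digest matches. Two caveats a practitioner should keep in mind: the digests come from the same web page as the download link, so they detect corruption or a swapped file, not a compromise of the catalog itself; and SHA-1 is no longer collision resistant, so the SHA-256 value is the one that carries weight.

```python
"""Verify a downloaded checklist package against published digests.

Added example; not code from the NIST repository or DISA. EXPECTED holds the
digests the catalog page lists for application-services-stig-v1r1.pdf,
including the line wrap that the page introduced into the SHA-256 value.
"""
import hashlib
import hmac
import re
from typing import Dict

EXPECTED: Dict[str, str] = {
    "sha1": "351e30041eea1919df36c1f8ecc2ac3fc5632fb3",
    "sha256": "2501eeb742889f8f3c38eed8f3bdaf27335b31caa\n9512275fd097b2f0f309265",
}
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64}


def normalise(digest: str, algo: str) -> str:
    """Drop whitespace/line wrapping and case; reject anything that is not a complete hex digest."""
    d = re.sub(r"\s+", "", digest).lower()
    if len(d) != DIGEST_HEX_LEN[algo] or re.fullmatch(r"[0-9a-f]+", d) is None:
        raise ValueError("malformed %s digest: %r" % (algo, digest))
    return d


def digests_of(data: bytes) -> Dict[str, str]:
    """Compute every supported digest of the package contents."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_HEX_LEN}


def verify(data: bytes, expected: Dict[str, str] = EXPECTED) -> bool:
    """True only if every listed digest matches; one mismatch fails the whole check."""
    actual = digests_of(data)
    return all(hmac.compare_digest(actual[algo], normalise(value, algo))
               for algo, value in expected.items())


def verify_path(path: str, expected: Dict[str, str] = EXPECTED) -> bool:
    """Verify a file on disk, e.g. the downloaded application-services-stig-v1r1.pdf."""
    with open(path, "rb") as f:
        return verify(f.read(), expected)


if __name__ == "__main__":
    import sys
    ok = verify_path(sys.argv[1]) if len(sys.argv) > 1 else False
    print("digests match" if ok else "digest MISMATCH or no file given")
    sys.exit(0 if ok else 1)
```

Usage: `python verify_digest.py application-services-stig-v1r1.pdf` exits non-zero on any mismatch, so it can gate an automated download step; the comparison uses hmac.compare_digest so that the verifier itself does not leak timing information about the expected value.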

Change History

Version 1 Release 0.2: 2005-11-21
Version 1 Release 0: 2005-07-15

Dependency/Requirement

Not Available.

References

Government Publications
Chairman of the Joint Chiefs of Staff (CJCS) Manual 6510.01, “Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND),” dated 25 March 2003.

DOD Directive 8500.1, "Information Assurance (IA)," dated October 24, 2002.

DOD Instruction 8500.2, Information Assurance (IA) Implementation, dated February 6, 2003.

DOD Ports, Protocols, and Services, ASD/C3I Memorandum "Increasing Security at the Internet/DISN Boundary," dated January 28, 2003.

DOD Policy Guidance for use of Mobile Code, Policy Guidance for use of Mobile Code Technologies in Department of Defense (DOD) Information Systems Memorandum.

DOD Instruction 8520.2, Public Key Infrastructure (PKI) and Public Key (PK) Enabling, dated April 1, 2004.

DOD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM).

BEA WebLogic Platform Security Guide, National Security Agency, Version 1.0, dated April 4, 2005.

Web Site Administration Policies and Procedures, dated 25 November 1998.

NSA, Guide to Microsoft .NET Framework Security, dated September 22, 2004, Version 1.4.

Web Sites
National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) http://csrc.nist.gov/pcig/cig.html

Information Assurance Support Environment http://iase.disa.mil

National Security Agency http://www.nsa.gov

WebLogic Platform 8.1 Online Documentation, Security http://e-docs.bea.com/wls/docs81/security.html

The Apache Jakarta Project, Tomcat http://jakarta.apache.org/tomcat/index.html

ECA PKI Program http://iase.disa.mil/pki/eca/

Joint Task Force - Global Network Operations (JTF-GNO) http://www.cert.mil

NIST Identifier

1058




NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.

Last updated: March 7, 2006
Page created: October 28, 2004

Send comments or suggestions to checklists@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration