| Field | Value |
| --- | --- |
| Name | Web Server Checklist Procedures, v5 Release 1.3 |
| Version | Version 5, Release 1.3 |
| Status | Final |
| Creation Date | Not Available. |
| Revision Date | 2006-04 |
| Product Category | Web server |
| Vendor | Microsoft Corporation<br>Netscape<br>Apache Foundation |
| Product | Microsoft IIS v5.0<br>Netscape Enterprise Server v4.1/iPlanet<br>Apache |
| Product Version | Microsoft IIS v5.0<br>Netscape Enterprise Server v4.1/iPlanet<br>Apache |
| Product Role | Web server |
| Checklist Summary | This document details the procedures needed to perform a security readiness review (SRR) of a web server installed on an OS/390, NT, Windows 2000, UNIX or VM host operating system environment. An operating system review will precede an SRR of the web server platform. The reviewer will apply SA Level II knowledge and skills of NT, OS/390 or UNIX administration to glean key information about the web service and complete the Web SRR. The reviewer must be able to navigate the NT, UNIX, VMS or WIN2K file system, determine the permissions set on specific files and directories, read, search and interpret the content of key configuration files, and, in the case of OS/390, understand started tasks and the security access facility (SAF). The steps outlined in this document explain and illustrate this process using the default location of the files to be examined.<br><br>The Web Server SRR targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. Additionally, the review ensures the site has properly installed and implemented the database environment and that it is being managed in a way that is secure, efficient, and effective. This includes defending against such security vulnerabilities as retrieving unauthorized information, making malicious alterations to web content, cross-site scripting, unauthorized alterations of the server configuration, relayed attacks, and denial of service attacks.<br><br>Notes applicable to the IBM HTTP Server (IHS) portion of IBM's WebSphere product are also included, with the understanding that the IBM HTTP Web Server will be running in the context of UNIX Systems Services in a mainframe environment or in a Solaris mid-tier environment. In general, checks which apply to Apache will apply to IHS. |
| Known Issues | SSL is an implementation of Netscape's Secure Socket Layer that allows secure connections over insecure networks, e.g., to transmit user IDs and passwords via web-based forms. As of this writing, the ability to make a version of Apache that will handle SSL (https protocol) is only available in UNIX/LINUX open source versions. However, modifications to Apache based upon these solutions are not recognized as licensed in the United States. Commercial solutions are available. |
| Target Audience | Developed for the DOD.<br>This document is intended for IAOs, SAs, IAMs, NSOs, and others who are responsible for the configuration, management, or support of information systems. It assumes that the reader has knowledge of web servers and is familiar with common computer terminology. |
| Target Operational Environment | Enterprise and Specialized Security-Limited Functionality. |
| Checklist Installation Tools | The scripts need to be unzipped (Windows) or untarred/uncompressed (Unix) and/or copied to the host system (Windows, Unix copy commands). |
| Rollback Capability | The scripts create temporary files. These files are removed at the completion of the script. |
| Testing Information | Not Available. |
| NIAP/CMVP Status | Not Available. |
| Regulatory Compliance | DOD Directive 8500. |
| Comments, Warnings, Disclaimer, Miscellaneous | Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions. |
| Disclaimer | Not Available. |
| Product Support | It should be noted that FSO support for the STIGs, Checklists, and Tools is only available to DOD customers. |
| Submitting Organization/Authors | Defense Information Systems Agency |
| Point of Contact | Not Available. |
| Sponsor | Not Available. |
| Licensing | Not Available. |
| Checklist Homepage | http://iase.disa.mil/stigs/checklist/index.html |
| Download Package | http://iase.disa.mil/stigs/checklist/websrrchecklist-v5r1-3-20060417.zip |
| Integrity | SHA1 Digest (websrrchecklist-v5r1-3-20060417.zip) = e20b17e7a286ba0c10d313337f2e21a54c3a989e<br>SHA256 Digest (websrrchecklist-v5r1-3-20060417.zip) = 9a1a2adcc3c8db64d5c48a0d4e71aa93cac08fba8bc994b3bdb933b9c7716862 |
| Change History | Version 4, Release 2.1<br>Version 4, Release 1.5: 2005-02-25<br>Version 5, Release 1.3: 2006-04 |
| Dependency/Requirement | Web Server Security Technical Implementation Guide, v5 Release 1 |
| References | Windows Gold Disk Version 2: Released September 2006<br>http://iase.disa.mil/stigs/SRR/updated_GDV2_CD1_Engine_09-22-2006.iso<br>SHA1 Digest (updated_GDV2_CD1_Engine_09-22-2006.iso) = a7ab239be33dea971b5ec11ffd1d419c68455775<br>SHA256 Digest (updated_GDV2_CD1_Engine_09-22-2006.iso) = e18ac0d7a90fca6c891b8a24eded3b8078f2b1657 61d4d298d9fc53293a839ef |
| NIST Identifier | 1081 |