NIST Security Configuration Checklists Repository

Web Server Security Technical Implementation Guide

Name

Web Server Security Technical Implementation Guide, v5 Release 1

Version

v5 Release 1

Status

Final

Creation Date

Not available.

Revision Date

2004-10-29

Product Category

Web Server

Vendor

Microsoft Corporation
Netscape
Apache Foundation
IBM

Product

Microsoft IIS v5.0
Netscape Enterprise Server v4.1/iPlanet
Apache
IBM HTTP Server

Product Version

Microsoft IIS v5.0
Netscape Enterprise Server v4.1/iPlanet
Apache version information is not available
IBM HTTP Server version information is not available

Product Role

Web Server

Checklist Summary

This STIG assists in securing DOD information systems. Together with its companion document, the Web Server Checklist, it can be used to implement security best-practice procedures on a variety of web server platforms. It is intended for use in conjunction with the appropriate operating system (OS) STIG and with any other technology-specific STIGs that affect the web server or the platform it resides on. The STIG applies to the design and installation, operation and production, and maintenance phases of a web server deployment, and includes appendices that aid in the installation and configuration of Netscape/iPlanet, Apache, and Microsoft IIS.

This document also assists in identifying the external security exposures created when a site is connected to at least one information system outside the site's control. It does not cover style, performance, response time, or bandwidth. It addresses known security issues facing web server technologies; although implemented differently, most web server platforms provide a means to meet the security requirements in this STIG. The requirements are written to apply to any web server platform, with platform-specific guidance documented in the Web Server Checklist Procedures Guide. The document provides the technical security policies, requirements, and implementation details for applying security concepts to web servers.

Known Issues

This Web Server STIG presents the known security configuration items, vulnerabilities, and issues that DoD policy requires to be addressed. In addition to the STIG, compliance validation tools and checklists are available to .mil and .gov customers to assist in implementing the required configuration. The guidelines should be evaluated in a local, representative test environment before implementation across large user populations: the variety of environments makes it impossible to test these guidelines against every software configuration, and in some environments failure to test before implementation will cause a loss of required functionality.

Target Audience

Developed for the DOD.
The target audience for this document includes DOD functional managers, information technology personnel, and network and security administrators. This document assumes that the reader has experience installing and administering web servers.

Target Operational Environment

Enterprise; Specialized Security-Limited Functionality (SSLF).

Checklist Installation Tools

Not available.

Rollback Capability

Not available.

Testing Information

Not available.

NIAP/CMVP Status

Not available.

Regulatory Compliance

DOD Directive 8500.

Comments, Warnings, Disclaimer, Miscellaneous

Refer to Known Issues.

Disclaimer

Not available.

Product Support

FSO (DISA Field Security Operations) support for the STIGs, Checklists, and Tools is available only to DOD customers.

Submitting Organization/Authors

Defense Information Systems Agency

Point of Contact

Not available.

Sponsor

Not available.

Licensing

Not available.

Checklist Homepage

http://iase.disa.mil/stigs/stig/index.html

Download Package

http://iase.disa.mil/stigs/stig/web_stig_v5r1.pdf

Integrity

SHA1 Digest (web_stig_v5r1.pdf) =
c1ceed4332b1de17e1e7fc56fc2940c9bc59da81

SHA256 Digest (web_stig_v5r1.pdf) =
9a1208f905938e6c479cd589099d3edfec0b6e32fc8b77e8bdd7c8fb35009dc2
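
The digests above are meant to be checked against the downloaded PDF before it is trusted. The script below is an added example, not code from the NIST page or from DISA, showing how a practitioner would do that check: it hashes the file once for both algorithms, compares against the published values, and treats a SHA-1 match without a SHA-256 match as a failure, since SHA-1 is collision-prone and the stronger digest should decide. The published digests for web_stig_v5r1.pdf are taken from this page; the `abc` vector used for the offline self-check is the standard FIPS 180 test vector and is embedded only so the script can be exercised without the PDF.

```python
"""Check a downloaded file against published SHA-1 and SHA-256 digests.

Added example for the Integrity section above; not code from the NIST page
or from DISA.
"""
import hashlib
import hmac
import os
import sys
import tempfile

# Digests published on the NIST checklist page for web_stig_v5r1.pdf.
PUBLISHED = {
    "web_stig_v5r1.pdf": {
        "sha1": "c1ceed4332b1de17e1e7fc56fc2940c9bc59da81",
        "sha256": "9a1208f905938e6c479cd589099d3edfec0b6e32fc8b77e8bdd7c8fb35009dc2",
    }
}

# Standard FIPS 180 test vector for the message b"abc"; used only for the
# offline self-check below, not something taken from the checklist page.
ABC_VECTOR = {
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

CHUNK = 1 << 16  # hash in 64 KiB chunks so large downloads need not fit in memory


def compute_digests(path, algorithms):
    """Hash the file once, feeding every requested algorithm from the same read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_file(path, expected):
    """Return (ok, per_algorithm) for a file against its published digests.

    ok is True only if every published digest matches. A SHA-1 match alone
    is not enough: SHA-1 is collision-prone, so a file that agrees on SHA-1
    but disagrees on SHA-256 is reported as failed.
    """
    actual = compute_digests(path, tuple(expected))
    per_algorithm = {}
    for name, want in expected.items():
        # Tolerate digests that were line-wrapped or upper-cased when published.
        want = "".join(want.split()).lower()
        per_algorithm[name] = hmac.compare_digest(actual[name], want)
    return all(per_algorithm.values()), per_algorithm


def write_temp(data):
    """Write constructed bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="digest-check-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def self_check():
    """Exercise verify_file offline: a good file passes, a tampered one fails."""
    good = write_temp(b"abc")
    tampered = write_temp(b"abd")
    try:
        ok_good, _ = verify_file(good, ABC_VECTOR)
        ok_bad, detail = verify_file(tampered, ABC_VECTOR)
        return ok_good and not ok_bad and not detail["sha256"]
    finally:
        os.unlink(good)
        os.unlink(tampered)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        name = os.path.basename(sys.argv[1])
        if name not in PUBLISHED:
            sys.exit("no published digests for %s" % name)
        ok, detail = verify_file(sys.argv[1], PUBLISHED[name])
        for alg, matched in detail.items():
            print("%-7s %s" % (alg, "OK" if matched else "MISMATCH"))
        sys.exit(0 if ok else 1)
    print("self-check", "passed" if self_check() else "FAILED")
```

Run it as `python check_digest.py web_stig_v5r1.pdf` (hypothetical file name for the script) to verify a download; with no argument it runs the self-check. Note what the check does and does not prove: digests published on the same site as the file detect a corrupted transfer or a stale mirror copy, but not a compromise of the publishing site itself, since an attacker who can replace the PDF can usually replace the digests too.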

Change History

v4 Release 1: 2003-08-29
v5 Release 1: 2004-10-29

Dependency/Requirement

Web Server Checklist, v5 Release 1

References

Department of Defense (DOD) Directive 8500.1, “Information Assurance,” 24 October 2002.

Department of Defense (DOD) Instruction 8500.2, “Information Assurance IA Implementation,” 6 February 2003.

Department of Defense (DOD) Instruction Number 8520.2 issued April 2004, “Public Key Infrastructure (PKI) and Public Key (PK) Enabling.”

DISA Memorandum: DISA Web Policy, Enforcement, and Operational Security, 12 March 2003.

DISA World Wide Web Handbook Version 5.0.

DOD Web Policy, “Web Site Administration Policies and Procedures,” 25 November 1998 (updated 11 January 2002). (Also see http://www.defenselink.mil/webmasters/, DOD Web Site Administration Policy.)

Chairman of the Joint Chiefs of Staff (CJCS) Manual 6510.01, "Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND)," 15 March 2002.

Department of Defense Directive 5200.40, “DOD Information Technology Security and Accreditation Process (DITSCAP),” 30 December 1997.

Defense Information Systems Agency Instruction (DISAI) 630-230-19, “Security Requirements for Automated Information Systems (AIS),” July 1996.

Defense Information Systems Agency Instruction (DISAI) 630-255-7, “Internet, Intranet, and World Wide Web,” 6 September 1996.

Defense Information Systems Agency Instruction (DISAI) 630-230-31, “Enclave Security,” 30 March 2001.

Defense Information Systems Agency (DISA) Naming Convention Standards, February 1996.

Defense Information Systems Agency (DISA) Computing Services Security Handbook, Version 3, 1 December 2000.

Defense Information Systems Agency (DISA) Application Security Checklist v2 r1.4. 

Defense Information Systems Agency (DISA) Network Infrastructure Security Technical Implementation Guide, Version 4, Release 2.

Addendum to the NSA Guide to Securing Microsoft Windows NT Networks and NSA Guides to Securing Windows 2000, Version 43 (to match NSA Guide), Release 1, 26 November 2002.

Defense Information Systems Agency (DISA) UNIX Security Technical Implementation Guide, Version 4, Release 2.

National Security Agency (NSA), “Information Systems Security Products and Services Catalog” (Current Edition).

National Institute of Standards and Technology (NIST), “Guidelines on Securing Public Web Servers,” Special Publication 800-44.

Defense Logistics Agency Regulation (DLAR) 5200.17, “Security Requirements for Automated Information and Telecommunications Systems,” 9 October 1991.

AR 25-2, Information Assurance, 14 November 2003.

Air Force Systems Security Instruction (AFSSI) 5021, Time Compliance Network Order (TCNO) Management and Vulnerability and Incident Reporting, 15 August 1996.

Air Force Systems Security Instruction (AFSSI) 5023, Viruses and Other Forms of Malicious Logic, 1 August 1996.

Air Force Systems Security Instruction (AFSSI) 5027, Network Security Policy, 27 February 1998.

Secretary of the Navy Instruction (SECNAVINST) 5239.2, “Department of the Navy Automated Information Systems (AIS) Security Program,” 15 November 1989.

Navy Staff Office Publication (NAVSO Pub) 5239-15, “Controlled Access Protection Guidebook,” August 1992.

Public Law 100-235, 100th Congress, An Act cited as the “Computer Security Act of 1987,” 8 January 1988.

Memorandum for Secretaries of Military Departments, et al, “Web Site Administration,” 7 December 1998.

Memorandum for Secretaries of Military Departments, et al, “DOD Public Key Infrastructure,” 12 August 2000.

Memorandum for Secretaries of Military Departments, et al, “Policy Guidance for the Use of Mobile Code Technologies in Department of Defense (DOD) Information Systems,” 7 November 2000. 

IBM, OS/390 HTTP Server Planning, Installing and Using, Version 5.2 (SC31-8903).

IBM, OS/390 HTTP Server Planning, Installing and Using, Version 5.3 (SC31-8690).

Defense Information Systems Agency Information Assurance. http://iase.disa.mil/ 

DISA/NCS World Wide Web Handbook, Version 2. http://www.disa.mil/handbook/toc.html 

Department of Defense Computer Emergency Response Team (CERT).  http://www.cert.mil/ 

CERT Coordination Center.  http://www.cert.org/ 

National Institute of Standards and Technology's Computer Security Resource Clearinghouse.  http://csrc.nist.gov/publications/ 

Center for Education and Research in Information Assurance and Security (formerly COAST).  http://www.cerias.purdue.edu/ 

“How to” books, written by very experienced IBM professionals from all over the world.  http://www.redbooks.ibm.com/   

Microsoft Security Bulletin and Patch Listings.  http://www.microsoft.com/technet/security/current.asp 

Netscape Security. http://www.netscape.com/security/notes/index.html 

Writing secure CGI scripts. http://hoohoo.ncsa.uiuc.edu/cgi/security.html 

PERL FAQ. http://language.perl.com/faq/  

RFC Index.  http://www.cis.ohio-state.edu/cs/Services/rfc/rfc.html 

National Infrastructure Protection Center (an FBI program).  http://www.nipc.gov/

DOD Web Site Administration Policy.  http://www.defenselink.mil/webmasters/ 

IBM HTTP Server documentation.  http://www.ibm.com/software/webservers/ 

Sun JAVA Tutorials and Documentation.  http://java.sun.com/j2ee/tutorial/  

Articles and documents on J2EE Security and other systems.  http://www.samspublishing.com/  

Information Resources on Web Services.  http://www.oasis-open.org/ 

Information and Resources on everything Web.  http://www.w3.org/  

Resource for BEA WebLogic and J2EE framework.  http://www.bea.com/

NIST Identifier

1081

NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.

Last updated: September 19, 2005
Page created: October 28, 2004

Send comments or suggestions to checklists@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration