STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ.

DISA Rule

SV-222620r508029_rule

Vulnerability Number

V-222620

Group Title

SRG-APP-000516

Rule Version

APSC-DV-002890

Severity

CAT I

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-002225 - The information system provides separate processing domains to enable finer-grained allocation of user privileges.

Weight

10

Fix Recommendation

Separate web server from other application tiers and place it on a separate network segment apart from the application and database servers in accordance with DoD DMZ data access controls requirements.

Check Contents

Review the application documentation.

Review the application data protection requirements and identify if all data types hosted on server are identical.

Review the network diagram and identify web servers/web services, web application servers, and database servers.

If the application is not hosted in the DoD DMZ, this requirement is not applicable.

Verify the application web servers are separated from the application and database servers if the application is a tiered design as per DoD DMZ STIG requirements.

If the application is tiered and the network infrastructure hosting the application is not configured to provide separation and security access controls between the tiered layers in accordance with DoD DMZ requirements, this is a finding.

Vulnerability Number

V-222620

Documentable

False

Rule Version

APSC-DV-002890

Severity Override Guidance

Review the application documentation.

Review the application data protection requirements and identify if all data types hosted on server are identical.

Review the network diagram and identify web servers/web services, web application servers, and database servers.

If the application is not hosted in the DoD DMZ, this requirement is not applicable.

Verify the application web servers are separated from the application and database servers if the application is a tiered design as per DoD DMZ STIG requirements.

If the application is tiered and the network infrastructure hosting the application is not configured to provide separation and security access controls between the tiered layers in accordance with DoD DMZ requirements, this is a finding.

Check Content Reference

M

Target Key

4093

Comments