STIGQter STIGQter: STIG Summary: APACHE 2.2 Server for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019:

The private web server must use an approved DoD certificate validation process.

DISA Rule

SV-33065r2_rule

Vulnerability Number

V-13672

Group Title

WG145

Rule Version

WG145 W22

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure DoD Private Web Servers to conduct certificate revocation checking utilizing certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP).

Check Contents

The reviewer should query the ISSO, the SA, the web administrator, or developers as necessary to determine if the web server is configured to utilize an approved DoD certificate validation process.

The web administrator should be questioned to determine if a validation process is being utilized on the web server.

To validate this, the reviewer can ask the web administrator to describe the validation process being used. They should be able to identify either the use of certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP).

If the production web server is accessible, the SA or the web administrator should be able to demonstrate the validation of good certificates and the rejection of bad certificates.

If CRLs are being used, the SA should be able to identify how often the CRL is updated and the location from which the CRL is downloaded.

If the web administrator cannot identify the type of validation process being used, this is a finding.

Vulnerability Number

V-13672

Documentable

False

Rule Version

WG145 W22

Severity Override Guidance

The reviewer should query the ISSO, the SA, the web administrator, or developers as necessary to determine if the web server is configured to utilize an approved DoD certificate validation process.

The web administrator should be questioned to determine if a validation process is being utilized on the web server.

To validate this, the reviewer can ask the web administrator to describe the validation process being used. They should be able to identify either the use of certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP).

If the production web server is accessible, the SA or the web administrator should be able to demonstrate the validation of good certificates and the rejection of bad certificates.

If CRLs are being used, the SA should be able to identify how often the CRL is updated and the location from which the CRL is downloaded.

If the web administrator cannot identify the type of validation process being used, this is a finding.

Check Content Reference

M

Responsibility

System Administrator

Target Key

158

Comments