Checked | Name | Title |
---|---|---|
☐ | SV-33092r1_rule | Backup interactive scripts on the production web server must be prohibited. |
☐ | SV-33048r1_rule | The web server service password(s) must be entrusted to the SA or Web Manager. |
☐ | SV-33044r2_rule | Public web server resources must not be shared with private assets. |
☐ | SV-36489r4_rule | The service account used to run the web service must have its password changed at least annually. |
☐ | SV-33061r3_rule | Installation of a compiler on production web server must be prohibited. |
☐ | SV-33012r2_rule | A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension. |
☐ | SV-33013r2_rule | A private web server must be located on a separate controlled access subnet. |
☐ | SV-33068r2_rule | The web server must use a vendor-supported version of the web server software. |
☐ | SV-36509r1_rule | Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities. |
☐ | SV-33072r4_rule | Web administration tools must be restricted to the web manager and the web manager’s designees. |
☐ | SV-33062r2_rule | All utility programs, not necessary for operations, must be removed or disabled. |
☐ | SV-36561r2_rule | The web server’s htpasswd files (if present) must reflect proper ownership and permissions. |
☐ | SV-6881r1_rule | The access control files are owned by a privileged web server account. |
☐ | SV-33017r1_rule | Administrative users and groups that have access rights to the web server must be documented. |
☐ | SV-33078r2_rule | Web server system files must conform to minimum file permission requirements. |
☐ | SV-33082r1_rule | A public web server must limit e-mail to outbound only. |
☐ | SV-33095r1_rule | Wscript.exe and Cscript.exe must only be accessible by the SA and/or the web administrator. |
☐ | SV-33089r2_rule | Monitoring software must include CGI or equivalent programs in its scope. |
☐ | SV-33014r2_rule | Web server content and configuration files must be part of a routine backup program. |
☐ | SV-33070r1_rule | A web server installation must be segregated from other services. |
☐ | SV-33098r1_rule | Web server and/or operating system information must be protected. |
☐ | SV-33015r2_rule | Classified web servers will be afforded physical security commensurate with the classification of its content. |
☐ | SV-33016r2_rule | The site software used with the web server must have all applicable security patches applied and documented. |
☐ | SV-36607r1_rule | The web server, although started by superuser or privileged account, must run using a non-privileged account. |
☐ | SV-33084r1_rule | A private web server’s list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA. |
☐ | SV-33087r1_rule | All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. |
☐ | SV-33065r2_rule | The private web server must use an approved DoD certificate validation process. |
☐ | SV-40826r1_rule | Remote authors or content providers must have all files scanned for malware before uploading files to the Document Root directory. |
☐ | SV-32980r3_rule | The Timeout directive must be properly set. |
☐ | SV-32987r3_rule | The KeepAlive directive must be enabled. |
☐ | SV-32880r3_rule | The KeepAliveTimeout directive must be defined. |
☐ | SV-32998r1_rule | All interactive programs must be placed in a designated directory with appropriate permissions. |
☐ | SV-33001r1_rule | The FollowSymLinks setting must be disabled. |
☐ | SV-33003r1_rule | Server side includes (SSIs) must run with execution capability disabled. |
☐ | SV-33004r2_rule | The MultiViews directive must be disabled. |
☐ | SV-33006r2_rule | Directory indexing must be disabled on directories not containing index files. |
☐ | SV-33008r1_rule | The HTTP request message body size must be limited. |
☐ | SV-33009r1_rule | The HTTP request header fields must be limited. |
☐ | SV-33010r3_rule | The HTTP request header field size must be limited. |
☐ | SV-33011r3_rule | The HTTP request line must be limited. |
☐ | SV-33167r1_rule | Active software modules must be minimized. |
☐ | SV-33169r2_rule | Web Distributed Authoring and Versioning (WebDAV) must be disabled. |
☐ | SV-33171r2_rule | Web server status module must be disabled. |
☐ | SV-33173r3_rule | The web server must not be configured as a proxy server. |
☐ | SV-33175r2_rule | User specific directories must not be globally enabled. |
☐ | SV-33177r1_rule | The process ID (PID) file must be properly secured. |
☐ | SV-33178r2_rule | The ScoreBoard file must be properly secured. |
☐ | SV-33180r1_rule | The web server must be configured to explicitly deny access to the OS root. |
☐ | SV-33182r1_rule | Web server options for the OS root must be disabled. |
☐ | SV-33183r1_rule | The TRACE method must be disabled. |
☐ | SV-33184r1_rule | The web server must be configured to listen on a specific IP address and port. |
☐ | SV-33185r1_rule | The URL-path name must be set to the file path name or the directory path name. |
☐ | SV-33225r1_rule | Automatic directory indexing must be disabled. |
☐ | SV-33237r1_rule | The ability to override the access configuration for the OS root directory must be disabled. |
☐ | SV-33238r2_rule | HTTP request methods must be limited. |
☐ | SV-75161r1_rule | The web server must remove all export ciphers from the cipher suite. |
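Most of the rows from SV-32980 onward are single Apache directives, so they can be audited mechanically. The script below is an added example, not DISA's check text or any STIG automation: it reads an `httpd.conf`, extracts the directive values and the `<Directory />` container with awk, and prints one PASS/FAIL line per rule. Directive and module names are Apache's own; the numeric thresholds (Timeout at most 300, KeepAliveTimeout at most 15, LimitRequestLine and LimitRequestFieldSize at most 8190) and the sample configuration are constructed for illustration and should be replaced with the values in each rule's check text. The Options check is labelled with the four Options rules it covers (FollowSymLinks, Includes, MultiViews, Indexes); the root-access check accepts both the 2.2 `Deny from all` and the 2.4 `Require all denied` syntax.

```shell
#!/bin/sh
# Added example, not DISA's check text: audit an Apache httpd.conf against a
# subset of the configuration rules in the table. Directive names are Apache's;
# the thresholds and the sample config below are constructed for illustration.

# Constructed sample httpd.conf mixing compliant and non-compliant settings.
make_sample_conf() {
  cat > "$1" <<'EOF'
Listen 80
Timeout 300
KeepAlive Off
LimitRequestBody 1048576
LimitRequestFields 100
LimitRequestFieldSize 8190
LimitRequestLine 8190
TraceEnable On
LoadModule status_module modules/mod_status.so
LoadModule dav_module modules/mod_dav.so
LoadModule proxy_module modules/mod_proxy.so
UserDir public_html
SSLCipherSuite HIGH:!aNULL:!EXPORT
<Directory />
    Options None
    AllowOverride All
    Order deny,allow
    Deny from all
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
eq_ci() { [ "$(lower "$1")" = "$2" ]; }                  # case-insensitive equality
matches() { case $1 in $2) return 0 ;; esac; return 1; }  # glob match of VALUE against PATTERN
not() { ! "$@"; }
int_in_range() {                                          # VALUE MIN MAX; empty or non-numeric fails
  case $1 in '' | *[!0-9]*) return 1 ;; esac
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Argument of the first active occurrence of a directive (case-insensitive);
# comment lines never match because their first field begins with '#'.
directive_value() { awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"; }

# Lines inside the <Directory /> container, i.e. the OS root.
root_directory_block() {
  awk 'tolower($0) ~ /^[[:space:]]*<directory[[:space:]]+\/>/ { inblk = 1; next }
       tolower($0) ~ /^[[:space:]]*<\/directory>/             { inblk = 0 }
       inblk' "$1"
}
root_directive_value() { root_directory_block "$1" | awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }'; }
root_denies_all() {       # 2.2 "Deny from all" or 2.4 "Require all denied"
  root_directory_block "$1" | grep -qiE '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$'
}

# Options keywords the rules want off, enabled (not "-Keyword") on any Options line.
dangerous_options() {
  awk 'tolower($1) == "options" { for (i = 2; i <= NF; i++) { f = tolower($i); sub(/^\+/, "", f)
         if (f == "followsymlinks" || f == "includes" || f == "multiviews" || f == "indexes") print $i } }' "$1"
}
module_loaded() { awk -v m="$2" 'tolower($1) == "loadmodule" && tolower($2) == m { found = 1 } END { exit !found }' "$1"; }
userdir_ok() { [ -z "$1" ] || eq_ci "$1" disabled; }

# check RULE MESSAGE COMMAND...: "PASS RULE: MESSAGE" if COMMAND succeeds, else "FAIL ...".
check() {
  rule=$1 msg=$2; shift 2
  if "$@"; then printf 'PASS %s: %s\n' "$rule" "$msg"; else printf 'FAIL %s: %s\n' "$rule" "$msg"; fi
}

audit_httpd_conf() {
  c=$1
  check SV-33184 "Listen names a specific IP address and port" matches "$(directive_value "$c" Listen)" '*:*'
  check SV-32980 "Timeout set, 300 or less"                   int_in_range "$(directive_value "$c" Timeout)" 1 300
  check SV-32987 "KeepAlive On"                               eq_ci "$(directive_value "$c" KeepAlive)" on
  check SV-32880 "KeepAliveTimeout defined, 15 or less"       int_in_range "$(directive_value "$c" KeepAliveTimeout)" 1 15
  check SV-33008 "LimitRequestBody set and non-zero"          int_in_range "$(directive_value "$c" LimitRequestBody)" 1 2147483647
  check SV-33009 "LimitRequestFields set and non-zero"        int_in_range "$(directive_value "$c" LimitRequestFields)" 1 32767
  check SV-33010 "LimitRequestFieldSize set, 8190 or less"    int_in_range "$(directive_value "$c" LimitRequestFieldSize)" 1 8190
  check SV-33011 "LimitRequestLine set, 8190 or less"         int_in_range "$(directive_value "$c" LimitRequestLine)" 1 8190
  check SV-33183 "TraceEnable Off"                            eq_ci "$(directive_value "$c" TraceEnable)" off
  bad=$(dangerous_options "$c" | sort -u | xargs)
  check SV-33001/33003/33004/33006 "no FollowSymLinks/Includes/MultiViews/Indexes enabled${bad:+ (found: $bad)}" test -z "$bad"
  check SV-33182 "Options None for <Directory />"             eq_ci "$(root_directive_value "$c" Options)" none
  check SV-33237 "AllowOverride None for <Directory />"       eq_ci "$(root_directive_value "$c" AllowOverride)" none
  check SV-33180 "access to <Directory /> explicitly denied"  root_denies_all "$c"
  check SV-33171 "mod_status not loaded"                      not module_loaded "$c" status_module
  check SV-33169 "mod_dav (WebDAV) not loaded"                not module_loaded "$c" dav_module
  check SV-33173 "mod_proxy not loaded"                       not module_loaded "$c" proxy_module
  check SV-33175 "UserDir absent or disabled"                 userdir_ok "$(directive_value "$c" UserDir)"
  check SV-75161 "SSLCipherSuite excludes export ciphers"     matches "$(directive_value "$c" SSLCipherSuite)" '*!EXP*'
}

# Stand-alone use: audit the file named as the first argument, or the constructed sample.
conf=${1:-$(mktemp "${TMPDIR:-/tmp}/httpd-audit.XXXXXX")}
[ -s "$conf" ] || make_sample_conf "$conf"
audit_httpd_conf "$conf"
```

Run it as `sh audit.sh /etc/httpd/conf/httpd.conf`; with no argument it audits the constructed sample, which produces ten FAIL lines (unbound Listen, KeepAlive off, KeepAliveTimeout missing, TRACE enabled, Indexes and FollowSymLinks in the document root, AllowOverride All on the OS root, the status, DAV and proxy modules loaded, and UserDir enabled). The script reads only the one file it is given, so configurations split across `Include` files need to be concatenated first or fed to `apachectl -t -D DUMP_CONFIG` where that option is available.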