From 80ec0091159927235e694a98ec1ed21bd9e8519a Mon Sep 17 00:00:00 2001 From: Automated Update Date: Fri, 12 Apr 2024 00:03:15 +0000 Subject: [PATCH] Update Benchmarks --- .../DISA/U_VPN_SRG_V2R6_Manual-xccdf.xml | 607 ++++++++++++++++++ .../DISA/U_Web_Server_V3R3_Manual-xccdf.xml | 562 ++++++++++++++++ stigs.json | 34 +- 3 files changed, 1186 insertions(+), 17 deletions(-) create mode 100644 benchmarks/DISA/U_VPN_SRG_V2R6_Manual-xccdf.xml create mode 100644 benchmarks/DISA/U_Web_Server_V3R3_Manual-xccdf.xml diff --git a/benchmarks/DISA/U_VPN_SRG_V2R6_Manual-xccdf.xml b/benchmarks/DISA/U_VPN_SRG_V2R6_Manual-xccdf.xml new file mode 100644 index 000000000..0e398ff99 --- /dev/null +++ b/benchmarks/DISA/U_VPN_SRG_V2R6_Manual-xccdf.xml 
@@ -0,0 +1,607 @@ +acceptedVirtual Private Network (VPN) Security Requirements GuideThis Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 08 Apr 20243.4.1.229161.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-NET-000019<GroupDescription></GroupDescription>SRG-NET-000019-VPN-000040The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.<VulnDiscussion>Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. 
+ +VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97041SV-106179CCI-001414Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration). + +Review network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network. 
+ +If the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,SRG-NET-000041<GroupDescription></GroupDescription>SRG-NET-000041-VPN-000110The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +In most VPN implementations, the banner is configured in the management backplane (NDM SRG) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. 
+ +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97043SV-106181CCI-000048Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. Use the following verbiage for applications that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ +By using this IS (which includes any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: +"I've read & consent to terms in IS user agreem't."If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. 
+ +If the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding.SRG-NET-000042<GroupDescription></GroupDescription>SRG-NET-000042-VPN-000120The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.<VulnDiscussion>The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. + +The banner is usually configured in NDM for client presentation as well as local logon. + +To establish acceptance of the application usage policy, a click-through banner at application logon is required. The VPN gateway must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". 
+ +This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97045SV-106183CCI-000050Configure the Remote Access VPN Gateway and/or client to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Verify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access. 
+ +If the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.SRG-NET-000043<GroupDescription></GroupDescription>SRG-NET-000043-VPN-000130The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. + +The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. 
+ +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97047SV-106185CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: + +"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +If the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding.SRG-NET-000049<GroupDescription></GroupDescription>SRG-NET-000049-VPN-000150The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).<VulnDiscussion>Users need to be aware of activity that occurs regarding their account. 
Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. + +This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97049SV-106187CCI-000053Configure the VPN Gateway to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding. + +If the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding.SRG-NET-000053<GroupDescription></GroupDescription>SRG-NET-000053-VPN-000170The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number.<VulnDiscussion>VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. 
Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. + +This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. + +The intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97051SV-106189CCI-000054Configure the VPN Gateway to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, as documented in the SSP.Inspect the VPN Gateway configuration. Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP). + +If the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding.SRG-NET-000062<GroupDescription></GroupDescription>SRG-NET-000062-VPN-000200The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections.<VulnDiscussion>Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. 
+ +NIST SP 800-52 Rev2 provides guidance for client negotiation on either DoD-only or public-facing servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97053SV-106191CCI-000068Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission.Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission. + +If the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding.SRG-NET-000063<GroupDescription></GroupDescription>SRG-NET-000063-VPN-000210The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions.<VulnDiscussion>Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97055SV-106193CCI-001453Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding.SRG-NET-000063<GroupDescription></GroupDescription>SRG-NET-000063-VPN-000220The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.<VulnDiscussion>Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection. + +SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions. 
+ +The remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106195V-97057CCI-001453Configure the VPN Gateway to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + +If the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding.SRG-NET-000074<GroupDescription></GroupDescription>SRG-NET-000074-VPN-000250The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.<VulnDiscussion>Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. 
Hence, the larger the modulus, the more secure the generated key is considered to be.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106197V-97059CCI-000068Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1.Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1. + +View the IKE options dh-group option. + +If the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding.SRG-NET-000075<GroupDescription></GroupDescription>SRG-NET-000075-VPN-000260If the site-to-site VPN implementation uses L2TP, L2TPv3 sessions must be authenticated prior to transporting traffic.<VulnDiscussion>L2TPv3 sessions can be used to transport layer-2 protocols across an IP backbone. These protocols were intended for link-local scope only and are therefore less defended and not as well-known. As stated in DoD IPv6 IA Guidance for MO3 (S4-C7-1), the L2TP tunnels can also carry IP packets that are very difficult to filter because of the additional encapsulation. 
Hence, it is imperative that L2TP sessions are authenticated prior to transporting traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106363V-97225CCI-000068If the site-to-site VPN implementation uses L2TPv3, configure L2TPv3 sessions to authenticate the traffic before transit.If L2TP communications protocol is not used, this is not applicable. + +Verify L2TPv3 sessions are configured to authenticate the traffic before transit. L2TPv3 sessions must be authenticated prior to transporting traffic. + +If L2TPv3 sessions do not require authentication, this is a finding.SRG-NET-000077<GroupDescription></GroupDescription>SRG-NET-000077-VPN-000280The VPN Gateway must generate log records containing information to establish what type of events occurred.<VulnDiscussion>Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +VPN gateways often have a separate audit log for capturing VPN status and other information about the traffic (as opposed to the log capturing administrative and configuration actions). Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. 
+ +Associating event types with detected events in the VPN gateway logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured VPN gateway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106199V-97061CCI-000130Configure the VPN Gateway to generate log records containing information to establish what type of events occurred.Verify the VPN Gateway generates log records containing information to establish what type of events occurred. + +If the VPN Gateway does not generate log records containing information to establish what type of events occurred, this is a finding.SRG-NET-000078<GroupDescription></GroupDescription>SRG-NET-000078-VPN-000290The VPN Gateway must generate log records containing information to establish when (date and time) the events occurred.<VulnDiscussion>Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. + +VPN gateways often have a separate audit log for capturing VPN status and other information about the traffic (as opposed to the log capturing administrative and configuration actions). 
+ +Associating event types with detected events in the network audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured VPN gateway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106201V-97063CCI-000131Configure the VPN Gateway to generate log records containing information to establish when (date and time) the events occurred.Configure the VPN Gateway generates log records containing information to establish when (date and time) the events occurred. + +If the VPN Gateway does not generate log records containing information to establish when (date and time) the events occurred, this is a finding.SRG-NET-000079<GroupDescription></GroupDescription>SRG-NET-000079-VPN-000300The VPN Gateway must generate log records containing information that establishes the identity of any individual or process associated with the event.<VulnDiscussion>Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS 
TargetVirtual Private Network (VPN)2920SV-106203V-97065CCI-001487Configure the VPN Gateway to generate log records containing information that establishes the identity of any individual or process associated with the event.Verify the VPN Gateway generates log records containing information that establishes the identity of any individual or process associated with the event. + +If the VPN Gateway does not generate log records containing information that establishes the identity of any individual or process associated with the event, this is a finding.SRG-NET-000088<GroupDescription></GroupDescription>SRG-NET-000088-VPN-000310The VPN Gateway must generate log records containing information to establish where the events occurred.<VulnDiscussion>Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. + +In order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know where events occurred, such as VPN gateway components, modules, device identifiers, node names, and functionality. 
+ +Associating information about where the event occurred within the network provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured VPN gateway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106205V-97067CCI-000132Configure the VPN Gateway to generates log records containing information to establish where the events occurred.Verify the VPN Gateway generates log records containing information to establish where the events occurred. + +If the VPN Gateway does not generate log records containing information to establish where the events occurred, this is a finding.SRG-NET-000089<GroupDescription></GroupDescription>SRG-NET-000089-VPN-000330The VPN Gateway must generate log records containing information to establish the source of the events.<VulnDiscussion>Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to know the source of the event. 
+ +In addition to logging where events occur within the network, the log records must also identify sources of events such as IP addresses, processes, and node or device names.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106207V-97069CCI-000133Configure the VPN Gateway to generate log records containing information to establish the source of the events.Verify the VPN Gateway generates log records containing information to establish the source of the events. + +If the VPN Gateway does not generate log records containing information to establish the source of the events, this is a finding.SRG-NET-000091<GroupDescription></GroupDescription>SRG-NET-000091-VPN-000350The VPN Gateway must produce log records containing information to establish the outcome of the events.<VulnDiscussion>Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the network. + +Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the network after the event occurred). 
As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106209V-97071CCI-000134Configure the VPN Gateway to generate log entries containing information to establish the outcome of the events, such as, at a minimum, the success or failure of the client connection attempts.Examine the log configuration on the VPN Gateway or view several alert events on the organization's central audit server. Alternatively, examine the Central Log Server to see if it contains information about success or failure of client connection attempts or other events. + +If the traffic log entries do not include the success or failure of connection attempts and other events, this is a finding.SRG-NET-000098<GroupDescription></GroupDescription>SRG-NET-000098-VPN-000370The VPN Gateway must protect log information from unauthorized read access if all or some of this data is stored locally.<VulnDiscussion>Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured VPN gateway. Thus, it is imperative that the collected log data from the various VPN gateways, as well as the auditing tools, be secured and can only be accessed by authorized personnel. 
+ +This requirement pertains to securing the VPN log as it is stored locally, on the box temporarily, or while being encapsulated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106211V-97073CCI-000162Configure the VPN Gateway to protect log information from unauthorized read access if all or some of this data is stored locally.Verify the VPN Gateway protects log information from unauthorized read access if all or some of this data is stored locally. + +If the VPN Gateway does not protect log information from unauthorized read access if all or some of this data is stored locally, this is a finding.SRG-NET-000099<GroupDescription></GroupDescription>SRG-NET-000099-VPN-000380The VPN Gateway log must protect audit information from unauthorized modification when stored locally.<VulnDiscussion>If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. + +This requirement pertains to securing the VPN log as it is stored locally, on the box temporarily, or while being encapsulated. + +This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations. + +Audit information includes all information (e.g., log records, audit settings, and audit reports) needed to successfully audit information system activity. 
+ +This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This does not apply to audit logs generated on behalf of the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106213V-97075CCI-000163Configure the VPN Gateway log to protect audit information from unauthorized modification when stored locally. The method used depends on system architecture and design. Examples: ensuring log files receive the proper file system permissions and limiting log data locations.Verify the VPN Gateway log is configured to protect audit information from unauthorized modification when stored locally. + +The VPN Gateway log must protect audit information from unauthorized modification when stored locally, this is a finding.SRG-NET-000100<GroupDescription></GroupDescription>SRG-NET-000100-VPN-000390The VPN Gateway must protect audit information from unauthorized deletion when stored locally.<VulnDiscussion>If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. + +To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. + +This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations. 
+ +Audit information includes all information (e.g., log records, audit settings, and audit reports) needed to successfully audit information system activity. + +This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This does not apply to audit logs generated on behalf of the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97077SV-106215CCI-000164Configure the VPN Gateway to protect audit information from unauthorized deletion when stored locally. Ensure log files receive the proper file system permissions and limiting log data locations.Verify the VPN Gateway is configured to protect audit information from unauthorized deletion when stored locally. + +If the VPN Gateway does not protect audit information from unauthorized deletion when stored locally, this is a finding.SRG-NET-000132<GroupDescription></GroupDescription>SRG-NET-000132-VPN-000450The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. + +DoD continually assesses the ports, protocols, and services that can be used for network communications. 
Some protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The PPSM CAL and vulnerability assessments provide an authoritative source for ports, protocols, and services that are unauthorized or restricted across boundaries on DoD networks. + +The VPN Gateway must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97079SV-106217CCI-000382Ensure functions, ports, protocols, and services identified on the PPSM CAL are not used for system services configuration. + +View the configured security services. + +Compare the services that are enabled, including the port, services, protocols, and functions. + +Consult the product knowledge base and configuration guides to determine the commands for disabling each port, protocols, services, or functions that is not in compliance with the PPSM CAL and vulnerability assessments.View the configured security services. + +Compare the services that are enabled, including the port, services, protocols, and functions. 
+ +If functions, ports, protocols, and services identified on the PPSM CAL are not disabled, this is a finding.SRG-NET-000132<GroupDescription></GroupDescription>SRG-NET-000132-VPN-000460The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. + +Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97081SV-106219CCI-000382Configure the IPsec VPN Gateway to use IKEv2 for IPsec VPN security associations.Verify the IPsec VPN Gateway uses IKEv2 for IPsec VPN security associations. + +If the IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations, this is a finding.SRG-NET-000132<GroupDescription></GroupDescription>SRG-NET-000132-VPN-000470The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F.<VulnDiscussion>The PPTP and L2F are obsolete method for implementing virtual private networks. Both protocols may be easy to use and readily available, but they have many well-known security issues and exploits. 
Encryption and authentication are both weak.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97083SV-106221CCI-000382Configure the VPN Gateway to prohibit PPTP and L2F.Verify the VPN Gateway is configured to prohibit PPTP and L2F. + +If the VPN Gateway does not be configured to prohibit PPTP and L2F, this is a finding.SRG-NET-000132<GroupDescription></GroupDescription>SRG-NET-000132-VPN-000480For site-to-site VPN implementations, the L2TP protocol must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave.<VulnDiscussion>Unlike GRE (a simple encapsulating header) L2TP is a full-fledged communications protocol with control channel, data channels, and a robust command structure. In addition to PPP, other link layer types (called pseudowires) can be and are defined for delivery in L2TP by separate RFC documents. Further complexity is created by the capability to define vender-specific parameters beyond those defined in the L2TP specifications. + +The endpoint devices of an L2TP connection can be an L2TP Access Concentrator (LAC) in which case it inputs/outputs the layer 2 protocol to/from the L2TP tunnel. Otherwise, it is an L2TP Network Server (LNS), in which case it inputs/outputs the layer 3 (IP) protocol to/from the L2TP tunnel. The specifications describe three reference models: LAC-LNS, LAC-LAC, and LNS-LNS, the first of which is the most common case. The LAC-LNS model allows a remote access user to reach his home network or ISP from a remote location. 
The remote access user connects to a LAC device which tunnels his connection home to an awaiting LNS. The LAC could also be located on the remote user's laptop, which connects to an LNS at home using some generic internet connection. The other reference models may be used for more obscure scenarios. + +Although the L2TP protocol does not contain encryption capability, it can be operated over IPsec, which would provide authentication and confidentiality. A remote user in the LAC-LNS model would most likely obtain a dynamically assigned IP address from the home network to ultimately use through the tunnel back to the home network. Secondly, the outer IP source address used to send the L2TP tunnel packet to the home network is likely to be unknown or highly variable. Thirdly, since the LNS provides the remote user with a dynamic IP address to use, the firewall at the home network would have to be dynamically updated to accept this address in conjunction with the outer tunnel address. Finally, there is also the issue of authentication of the remote user prior to divulging an acceptable IP address. Because of all of these complications, the strict filtering rules applied to the IP-in-IP and GRE tunneling cases will likely not be possible in the L2TP scenario. + +In addition to the difficulty of enforcing addresses and endpoints (as explained above), the L2TP protocol itself is a security concern if allowed through a security boundary. In particular: + +1) L2TP potentially allows link layer protocols to be delivered from afar. These protocols were intended for link-local scope only, are less defended, and not as well-known, +2) The L2TP tunnels can carry IP packets that are very difficult to see and filter because of the additional layer 2 overhead, +3) L2TP is highly complex and variable (vender-specific variability) and therefore would be a viable target that is difficult to defend. 
It is better left outside of the main firewall where less damage occurs if the L2TP-processing node is compromised, +4) Filtering cannot be used to detect and prevent other unintended layer 2 protocols from being tunneled. The strength of the application layer code would have to be relied on to achieve this task, +5) Regardless of whether the L2TP is handled inside or outside of the main network, a secondary layer of IP filtering is required; therefore bringing it inside does not save resources. + +Therefore, it is not recommended to allow unencrypted L2TP packets across the security boundary into the network's protected areas. Reference the Backbone Transport STIG for additional L2TP guidance and use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97085SV-106223CCI-000382If L2TP is used for encapsulation, configure the VPN Gateway or other network element to block or deny this communications protocol unencrypted L2TP packets across the security boundary and into the private network of the enclave.If L2TP communications protocol is not used, this is not applicable. + +Verify the VPN Gateway or another network element (e.g., firewall) is configure to block or deny L2TP packets with a destination address within the private network of the enclave. 
+ +If L2TP communications are allowed to cross the security boundary into the private network of the enclave, this is a finding.SRG-NET-000138<GroupDescription></GroupDescription>SRG-NET-000138-VPN-000490The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. + +Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following. + +(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and + +(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals' in-group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. + +This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN or proxy capability). 
This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97087SV-106225CCI-000764Configure the VPN Gateway to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).Verify the VPN Gateway is configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). + +If the VPN Gateway does not uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.SRG-NET-000140<GroupDescription></GroupDescription>SRG-NET-000140-VPN-000500The VPN Gateway must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.<VulnDiscussion>To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. + +Multifactor authentication uses two or more factors to achieve authentication. Use of password for user remote access for non-privileged account is not authorized. + +Factors include: +(i) Something you know (e.g., password/PIN); +(ii) Something you have (e.g., cryptographic identification device, token); or +(iii) Something you are (e.g., biometric). + +A non-privileged account is any information system account with authorizations of a non-privileged user. 
+ +Network access is any access to a network element by a user (or a process acting on behalf of a user) communicating through a network. + +The DoD CAC with DoD-approved PKI is an example of multifactor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97089SV-106227CCI-000766Configure the VPN Gateway to use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.Verify the VPN Gateway uses multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. + +If the VPN Gateway does not use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts, this is a finding.SRG-NET-000145<GroupDescription></GroupDescription>SRG-NET-000145-VPN-000510The VPN Client must implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. 
+ +A non-privileged account is any information system account with authorizations of a non-privileged user. + +Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection. + +This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97091SV-106229CCI-001939Configure the VPN Client to implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.Verify the VPN Client implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. + +If the VPN Client does not implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.SRG-NET-000147<GroupDescription></GroupDescription>SRG-NET-000147-VPN-000520The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to non-privileged accounts.<VulnDiscussion>A replay attack may enable an unauthorized user to gain access to the application. 
Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. + +An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. + +A non-privileged account is any operating system account with authorizations of a non-privileged user. + +Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. + +This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97093SV-106231CCI-001942Configure the TLS VPN Gateway to use replay-resistant authentication mechanisms for network access to non-privileged accounts.Verify the TLS VPN Gateway is configured to use replay-resistant authentication mechanisms for network access to non-privileged accounts. 
+ +If the TLS VPN is not configured to use replay-resistant authentication mechanisms for network access to non-privileged accounts, this is a finding.SRG-NET-000147<GroupDescription></GroupDescription>SRG-NET-000147-VPN-000530The IPsec VPN Gateway must use anti-replay mechanisms for security associations.<VulnDiscussion>Anti-replay is an IPsec security mechanism at a packet level, which helps to avoid unwanted users from intercepting and modifying an ESP packet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97095SV-106233CCI-001942Configure the IPsec VPN Gateway to use anti-replay mechanisms for security associations.Verify the IPsec VPN Gateway uses anti-replay mechanisms for security associations. + +If the IPsec VPN Gateway does not use anti-replay mechanisms for security associations, this is a finding.SRG-NET-000148<GroupDescription></GroupDescription>SRG-NET-000148-VPN-000540The VPN Gateway must uniquely identify all network-connected endpoint devices before establishing a connection.<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification decisions (as opposed to the actual identifiers) to the services that need to act on those decisions. 
+ +This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97097SV-106235CCI-000778Configure the VPN Gateway to uniquely identify all network-connected endpoint devices before establishing a connection.Verify the VPN Gateway uniquely identifies all network-connected endpoint devices before establishing a connection. + +If the VPN Gateway does not uniquely identify all network-connected endpoint devices before establishing a connection, this is a finding.SRG-NET-000164<GroupDescription></GroupDescription>SRG-NET-000164-VPN-000560The VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. To meet this requirement, the information system must create trusted channels between itself and remote trusted authorized IT product (e.g., syslog server) entities that protect the confidentiality and integrity of communications. 
The information system must create trusted paths between itself and remote administrators and users that protect the confidentiality and integrity of communications. + +A trust anchor is an authoritative entity represented via a public key and associated data. It is most often used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. However, applications that do not use a trusted path are not approved for non-local and remote management of DoD information systems. + +Use of SSHv2 to establish a trusted channel is approved. Use of FTP, TELNET, HTTP, and SNMPV1 is not approved since they violate the trusted channel rule set. Use of web management tools that are not validated by common criteria may also violate the trusted channel rule set. + +When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. + +This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. 
Validation of the certificate status information is out of scope for this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97099SV-106237CCI-000185Configure the VPN Gateway to use PKI-based authentication that validates certificates by constructing a certification path (which includes status information) to an accepted trust anchor.Verify the VPN Gateway to use PKI-based authentication that validates certificates by constructing a certification path (which includes status information) to an accepted trust anchor. + +If PKI-based authentication does not validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor, this is a finding.SRG-NET-000165<GroupDescription></GroupDescription>SRG-NET-000165-VPN-000570The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key.<VulnDiscussion>If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. + +The cornerstone of the PKI is the private key used to encrypt or digitally sign information. 
If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to authenticate to network devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97101SV-106239CCI-000186Configure the site-to-site VPN that uses certificate-based device authentication to use a FIPS-compliant key management process.If PKI-based authentication is not being used for device authentication, this is not applicable. + +Verify the site-to-site VPN that uses certificate-based device authentication uses a FIPS-compliant key management process. + +If the site-to-site VPN that uses certificate-based device authentication does not use a FIPS-compliant key management process, this is a finding.SRG-NET-000166<GroupDescription></GroupDescription>SRG-NET-000166-VPN-000580The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.<VulnDiscussion>The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. AAA network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers. It is not advisable to configure access control on the VPN gateway or remote access server. 
Separation of services provides added assurance to the network if the access control server is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106241V-97103CCI-000187Configure the Remote Access VPN Gateway to use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.Verify the Remote Access VPN Gateway is configured to use a physically separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication. + +If the Remote Access VPN Gateway does not use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication, this is a finding.SRG-NET-000166<GroupDescription></GroupDescription>SRG-NET-000166-VPN-000590The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication.<VulnDiscussion>Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. + +This requirement only applies to components where this is specific to the function of the device or has the concept of a user (e.g., VPN or ALG. 
This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106251V-97113CCI-000187Configure the VPN Gateway to map the authenticated identity to the user account for PKI-based authentication.Verify the VPN Gateway maps the authenticated identity to the user account for PKI-based authentication. + +If the VPN Gateway does not map the authenticated identity to the user account for PKI-based authentication, this is a finding.SRG-NET-000168<GroupDescription></GroupDescription>SRG-NET-000168-VPN-000600The VPN Gateway must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and Government standards. 
Unless required for legacy use, DoD systems should not be configured to use SHA-2 for integrity of remote access sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106253V-97115CCI-000803Configure the VPN Gateway to use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification.Verify the VPN Gateway uses FIPS-validated SHA-2 or higher. + +If the VPN Gateway does not use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification, this is a finding.SRG-NET-000169<GroupDescription></GroupDescription>SRG-NET-000169-VPN-000610The VPN Gateway must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).<VulnDiscussion>Lack of authentication and identification enables non-organizational users to gain access to the network or possibly a VPN gateway that provides opportunity for intruders to compromise resources within the network infrastructure. 
+ +This requirement only applies to components where this is specific to the function of the device or has the concept of a non-organizational user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106255V-97117CCI-000804Configure the VPN Gateway to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).Configure the VPN Gateway to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). + +If the VPN Gateway does not uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users), this is a finding.SRG-NET-000205<GroupDescription></GroupDescription>SRG-NET-000205-VPN-000710The VPN Gateway must be configured to route sessions to an IDPS for inspection.<VulnDiscussion>Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management difficult at best. + +Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. 
+ +Automated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106257V-97119CCI-001097Configure the VPN Gateway to route sessions to an IDPS for inspection.Verify the VPN Gateway routes sessions to an IDPS for inspection. + +If the VPN Gateway is not configured to route sessions to an IDPS for inspection, this is a finding.SRG-NET-000213<GroupDescription></GroupDescription>SRG-NET-000213-VPN-000720The VPN Gateway must terminate all network connections associated with a communications session at the end of the session.<VulnDiscussion>Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP endpoint is still reachable. If one end of a TCP connection idles out or terminates abnormally, the opposite end of the connection may still believe the session is available. These “orphaned” sessions use up valuable router resources and can be hijacked by an attacker. To mitigate this risk, routers must be configured to send periodic keep alive messages to check that the remote end of a session is still connected. 
If the remote device fails to respond to the TCP keep alive message, the sending router will clear the connection and free resources allocated to the session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106259V-97121CCI-001133Configure the VPN Gateway to terminate all network connections associated with a communications session at the end of the session.Verify the VPN Gateway terminates all network connections associated with a communications session at the end of the session. + +If the VPN Gateway does not terminate all network connections associated with a communications session at the end of the session, this is a finding.SRG-NET-000230<GroupDescription></GroupDescription>SRG-NET-000230-VPN-000770The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised. + +VPN gateways utilizing encryption are required to use FIPS compliant mechanisms for authenticating to cryptographic modules. 
+ +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106261V-97123CCI-001184Configure the VPN Gateway to use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.Verify the VPN Gateway uses FIPS 140-2 compliant mechanisms for authentication to a cryptographic module. + +If the VPN Gateway does not use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module, this is a finding.SRG-NET-000230<GroupDescription></GroupDescription>SRG-NET-000230-VPN-000780The IPSec VPN must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE).<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DOD systems should not be configured to use SHA-2 for integrity of remote access sessions. 
+ +This requirement is applicable to the configuration of IKE Phase 1 and Phase 2.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106263V-97125CCI-001184Configure the IPsec VPN Gateway to use IKE with SHA-2 at 384 bits or greater to protect the authenticity of communications sessions.Verify the IPsec VPN Gateway uses IKE with SHA-2 at 384 bits or greater to protect the authenticity of communications sessions. + +If the IPsec VPN Gateway is not configured to use IKE with SHA-2 at 384 bits or greater to protect the authenticity of communications sessions, this is a finding.SRG-NET-000231<GroupDescription></GroupDescription>SRG-NET-000231-VPN-000790The VPN Gateway must invalidate session identifiers upon user logoff or other session termination.<VulnDiscussion>Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. + +Session IDs are tokens generated by web applications to uniquely identify an application user's session. Unique session identifiers or IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session IDs help to reduce predictability of said identifiers. When a user logs out, or when any other session termination event occurs, the VPN gateway must terminate the user session to minimize the potential for an attacker to hijack that particular user session. + +This requirement focuses on communications protection for the application session rather than for the network packet. 
+ +This requirement applies only to any VPN gateway that is an intermediary of individual sessions (e.g., proxy, ALG, or SSL VPN). This requirement focuses on communications protection at the application session, versus network packet level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97127SV-106265CCI-001185Configure the VPN Gateway to invalidate session identifiers upon user logoff or other session termination.Verify the VPN Gateway invalidates session identifiers upon user logoff or other session termination. + +If the VPN Gateway does not invalidate session identifiers upon user logoff or other session termination, this is a finding.SRG-NET-000233<GroupDescription></GroupDescription>SRG-NET-000233-VPN-000800The VPN Gateway must recognize only system-generated session identifiers.<VulnDiscussion>VPN gateways (depending on function) utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session information, the valid user's application session can be compromised. + +Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. + +This requirement focuses on communications protection for the application session rather than for the network packet. 
+ +This requirement applies to any VPN gateway that is an intermediary of individual sessions (e.g., proxy, ALG, TLS VPN). VPN gateways that perform these functions must be able to identify which session identifiers were generated when the sessions were established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97129SV-106267CCI-001664Configure the VPN Gateway to recognize only system-generated session identifiers.Verify the VPN Gateway recognizes only system-generated session identifiers. + +If the VPN Gateway does not recognize only system-generated session identifiers, this is a finding.SRG-NET-000234<GroupDescription></GroupDescription>SRG-NET-000234-VPN-000810The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.<VulnDiscussion>Both IPsec and TLS gateways use the RNG to strengthen the security of the protocols. 
Using a weak RNG will weaken the protocol and make it more vulnerable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97131SV-106269CCI-001188Configure the VPN Gateway to generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.Verify the VPN Gateway generates unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. + +If the VPN Gateway does not generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm, this is a finding.SRG-NET-000235<GroupDescription></GroupDescription>SRG-NET-000235-VPN-000820The VPN Gateway must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.<VulnDiscussion>Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. VPN gateways that fail suddenly and with no incorporated failure state planning may leave the hosting system available but with a reduced security protection capability. Preserving information system state information also facilitates system restart and return to the operational mode of the organization with less disruption to mission-essential processes. + +Abort refers to stopping a program or function before it has finished naturally. 
The term abort refers to both requested and unexpected terminations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97133SV-106271CCI-001190Configure the VPN Gateway to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.Verify the VPN Gateway is configured to fail to a secure state if system initialization fails, shutdown fails, or aborts fail. + +If the VPN Gateway does not fail to a secure state if system initialization fails, shutdown fails, or aborts fail, this is a finding.SRG-NET-000313<GroupDescription></GroupDescription>SRG-NET-000313-VPN-001050The VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity.<VulnDiscussion>Remote access devices, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and makes remote user access management difficult at best. + +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Remote access functionality, such as remote access servers, VPN concentrators, and IDS/IPS devices, must be capable of taking enforcement action if the audit reveals unauthorized activity. 
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97135SV-106273CCI-002314Configure the VPN Gateway to be configured to perform an organization-defined action if the audit reveals unauthorized activity.Verify the VPN Gateway is configured to perform an organization-defined action if the audit reveals unauthorized activity. + +If the VPN Gateway does not be configured to perform an organization-defined action if the audit reveals unauthorized activity, this is a finding.SRG-NET-000314<GroupDescription></GroupDescription>SRG-NET-000314-VPN-001060The VPN Gateway administrator accounts or security policy must be configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed.<VulnDiscussion>Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking progress would not be immediately stopped. + +Remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of mission functions and the need to eliminate immediate or future remote access to organizational information systems. 
+ +The remote access functionality (e.g., VPN, ALG, and RAS) may implement features, such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97137SV-106275CCI-002322Configure the VPN Gateway for functionality, such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack. + +Configure authorized system administrator accounts to allow them to disconnect or disable remote access to remove user under circumstances defined in the VPN SSP.Configure the VPN Gateway for functionality, such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack. + +Configure authorized system administrator accounts to allow them to disconnect or disable remote access to remove user under circumstances defined in the VPN SSP. + +If the VPN Gateway administrator accounts or security policy is not configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed, this is a finding.SRG-NET-000317<GroupDescription></GroupDescription>SRG-NET-000317-VPN-001090The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. 
+ +Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. + +AES is the FIPS-validated cipher block cryptographic algorithm approved for use in DoD. For an algorithm implementation to be listed on a FIPS 140-2 cryptographic module validation certificate as an approved security function, the algorithm implementation must meet all the requirements of FIPS 140-2 and must successfully complete the cryptographic algorithm validation process. Currently, NIST has approved the following confidentiality modes to be used with approved block ciphers in a series of special publications: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97139SV-106277CCI-000068Configure the IPsec Gateway to use AES with IKE. The option on the IKE Phase 1 proposal may also be configured to use the aes-128-cbc, aes-192-cbc, or aes-256-cbc algorithms.Verify all IKE proposals are set to use the AES encryption algorithm. + +View the value of the encryption algorithm for each defined proposal. 
+ +If the value of the encryption algorithm for any IKE proposal is not set to use an AES algorithm, this is a finding.SRG-NET-000320<GroupDescription></GroupDescription>SRG-NET-000320-VPN-001120The VPN Gateway must transmit organization-defined access authorization information using FIPS 140-2-validated cryptography to a compliant authentication server, which enforces access control decisions.<VulnDiscussion>Protecting authentication communications between the client, the VPN Gateway, and the authentication server keeps this critical information from being exploited. + +In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information, supporting security attributes. This is due to the fact that in distributed information systems, there are various access control decisions that need to be made and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. 
+ +This applies to VPN gateways that have the concept of a user account and have the login function residing on the VPN gateway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97141SV-106279CCI-002353Configure the VPN Gateway to transmit organization-defined access authorization information using FIPS 140-2-validated cryptography to a compliant authentication server, which enforces access control decisions.Verify the VPN Gateway transmits organization-defined access authorization information using FIPS 140-2-validated cryptography to a compliant authentication server, which enforces access control decisions. + +If the VPN Gateway does not transmit organization-defined access authorization information using FIPS 140-2-validated cryptography to a compliant authentication server, which enforces access control decisions, this is a finding.SRG-NET-000330<GroupDescription></GroupDescription>SRG-NET-000330-VPN-001220The VPN Gateway must notify the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access).<VulnDiscussion>Users need to be aware of activity that occurs regarding their account. Providing users with information deemed important by the organization may aid in the discovery of unauthorized access or thwart a potential attacker. + +Organizations should consider the risks to the specific information system being accessed and the threats presented by the device to the environment when configuring this option. 
An excessive or unnecessary amount of information presented to the user at logon is not recommended. + +This requirement applies to VPN gateways that have the concept of a user account and have the login function residing on the VPN gateway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97143SV-106281CCI-002250Configure the VPN Gateway to notify the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access).Verity the VPN Gateway notifies the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access). + +If the VPN Gateway does not notify the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access), this is a finding.SRG-NET-000333<GroupDescription></GroupDescription>SRG-NET-000333-VPN-001250The VPN Gateway must provide centralized management and configuration of the content to be captured in log records generated by all network components.<VulnDiscussion>Without the ability to centrally manage the content captured in the log records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. + +The content captured in log records must be managed from a central location (necessitating automation). 
Centralized management of log records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Network components requiring centralized audit log management must have the capability to support centralized management. + +The DoD requires centralized management of all network component audit record content. + +This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This does not apply to audit logs generated on behalf of the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97145SV-106283CCI-001844Configure the VPN Gateway to provide centralized management and configuration of the content to be captured in log records generated by all network components.Verify the VPN Gateway provides centralized management and configuration of the content to be captured in log records generated by all network components. + +If the VPN Gateway does not provide centralized management and configuration of the content to be captured in log records generated by all network components, this is a finding.SRG-NET-000334<GroupDescription></GroupDescription>SRG-NET-000334-VPN-001260The VPN Gateway must off-load audit records onto a different system or media than the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. 
+ +This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This does not apply to audit logs generated on behalf of the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106285V-97147CCI-001851Configure the VPN Gateway to off-load audit records onto a different system or media than the system being audited.Verify the VPN Gateway off-loads log records onto a different system or media than the system being audited. + +If the VPN Gateway does not off-load audit records onto a different system or media than the system being audited, this is a finding.SRG-NET-000335<GroupDescription></GroupDescription>SRG-NET-000335-VPN-001270The VPN Gateway must generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. + +Alerts provide organizations with urgent messages. Automated alerts can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites. 
Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. + +While this requirement also applies to the event monitoring system (e.g., Syslog, Security Information and Event Management [SIEM], or SNMP servers), the VPN Gateway must also be configured to generate a message to the administrator console. + +The VPN daemon facility and log facility are messages in the log, which capture actions performed or errors encountered by system processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106287V-97149CCI-001858Configure the VPN Gateway to generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.Verify the VPN Gateway generates a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. 
+ +If the VPN Gateway does not generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server, this is a finding.SRG-NET-000336<GroupDescription></GroupDescription>SRG-NET-000336-VPN-001280When communications with the Central Log Server is lost, the VPN Gateway must continue to queue traffic log records locally.<VulnDiscussion>If the system were to continue processing after audit failure, actions can be taken on the system that cannot be tracked and recorded for later forensic analysis. + +Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the application supporting the core organizational missions/business operations. In those instances, partial application shutdowns or operating in a degraded mode with reduced capability may be viable alternatives. + +This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). 
This does not apply to audit logs generated on behalf of the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106289V-97151CCI-001861Configure the VPN Gateway to continue to queue traffic log records locally when communications with the Central Log Server is lost.Verify that in the event that communications with the Central Log Server is lost, the VPN Gateway is configured to continue to queue traffic log records locally. + +If the VPN Gateway does not continue to queue traffic log records locally when communications with the Central Log Server is lost, this is a finding.SRG-NET-000337<GroupDescription></GroupDescription>SRG-NET-000337-VPN-001290The VPN Gateway must renegotiate the IPsec security association after eight hours or less.<VulnDiscussion>The IPsec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA is ready for use when the old one expires. The longer the lifetime of the IPsec SA, the longer the lifetime of the session key used to protect IP traffic. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. 
However, a shorter lifetime causes IPsec peers to renegotiate Phase II more often resulting in the expenditure of additional resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106291V-97153CCI-002038Configure the VPN Gateway to renegotiate the IPsec security association after eight hours or less.Verify the VPN Gateway renegotiates the IPsec security association after eight hours or less.SRG-NET-000337<GroupDescription></GroupDescription>SRG-NET-000337-VPN-001300The VPN Gateway must renegotiate the IKE security association after eight hours or less.<VulnDiscussion>When a VPN gateway creates an IPsec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. 
The Internet Key Exchange (IKE) idle timeout may also be set to allow SAs associated with inactive endpoints to be deleted before the SA lifetime has expired, although this setting is not recommended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106293V-97155CCI-002038Configure the VPN Gateway to renegotiate the IKE security association after eight hours or less. Verify the VPN Gateway renegotiates the IKE security association after eight hours or less. + +If the VPN Gateway does not renegotiate the IKE security association after eight hours or less, this is a finding.SRG-NET-000341<GroupDescription></GroupDescription>SRG-NET-000341-VPN-001350The VPN Gateway must accept the Common Access Card (CAC) credential.<VulnDiscussion>The use of Personal Identity Verification (PIV) credentials facilitates standardization and reduces the risk of unauthorized access. 
DoD has mandated the use of the CAC as the PIV credential to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97157SV-106295CCI-001953Configure the VPN Gateway to accept the CAC credential.Verify the VPN Gateway accepts PIV credentials. + +If the VPN Gateway does not accept the CAC credential, this is a finding.SRG-NET-000342<GroupDescription></GroupDescription>SRG-NET-000342-VPN-001360The VPN Gateway must electronically verify the Common Access Card (CAC) credential.<VulnDiscussion>DoD has mandated the use of the CAC as the Personal Identity Verification (PIV) credential to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97159SV-106297CCI-001954Configure the VPN Gateway to electronically verify the CAC credential.Verify the VPN Gateway electronically verifies the CAC credential. 
+ +If the VPN Gateway does not electronically verify Personal Identity Verification (PIV) credentials, this is a finding.SRG-NET-000343<GroupDescription></GroupDescription>SRG-NET-000343-VPN-001370The VPN Gateway must authenticate all network-connected endpoint devices before establishing a connection.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions. + +This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply. + +Device authentication is a solution enabling an organization to manage devices. 
It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106315V-97177CCI-001958Configure the VPN Gateway to authenticate all network-connected endpoint devices before establishing a connection.Verity the VPN Gateway authenticates all network-connected endpoint devices before establishing a connection. + +If the VPN Gateway does not authenticate all network-connected endpoint devices before establishing a connection, this is a finding.SRG-NET-000352<GroupDescription></GroupDescription>SRG-NET-000352-VPN-001460The VPN Gateway must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. + +The National Security Agency/Central Security Service's (NSA/CSS) CSfC Program enables commercial products to be used in layered solutions to protect classified National Security Systems (NSS) data. Currently, Suite B cryptographic algorithms are specified by NIST and are used by NSA's Information Assurance Directorate in solutions approved for protecting classified and unclassified NSS. 
However, quantum resistant algorithms will be required for future required Suite B implementations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106317V-97179CCI-002450Configure the VPN Gateway to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.Verify the VPN Gateway uses an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network. + +If the VPN Gateway does not use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network, this is a finding.SRG-NET-000369<GroupDescription></GroupDescription>SRG-NET-000369-VPN-001620The VPN Gateway must disable split-tunneling for remote clients VPNs.<VulnDiscussion>Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. + +A VPN hardware or software client with split tunneling enabled provides an unsecured backdoor to the enclave from the Internet. With split tunneling enabled, a remote client has access to the Internet while at the same time has established a secured path to the enclave via an IPsec tunnel. A remote client connected to the Internet that has been compromised by an attacker in the Internet, provides an attack base to the enclave’s private network via the IPsec tunnel. 
Hence, it is imperative that the VPN gateway enforces a no split-tunneling policy to all remote clients.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106319V-97181CCI-002397Configure the VPN Gateway to disable split-tunneling for remote clients VPNs.Verify the VPN Gateway disables split-tunneling for remote clients VPNs. + +If the VPN Gateway does not disable split-tunneling for remote clients VPNs, this is a finding.SRG-NET-000371<GroupDescription></GroupDescription>SRG-NET-000371-VPN-001640The IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation.<VulnDiscussion>PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications. + +The phase 2 (Quick Mode) Security Association (SA) is used to create an IPsec session key. Hence, its rekey or key regeneration procedure is very important. The phase 2 rekey can be performed with or without PFS. With PFS, every time a new IPsec Security Association is negotiated during the Quick Mode, a new Diffie-Hellman (DH) exchange occurs. The new DH shared secret will be included with original keying material (SYKEID_d, initiator nonce, and responder nonce) from phase 1 for generating a new IPsec session key. If PFS is not used, the IPsec session key will always be completely dependent on the original keying material from the Phase-1. Hence, if an older key is compromised at any time, it is possible that all new keys may be compromised. 
+ +The DH exchange is performed in the same manner as was done in phase 1 (Main or Aggressive Mode). However, the phase 2 exchange is protected by encrypting the phase 2 packets with the key derived from the phase 1 negotiation. Because DH negotiations during phase 2 are encrypted, the new IPsec session key has an added element of secrecy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106321V-97183CCI-002418Configure the IPsec VPN Gateway to specify PFS during IKE negotiation.Verify the IPsec VPN Gateway specifies PFS during IKE negotiation. + +If the IPsec VPN Gateway does not specify PFS during IKE negotiation, this is a finding.SRG-NET-000371<GroupDescription></GroupDescription>SRG-NET-000371-VPN-001650The VPN Gateway and Client must be configured to protect the confidentiality and integrity of transmitted information.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. + +This requirement also applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
+ +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + +For example, configure all ISAKMP policies to use AES for Internet Key Exchange (IKE) cryptographic encryption operations and SHA-2 to protect data integrity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97185SV-106323CCI-002418Configure the VPN Gateway and the remote access client to protect the confidentiality and integrity of transmitted information.Verify the VPN Gateway and the remote access client are configured to protect the confidentiality and integrity of transmitted information. + +If VPN Gateway and Client does not protect the confidentiality and integrity of transmitted information, this is a finding.SRG-NET-000375<GroupDescription></GroupDescription>SRG-NET-000375-VPN-001690The IPsec VPN Gateway must use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations.<VulnDiscussion>ESP provides confidentiality, data origin authentication, integrity, and anti-replay services within the IPsec suite of protocols. ESP in tunnel mode ensures a secure path for communications for site-to-site VPNs and gateway to endpoints, including header information. 
+ +ESP can be deployed in either transport or tunnel mode. Transport mode is used to create a secured session between two hosts. It can also be used when two hosts simply want to authenticate each IP packet with IPsec authentication header (AH). With ESP transport mode, only the payload (transport layer) is encrypted, whereas with tunnel mode, the entire IP packet is encrypted and encapsulated with a new IP header. Tunnel mode is used to encrypt traffic between secure IPsec gateways or between an IPsec gateway and an end-station running IPsec software. Hence, it is the only method to provide a secured path to transport traffic between remote sites or end-stations and the central site.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106325V-97187CCI-002423Configure the IPsec VPN Gateway to use ESP in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations.Verify the IPsec VPN Gateway uses ESP in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations. 
+ +If the IPsec VPN Gateway does not enable ESP tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations, this is a finding.SRG-NET-000400<GroupDescription></GroupDescription>SRG-NET-000400-VPN-001940For accounts using password authentication, the site-to-site VPN Gateway must use SHA-2 or later protocol to protect the integrity of the password authentication process.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. + +Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and Government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-2 for integrity of remote access sessions. + +The information system must specify the hash algorithm used for authenticating passwords. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. + +Pre-shared key cipher suites may only be used in networks where both the client and server belong to the same organization. 
Cipher suites using pre-shared keys shall not be used with TLS 1.0 or 1.1 and shall not be used with TLS 1.2 when a Government client or server communicates with non-government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97189SV-106327CCI-000197For accounts using password authentication, configure the VPN Gateway to use SHA-2 or later protocol to protect the integrity of the password authentication process.For accounts using password authentication, verify the VPN Gateway uses SHA-2 or later protocol to protect the integrity of the password authentication process. + +For accounts using password authentication, if the VPN Gateway does not use SHA-2 or later protocol to protect the integrity of the password authentication process, this is a finding.SRG-NET-000492<GroupDescription></GroupDescription>SRG-NET-000492-VPN-001980The VPN Gateway must generate log records when successful and/or unsuccessful VPN connection attempts occur.<VulnDiscussion>Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. + +Log records can be generated from various components within the information system (e.g., module or policy filter). + +This requirement only applies to components where this is specific to the function of the device, such as application layer gateway (ALG), which provides these access control and auditing functions on behalf of an application. 
This does not apply to audit logs generated on behalf of the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97191SV-106329CCI-000172Configure the VPN Gateway to generate log records when successful and/or unsuccessful VPN connection attempts occur.Verify the VPN Gateway generates log records when successful and/or unsuccessful VPN connection attempts occur. + +If the VPN Gateway does not generate log records when successful and/or unsuccessful VPN connection attempts occur, this is a finding.SRG-NET-000510<GroupDescription></GroupDescription>SRG-NET-000510-VPN-002160The VPN Gateway must use a FIPS-validated cryptographic module to generate cryptographic hashes.<VulnDiscussion>FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plain text. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2 standard. + +The cryptographic module used must have at least one validated hash algorithm. 
This validated hash algorithm must be used to generate cryptographic hashes for all cryptographic security function within the product being evaluated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97193SV-106331CCI-002450Configure the VPN Gateway to use a FIPS-validated cryptographic module to generate cryptographic hashes.Verify the VPN Gateway uses a FIPS-validated cryptographic module to generate cryptographic hashes. + +If the VPN Gateway does not use a FIPS-validated cryptographic module to generate cryptographic hashes, this is a finding.SRG-NET-000510<GroupDescription></GroupDescription>SRG-NET-000510-VPN-002170The VPN Gateway must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.<VulnDiscussion>FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plain text. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2 standard. + +The cryptographic module used must have one FIPS-validated encryption algorithm (i.e., validated Advanced Encryption Standard [AES]). 
This validated algorithm must be used for encryption for cryptographic security function within the product being evaluated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97195SV-106333CCI-002450Configure the VPN Gateway to use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.Verify the VPN Gateway uses a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality. + +If the VPN Gateway does not use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality, this is a finding.SRG-NET-000510<GroupDescription></GroupDescription>SRG-NET-000510-VPN-002180The IPsec VPN Gateway IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. 
The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97197SV-106335CCI-002450Configure the IPsec VPN Gateway IKE to use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.Verify the IPsec VPN Gateway IKE uses a NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic. + +If the IPsec VPN Gateway IKE does not use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic, this is a finding.SRG-NET-000512<GroupDescription></GroupDescription>SRG-NET-000512-VPN-002220The IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).<VulnDiscussion>Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption keys. + +An IPsec SA is established using either Internet Key Exchange (IKE) or manual configuration. When using IKE, the security associations are established when needed and expire after a period of time or volume of traffic threshold. If manually configured, they are established as soon as the configuration is complete at both end points and they do not expire. When using IKE, the Security Parameter Index (SPI) for each security association is a pseudo-randomly derived number. 
+ +With manual configuration of the IPsec security association, both the cipher key and authentication key are static. Hence, if the keys are compromised, the traffic being protected by the current IPsec tunnel can be decrypted as well as traffic in any future tunnels established by this SA. Furthermore, the peers are not authenticated prior to establishing the SA, which could result in a rogue device establishing an IPsec SA with either of the VPN end points. + +IKE provides primary authentication to verify the identity of the remote system before negotiation begins. This feature is lost when the IPsec security associations are manually configured, which results in a non-terminating session using static pre-shared keys.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97199SV-106337CCI-000366Configure the IPsec VPN Gateway to use IKE and IPsec VPN SAs.Verify the IKE protocol is specified for all IPsec VPNs. + +If the IKE protocol is not specified as an option on all VPN gateways, this is a finding.SRG-NET-000518<GroupDescription></GroupDescription>SRG-NET-000518-VPN-002280The VPN Client logout function must be configured to terminate the session on/with the VPN Gateway.<VulnDiscussion>If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. + +However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to terminating sessions. 
+ +This applies to VPN gateways that have the concept of a user account and have the login function residing on the VPN gateway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97203SV-106341CCI-002363Configure the VPN Client logout log out function must be configured to terminate the session on/with the VPN Gateway.Verify the VPN Client logout function is configured to terminate the session on/with the VPN Gateway. + +If the VPN Client logout function does not terminate the session on/with the VPN Gateway, this is a finding.SRG-NET-000519<GroupDescription></GroupDescription>SRG-NET-000519-VPN-002290The VPN Client must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.<VulnDiscussion>If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated. + +Logout messages for access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to terminating sessions. 
+ +This applies to VPN gateways that have the concept of a user account and have the login function residing on the VPN gateway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106343V-97205CCI-002364Configure the VPN Client to display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.Verify the VPN Client displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. + +If the VPN Client does not display an explicit logout message to users indicating the reliable termination of authenticated communications sessions, this is a finding.SRG-NET-000522<GroupDescription></GroupDescription>SRG-NET-000522-VPN-002320For site-to-site, VPN Gateway must be configured to store only cryptographic representations of pre-shared Keys (PSKs).<VulnDiscussion>Pre-shared keys need to be protected at all times, and encryption is the standard method for protecting passwords. If PSKs are not encrypted, they can be plainly read and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. + +NIST SP 800-52 Rev 2 provides guidance for using pre-shared keys with VPN gateways. PSKs may only be used in networks where both the client and server belong to the same organization. + +PSKs used for site-to-site VPNs are considered by the SRG as a type of password. If this shared secret is already encrypted and not in plaintext, this meets this requirement. 
This requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. This method uses a one-way hashing encryption algorithm with a salt value to validate a user's password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security. + +Use a keyed hash message authentication code (HMAC). HMAC calculates a message authentication code via a cryptographic hash function used in conjunction with an encryption key. The key must be protected as with any private key.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106345V-97207CCI-000196Configure the VPN Gateway to store only cryptographic representations of the PSK.Verify the VPN Gateway stores only cryptographic representations of the PSK. + +If the VPN Gateway does not store only cryptographic representations of the PSK, this is a finding.SRG-NET-000525<GroupDescription></GroupDescription>SRG-NET-000525-VPN-002330The IPsec VPN must use AES256 or greater encryption for the IPsec proposal to protect the confidentiality of remote access sessions.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. + +Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. 
+ +A block cipher mode is an algorithm that features the use of a symmetric key block cipher algorithm to provide an information service, such as confidentiality or authentication. + +AES is the FIPS-validated cipher block cryptographic algorithm approved for use in DOD. For an algorithm implementation to be listed on a FIPS 140-2/140-3 cryptographic module validation certificate as an approved security function, the algorithm implementation must meet all the requirements of FIPS 140-2/140-3 and must successfully complete the cryptographic algorithm validation process. Currently, NIST has approved the following confidentiality modes to be used with approved block ciphers in a series of special publications: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106347V-97209CCI-000068Configure the IPsec Gateway to use AES256 or greater for the IPsec proposal.Verify all Internet Key Exchange (IKE) proposals are set to use the AES256 or greater encryption algorithm. + +View the value of the encryption algorithm for each defined proposal. 
+ +If the value of the encryption algorithm for any IPsec proposal is not set to use an AES256 or greater algorithm, this is a finding.SRG-NET-000530<GroupDescription></GroupDescription>SRG-NET-000530-VPN-002340The TLS VPN Gateway that supports Government-only services must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.<VulnDiscussion>Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. + +This requirement applies to TLS gateways (also known as SSL gateways), web servers, and web applications. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DoD-only or public-facing servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106349V-97211CCI-001453Configure the TLS VPN Gateway that supports Government-only services to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.Verify the TLS VPN Gateway that supports Government-only services prohibits client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0. 
+ +If the TLS VPN Gateway that supports Government-only services does not prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0, this is a finding.SRG-NET-000540<GroupDescription></GroupDescription>SRG-NET-000540-VPN-002350The TLS VPN Gateway that supports citizen- or business-facing network devices must prohibit client negotiation to SSL 2.0 or SSL 3.0.<VulnDiscussion>Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. + +This requirement applies to public-facing or external-facing devices such as TLS gateways (also known as SSL gateways), web servers, and web applications. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance. + +The minimum TLS version required by DoD is 1.2. However, devices and applications may allow client negotiation for systems supporting citizen- and business-facing applications. These devices may be configured to support TLS version 1.1 and 1.0 to enable interaction with citizens and businesses. 
These devices must not support SSL version 3.0 or earlier.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106351V-97213CCI-001453Configure the TLS VPN Gateway that supports citizen- or business-facing network devices to prohibit client negotiation to SSL 2.0 or SSL 3.0.Verify the TLS VPN Gateway that supports citizen- or business-facing network devices prohibits client negotiation to SSL 2.0 or SSL 3.0. + +If the TLS VPN Gateway that supports citizen- or business-facing network devices does not prohibit client negotiation to SSL 2.0 or SSL 3.0, this is a finding.SRG-NET-000550<GroupDescription></GroupDescription>SRG-NET-000550-VPN-002360The VPN Gateway that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm.<VulnDiscussion>Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. + +SNMPv3 supports authentication, authorization, access control, and privacy, while previous versions of the protocol contained well-known security weaknesses, which were easily exploited. SNMPv3 can be configured for identification and bidirectional, cryptographically based authentication. + +A typical SNMP implementation includes three components: managed device, SNMP agent, and NMS. 
The SNMP agent is the SNMP process that resides on the managed device and communicates with the network management system. The NMS is a combination of hardware and software that is used to monitor and administer a network. The SNMP data is stored in a highly structured, hierarchical format known as a management information base (MIB). The SNMP manager collects information about network connectivity, activity, and events by polling managed devices. + +SNMPv3 defines a user-based security model (USM), and a view-based access control model (VACM). SNMPv3 USM provides data integrity, data origin authentication, message replay protection, and protection against disclosure of the message payload. SNMPv3 VACM provides access control to determine whether a specific type of access (read or write) to the management information is allowed. Implement both VACM and USM for full protection. + +SNMPv3 server services must not be configured on products whose primary purpose is not to provide SNMP services. SNMP client services may be configured on the VPN gateway, application, or operating system to allow limited monitoring or querying of the device from by an SNMP server for management purposes. SNMP of any version will not be used to make configuration changes to the device. SNMPv3 must be disabled by default and enabled only if used. SNMP v3 provides security feature enhancements to SNMP, including encryption and message authentication. + +Currently, the AES cipher block algorithm can be used for both applying cryptographic protection (e.g., encryption) and removing or verifying the protection that was previously applied (e.g., decryption) in DoD. The use of FIPS-approved algorithms for both cryptographic mechanisms is required. If any version of SNMP is used for remote administration, default SNMP community strings such as "public" and "private" should be removed before real community strings are put into place. 
If the defaults are not removed, an attacker could retrieve real community strings from the device using the default string.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106353V-97215CCI-001967For the VPN Gateway that provides a SNMP NMS, configure SNMPv3 to use FIPS-validated AES cipher block algorithm.Verify the VPN Gateway that provides a SNMP NMS is configured to use SNMPv3 to use FIPS-validated AES cipher block algorithm. + +If the VPN Gateway that provides a SNMP NMS does not configure SNMPv3 to use FIPS-validated AES cipher block algorithm, this is a finding.SRG-NET-000565<GroupDescription></GroupDescription>SRG-NET-000565-VPN-002390The VPN remote access server must be configured use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the Federal Government since this provides assurance they have been tested and validated. + +NIST cryptographic algorithms approved by NSA to protect NSS. Based on an analysis of the impact of quantum computing, cryptographic algorithms specified by CNSSP-15 and approved for use in products in the CSfC program, the approved algorithms have been changed to more stringent protocols configure with increased bit sizes and other secure characteristics to protect against quantum computing threats. 
The Commercial National Security Algorithm Suite (CNSA Suite) replaces Suite B.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106355V-97217CCI-002450Configure the IPsec VPN Gateway to use cryptography that is compliant with NSA/CSS parameters to protect NSS for remote access to a classified network.Verify the VPN gateway is configured to use cryptography that is compliant with NSA/CSS parameters to protect NSS for remote access to a classified network. + +If the VPN gateway is not configured to use cryptography that is compliant with NSA/CSS parameters to protect NSS for remote access to a classified network, this is a finding.SRG-NET-000565<GroupDescription></GroupDescription>SRG-NET-000565-VPN-002400The VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the Federal Government since this provides assurance they have been tested and validated. + +NIST cryptographic algorithms approved by NSA to protect NSS. Based on an analysis of the impact of quantum computing, cryptographic algorithms specified by CNSSP-15 and approved for use in products in the CSfC program, the approved algorithms have been changed to more stringent protocols configure with increased bit sizes and other secure characteristics to protect against quantum computing threats. 
The Commercial National Security Algorithm Suite (CNSA Suite) replaces Suite B.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106357V-97219CCI-002450Configure the IPsec VPN Gateway Internet Key Exchange (IKE) to use cryptography that is compliant with NSA/CSS parameters when transporting classified traffic across an unclassified network.Verify the VPN gateway IKE Phase 1 and Phase 2 are configured to use cryptography that is compliant with NSA/CSS parameters when transporting classified traffic across an unclassified network. + +If the VPN gateway is not configured to use cryptography that is compliant with NSA/CSS parameters when transporting classified traffic across an unclassified network, this is a finding.SRG-NET-000580<GroupDescription></GroupDescription>SRG-NET-000580-VPN-002410The VPN Gateway must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.<VulnDiscussion>A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. + +Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. 
Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106359V-97221CCI-000185Configure the VPN Gateway to validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.Verify the VPN Gateway validates TLS certificates by performing RFC 5280-compliant certification path validation. + +If the VPN Gateway does not validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation, this is a finding.SRG-NET-000213<GroupDescription></GroupDescription>SRG-NET-000213-VPN-000721The Remote Access VPN Gateway must terminate remote access network connections after an organization-defined time period.<VulnDiscussion>This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment. + +Best practice is to terminate inactive user sessions after a period; however, when setting timeouts to any VPN connection, the organization must take into consideration the risk to the mission and the purpose of the VPN. VPN connections that provide user access to the network are the prime candidates for VPN session termination and are the primary focus of this requirement. 
+ +To determine if and when the VPN connections warrant termination, the organization must perform a risk assessment to identify the use case for the VPN and determine if periodic VPN session termination puts the mission at significant risk. + +The organization must document the results and the determination of the risk assessment in the VPN section of the SSP. The organization must also configure VPN session terminations in accordance with the risk assessment. +Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection. + +This requirement applies to any network element that tracks individual sessions (e.g., stateful inspection firewall, ALG, or VPN).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-001133CCI-000057This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment. 
VPN connections that provide user access to the network are the prime candidates for VPN session termination and are the primary focus of this requirement. + +Conduct a risk assessment to identify the use case for the VPN and determine if periodic VPN session termination puts the mission at risk of failure. + +Identify the organizations' VPN session termination periodic value based on the risk assessment. Add the results of the risk assessment and the session termination values to the site's SSP documents. + +Configure the VPN gateway to periodically terminate all remote network connections in accordance with the values defined in the SSP.This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment. VPN connections that provide user access to the network are the prime candidates for VPN session termination and are the primary focus of this requirement. + +Review the system security plan. Verify the VPN gateway session termination is configured in accordance with the value specified in the SSP. + +If a risk assessment has not been conducted and an organization-defined session termination period is not addressed/documented in the SSP, this is a finding. + +If the VPN gateway is not configured to terminate all remote access network connections in accordance with the values defined in the SSP, this is a finding.SRG-NET-000345-VPN-002430<GroupDescription></GroupDescription>SRG-NET-000345-VPN-002430The VPN Gateway must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.<VulnDiscussion>Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). 
+ +This requirement only applies to components where this is specific to the function of the device or has the concept of a user (e.g., VPN or proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-001991If PKI-based user authentication intermediary services are provided, configure the VPN to implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.If the VPN does not provide PKI-based user authentication intermediary services, this is not applicable. + +Verify the VPN implements a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. + +If the VPN does not implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, this is a finding. +SRG-NET-000580-VPN-002431<GroupDescription></GroupDescription>SRG-NET-000580-VPN-002431The VPN Gateway must configure OCSP to ensure revoked user certificates are prohibited from establishing an allowed session.<VulnDiscussion>Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. One example is if the certificate is known to have been compromised. 
+ +When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the revocation list configured for use by the VPN server is checked to see if the certificate is valid. If the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-001991Configure the VPN Gateway to reject user certificates that have been revoked when using DOD PKI for authentication.Verify the VPN Gateway rejects user certificates that have been revoked when using DOD PKI for authentication. + +If the VPN Gateway does not configure OCSP and/or CRL to reject revoked user credentials that are prohibited from establishing an allowed session, this is a finding. +SRG-NET-000580-VPN-002432<GroupDescription></GroupDescription>SRG-NET-000580-VPN-002432The VPN Gateway must configure OCSP to ensure revoked machine certificates are prohibited from establishing an allowed session.<VulnDiscussion>Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised. + +When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the revocation list configured for use by the VPN server is checked to see if the certificate is valid. 
If the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-001991Configure the VPN Gateway to reject machine certificates that have been revoked when using DOD PKI for authentication.Verify the VPN Gateway rejects machine certificates that have been revoked when using DOD PKI for authentication. + +If the VPN Gateway does not configure OCSP and/or CRL to reject revoked machine credentials that are prohibited from establishing an allowed session, this is a finding. +SRG-NET-000355-VPN-002433<GroupDescription></GroupDescription>SRG-NET-000355-VPN-002433The VPN Gateway providing authentication intermediary services must only accept end entity certificates (user or machine) issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of VPN sessions.<VulnDiscussion>Untrusted Certificate Authorities (CAs) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. + +The DOD will only accept PKI certificates obtained from a DOD-approved internal or external Certificate Authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. 
Reliance on CAs for the establishment of secure sessions includes, for example, the use of Internet Key Exchange (IKE). + +This requirement focuses on communications protection for the application session rather than for the network packet. VPN gateways that perform these functions must be able to identify which session identifiers were generated when the sessions were established. Certificates for both user and machines must be validated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-002470Configure the VPN Gateway to only allow the use of DOD PKI-established CAs for the establishment of VPN sessions. Configure validation for both the user and machine certificates.If the VPN Gateway does not provide PKI-based user authentication intermediary services, this is not applicable. + +Verify the VPN Gateway only allows the use of DOD PKI-established CA for verification when establishing VPN sessions. + +Verify both user and machine certificates are being validated when establishing VPN sessions. 
+ +If the VPN Gateway does not validate user and machine certificates using DOD PKI-established certificate authorities, this is a finding.SRG-NET-000019-VPN-002435<GroupDescription></GroupDescription>SRG-NET-000019-VPN-002435The TLS VPN must be configured to limit authenticated client sessions to initial session source IP.<VulnDiscussion>Limiting authenticated client sessions to the initial session source IP for TLS VPNs is a safeguard against session hijacking, replay, and man-in-the-middle attacks, maintaining integrity and confidentiality of communication between clients and servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-001414Configure the TLS VPN Gateway to limit authenticated client sessions to initial session source IP.Verify the TLS VPN Gateway limits authenticated client sessions to initial session source IP. + +If the TLS VPN Gateway does not limit authenticated client sessions to initial session source IP, this is a finding.SRG-NET-000230-VPN-002436<GroupDescription></GroupDescription>SRG-NET-000230-VPN-002436The VPN Gateway must use Always On VPN connections for remote computing.<VulnDiscussion>Allowing remote users to manually toggle a VPN connection can create critical security risks. With Always On VPN, if a secured connection to the gateway is lost, hybrid-working users will simply be disconnected from the internet until the issue is solved. + +"Always On" is a term that describes a VPN connection that is secure and always on after the initial connection is established. 
An Always On VPN deployment establishes a VPN connection with the client without the need for user interaction (e.g., user credentials). The remote client must not be able to access the internet without first establishing a VPN session with a DOD site. + +Note that device compliance checks are still required prior to connecting to DOD resources. Although out of scope for this requirement, the connection process must ensure remote devices meet security standards before accessing DOD resources. Devices that fail to meet compliance requirements can be denied access, reducing the risk of compromised endpoints.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920CCI-001184Configure the VPN Gateway to enable Always On VPN connections for all remote users. The remote client must not be able to access the internet without first establishing a VPN session with a DOD site.Verify that the VPN Gateway uses an Always On VPN connection for remote computing. + +If the VPN Gateway does not use an Always On VPN connection for remote computing, this is a finding. + \ No newline at end of file diff --git a/benchmarks/DISA/U_Web_Server_V3R3_Manual-xccdf.xml b/benchmarks/DISA/U_Web_Server_V3R3_Manual-xccdf.xml new file mode 100644 index 000000000..c49dd26d2 --- /dev/null +++ b/benchmarks/DISA/U_Web_Server_V3R3_Manual-xccdf.xml 
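Review bot: In the U_VPN_SRG_V2R6_Manual-xccdf.xml hunk, the six new rules (SRG-NET-000345-VPN-002430, SRG-NET-000580-VPN-002431, SRG-NET-000580-VPN-002432, SRG-NET-000355-VPN-002433, SRG-NET-000019-VPN-002435, SRG-NET-000230-VPN-002436) reuse the full rule id as their group id, whereas the rest of the file keys groups on the bare SRG id (group SRG-NET-000019 for rule SRG-NET-000019-VPN-000040, group SRG-NET-000213 for SRG-NET-000213-VPN-000721); anything that folds findings under their parent SRG will see these as six singleton groups, so the group ids should be normalized to the base form (e.g. SRG-NET-000580 for both of the revocation rules). Two further points in the same hunk: the titles of SRG-NET-000580-VPN-002431/-002432 say the gateway "must configure OCSP", while their check text fails on "does not configure OCSP and/or CRL", so either the title should mention CRL or the check should be narrowed to OCSP; and the SRG-NET-000213-VPN-000721 discussion carries a paragraph about "a management session enabled on the console or console port" of "the managed network element", which describes device-management idle timeouts rather than remote-access user sessions and reads as pasted from another SRG. Style: the file is written without a trailing newline ("\ No newline at end of file"), and the text mixes "DoD" (the OIG audit reference in -000721) with "DOD" (the PKI wording in -002431 onward).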
@@ -0,0 +1,562 @@ +acceptedWeb Server Security Requirements GuideThis Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 08 Apr 20243.4.1.229161.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000001<GroupDescription></GroupDescription>SRG-APP-000001-WSR-000001The web server must limit the number of allowed simultaneous session requests.<VulnDiscussion>Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. + +Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. 
While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-53018V-40791CCI-000054Configure the web server to limit the number of concurrent sessions.Review the web server documentation and configuration to determine if the number of simultaneous sessions is limited. + +If the parameter is not configured or is unlimited, this is a finding.SRG-APP-000001<GroupDescription></GroupDescription>SRG-APP-000001-WSR-000002The web server must perform server-side session management.<VulnDiscussion>Session management is the practice of protecting the bulk of the user authorization and identity information. Storing of this data can occur on the client system or on the server. + +When the session information is stored on the client, the session ID, along with the user authorization and identity information, is sent along with each client request and is stored in either a cookie, embedded in the uniform resource locator (URL), or placed in a hidden field on the displayed form. Each of these offers advantages and disadvantages. The biggest disadvantage to all three is the hijacking of a session along with all of the user's credentials. + +When the user authorization and identity information is stored on the server in a protected and encrypted database, the communication between the client and web server will only send the session identifier, and the server can then retrieve user credentials for the session when needed. 
If, during transmission, the session were to be hijacked, the user's credentials would not be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-53023V-40792CCI-000054Configure the web server to perform server-side session management.Review the web server documentation and configuration to determine if server-side session management is configured. + +If it is not configured, this is a finding.SRG-APP-000014<GroupDescription></GroupDescription>SRG-APP-000014-WSR-000006The web server must use encryption strength in accordance with the categorization of data hosted by the web server when remote connections are provided.<VulnDiscussion>The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. 
+ +Methods of communication are http for publicly displayed information, https to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-53037V-40800CCI-000068Configure the web server to use encryption strength equal to the categorization of data hosted when remote connections are provided.Review the web server documentation and configuration to determine the communication methods that are being used. + +Verify the encryption being used is in accordance with the categorization of data being hosted when remote connections are provided. + +If it is not, then this is a finding.SRG-APP-000015<GroupDescription></GroupDescription>SRG-APP-000015-WSR-000014The web server must use cryptography to protect the integrity of remote sessions.<VulnDiscussion>Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. 
To protect the integrity and trust, encryption methods should be used to protect the complete communication session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-53068V-40819CCI-001453Configure the web server to utilize encryption during remote access sessions.Review the web server documentation and configuration to make certain that the web server is configured to use cryptography to protect the integrity of remote access sessions. + +If the web server is not configured to use cryptography to protect the integrity of remote access sessions, this is a finding.SRG-APP-000016<GroupDescription></GroupDescription>SRG-APP-000016-WSR-000005The web server must generate information to be used by external applications or entities to monitor and control remote access.<VulnDiscussion>Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. + +By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. 
+ +Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-53035V-40799CCI-000067Configure the web server to provide remote connection information to external monitoring and access control applications.Review the web server documentation and configuration to determine if the web server is configured to generate information for external applications monitoring remote access. + +If a mechanism is not in place providing information to an external application used to monitor and control access, this is a finding.SRG-APP-000033<GroupDescription></GroupDescription>SRG-APP-000033-WSR-000169The web server must enforce approved authorizations for logical access to hosted applications and resources in accordance with applicable access control policies.<VulnDiscussion>To control access to sensitive information and hosted applications by entities that have been issued certificates by DoD-approved PKIs, the web server must be properly configured to incorporate a means of authorization that does not simply rely on the possession of a valid certificate for access. Access decisions must include a verification that the authenticated entity is permitted to access the information or application. Authorization decisions must leverage a variety of methods, such as mapping the validated PKI certificate to an account with an associated set of permissions on the system. 
If the web server relied only on the possession of the certificate and did not map to system roles and privileges, each user would have the same abilities and roles to make changes to the production system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70199V-55945CCI-000213Configure the web server to validate the authenticated entity's authorization to access requested content prior to granting access.The web server must be configured to perform an authorization check to verify that the authenticated entity should be granted access to the requested content. + +If the web server does not verify that the authenticated entity is authorized to access the requested content prior to granting access, this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>SRG-APP-000089-WSR-000047The web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.<VulnDiscussion>Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. + +The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. 
If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54177V-41600CCI-000169Configure the web server to generate log records for system startup and shutdown, system access, and system authentication events.Review the web server documentation and the deployed system configuration to determine if, at a minimum, system startup and shutdown, system access, and system authentication events are logged. + +If the logs do not include the minimum logable events, this is a finding.SRG-APP-000092<GroupDescription></GroupDescription>SRG-APP-000092-WSR-000055The web server must initiate session logging upon start up.<VulnDiscussion>An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missed and not available during a forensic investigation. 
To assure all logable events are captured, the web server must begin logging once the first web server process is initiated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54188V-41611CCI-001464Configure the web server to capture logable events upon startup.Review the web server documentation and deployed configuration to determine if the web server captures log data as soon as the web server is started. + +If the web server does not capture logable events upon startup, this is a finding.SRG-APP-000095<GroupDescription></GroupDescription>SRG-APP-000095-WSR-000056The web server must produce log records containing sufficient information to establish what type of events occurred.<VulnDiscussion>Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. + +For web servers, events logging includes, but is not limited to, the detection of the following: +• XSS attacks (detect in server, mproxy, and WAF types logs). +• Cross Site Request Forgery attacks. +• Web Cache Poisoning. +• Instances of Session Hijacking. +• Instances of Server Side Request Forgery. + +Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. + +Without sufficient information establishing what type of log event occurred, investigation into the cause of event is severely hindered. 
Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54189V-41612CCI-000130Configure the web server to record sufficient information to establish what type of events occurred.Review the web server documentation and deployed configuration to determine if the web server contains sufficient information to establish what type of event occurred. + +Request a user access the hosted applications, and verify sufficient information is recorded. + +If sufficient information is not logged, this is a finding.SRG-APP-000096<GroupDescription></GroupDescription>SRG-APP-000096-WSR-000057The web server must produce log records containing sufficient information to establish when (date and time) events occurred.<VulnDiscussion>Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. + +Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. 
+ +Without sufficient information establishing when the log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54190V-41613CCI-000131Configure the web server to log date and time with the event.Review the web server documentation and deployment configuration to determine if the web server is configured to generate a date and time for each logged event. + +Request a user access the hosted application and generate logable events, and then review the logs to determine if the date and time are included in the log event data. + +If the date and time are not included, this is a finding.SRG-APP-000097<GroupDescription></GroupDescription>SRG-APP-000097-WSR-000058The web server must produce log records containing sufficient information to establish where within the web server the events occurred.<VulnDiscussion>Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. + +Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. 
Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged event. For example, an event that occurred during communication to a cgi module might be handled differently than an event that occurred during a communication session to a user. + +Without sufficient information establishing where the log event occurred within the web server, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54191V-41614CCI-000132Configure the web server to generate enough information to determine in what process within the web server the log event occurred.Review the web server documentation and deployment configuration to determine if the web server is configured to generate sufficient information to resolve in which process within the web server the log event occurred. + +Request a user access the hosted application and generate logable events, and then review the logs to determine if the process of the event within the web server can be established. 
+ +If it cannot be determined where the event occurred, this is a finding.SRG-APP-000098<GroupDescription></GroupDescription>SRG-APP-000098-WSR-000059The web server must produce log records containing sufficient information to establish the source of events.<VulnDiscussion>Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. + +Ascertaining the correct source, e.g. source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise. + +Without sufficient information establishing the source of the logged event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54192V-41615CCI-000133Configure the web server to generate the source of each logable event.Review the web server documentation and deployment configuration to determine if the web server is configured to generate sufficient information to resolve the source, e.g. 
source IP, of the log event. + +Request a user access the hosted application and generate logable events, and then review the logs to determine if the source of the event can be established. + +If the source of the event cannot be determined, this is a finding.SRG-APP-000098<GroupDescription></GroupDescription>SRG-APP-000098-WSR-000060A web server, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.<VulnDiscussion>Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. + +Ascertaining the correct source, e.g. source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. + +A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every logable event. When looking at the information forensically, this information is not helpful in the investigation of events. 
The web server must record with each event the client source of the event.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54193V-41616CCI-000133Configure the web server to generate the client source, not the load balancer or proxy server, of each logable event.Review the deployment configuration to determine if the web server is sitting behind a proxy server. If the web server is not sitting behind a proxy server, this finding is NA. + +If the web server is behind a proxy server, review the documentation and deployment configuration to determine if the web server is configured to generate sufficient information to resolve the source, e.g. source IP, of the logged event and not the proxy server. + +Request a user access the hosted application through the proxy server and generate logable events, and then review the logs to determine if the source of the event can be established. + +If the source of the event cannot be determined, this is a finding.SRG-APP-000099<GroupDescription></GroupDescription>SRG-APP-000099-WSR-000061The web server must produce log records that contain sufficient information to establish the outcome (success or failure) of events.<VulnDiscussion>Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. + +Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the logable event. 
By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise. + +Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54194V-41617CCI-000134Configure the web server to generate the outcome, success or failure, as part of each logable event.Review the web server documentation and deployment configuration to determine if the web server is configured to generate the outcome (success or failure) of the event. + +Request a user access the hosted application and generate logable events, and then review the logs to determine if the outcome of the event can be established. 
+ +If the outcome of the event cannot be determined, this is a finding.SRG-APP-000100<GroupDescription></GroupDescription>SRG-APP-000100-WSR-000064The web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.<VulnDiscussion>Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. + +Determining user accounts, processes running on behalf of the user, and running process identifiers also enable a better understanding of the overall event. User tool identification is also helpful to determine if events are related to overall user access or specific client tools. + +Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54197V-41620CCI-001487Configure the web server to include the user/subject identity or process as part of each log record.Review the web server documentation and deployment configuration to determine if the web server can generate log data containing the user/subject identity. + +Request a user access the hosted application and generate logable events, and verify the events contain the user/subject or process identity. 
+ +If the identity is not part of the log record, this is a finding.SRG-APP-000108<GroupDescription></GroupDescription>SRG-APP-000108-WSR-000166The web server must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.<VulnDiscussion>Reviewing log data allows an investigator to recreate the path of an attacker and to capture forensic data for later use. Log data is also essential to system administrators in their daily administrative duties on the hosted system or within the hosted applications. + +If the logging system begins to fail, events will not be recorded. Organizations shall define logging failure events, at which time the application or the logging mechanism the application utilizes will provide a warning to the ISSO and SA at a minimum.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70227V-55973CCI-000139Configure the web server to provide an alert to the ISSO and SA when log processing failures occur. + +If the web server cannot generate alerts, utilize an external logging system that meets this criterion.Review the web server documentation and deployment configuration settings to determine if the web server logging system provides an alert to the ISSO and the SA at a minimum when a processing failure occurs. 
+ +If alerts are not sent or the web server is not configured to use a dedicated logging tool that meets this requirement, this is a finding.SRG-APP-000116<GroupDescription></GroupDescription>SRG-APP-000116-WSR-000066The web server must use the internal system clock to generate time stamps for log records.<VulnDiscussion>Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct time a particular event occurred on the web server is critical when conducting forensic analysis and investigating system events. + +If the internal clock is not used, the web server may not be able to provide time stamps for log messages. The web server can use the capability of an operating system or purpose-built module for this purpose. + +Time stamps generated by the web server shall include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54245V-41668CCI-000159Configure the web server to use internal system clocks to generate date and time stamps for log records.Review the web server documentation and deployment configuration to determine if the internal system clock is used for date and time stamps. If this is not feasible, an alternative workaround is to take an action that generates an entry in the log and then immediately query the operating system for the current time. 
A reasonable match between the two times will suffice as evidence that the system is using the internal clock for date and time stamps. + +If the web server does not use the internal system clock to generate time stamps, this is a finding.SRG-APP-000118<GroupDescription></GroupDescription>SRG-APP-000118-WSR-000068Web server log files must only be accessible by privileged users.<VulnDiscussion>Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. + +The web server must protect the log data from unauthorized read, write, copy, etc. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from access by non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54247V-41670CCI-000162Configure the web server log files so unauthorized access of log information is not possible.Review the web server documentation and deployed configuration settings to determine if the web server logging features protect log information from unauthorized access. + +Review file system settings to verify the log files have secure file permissions. 
+ +If the web server log files are not protected from unauthorized access, this is a finding.SRG-APP-000119<GroupDescription></GroupDescription>SRG-APP-000119-WSR-000069The log information from the web server must be protected from unauthorized modification.<VulnDiscussion>Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of log records to cover his tracks and prolong discovery. + +The web server must protect the log data from unauthorized modification. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from modification by non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54248V-41671CCI-000163Configure the web server log files so unauthorized modification of log information is not possible.Review the web server documentation and deployed configuration settings to determine if the web server logging features protect log information from unauthorized modification. + +Review file system settings to verify the log files have secure file permissions. 
+ +If the web server log files are not protected from unauthorized modification, this is a finding.SRG-APP-000120<GroupDescription></GroupDescription>SRG-APP-000120-WSR-000070The log information from the web server must be protected from unauthorized deletion.<VulnDiscussion>Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of audit records to cover his tracks and prolong discovery. + +The web server must protect the log data from unauthorized deletion. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from deletion by non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54249V-41672CCI-000164Configure the web server log files so unauthorized deletion of log information is not possible.Review the web server documentation and deployed configuration settings to determine if the web server logging features protect log information from unauthorized deletion. + +Review file system settings to verify the log files have secure file permissions. 
+ +If the web server log files are not protected from unauthorized deletion, this is a finding.SRG-APP-000125<GroupDescription></GroupDescription>SRG-APP-000125-WSR-000071The log data and records from the web server must be backed up onto a different system or media.<VulnDiscussion>Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54251V-41674CCI-001348Configure the web server logs to be backed up onto a different system or media other than the system being logged.Review the web server documentation and deployed configuration to determine if the web server log records are backed up onto an unrelated system or media than the system being logged. + +If the web server logs are not backed up onto a different system or media than the system being logged, this is a finding.SRG-APP-000131<GroupDescription></GroupDescription>SRG-APP-000131-WSR-000051All web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.<VulnDiscussion>Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. 
+ +The web server or hosting system must have a mechanism to verify that files, before installation, are valid. + +Examples of validation methods are sha1 and md5 hashes and checksums.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70237V-55983CCI-001749Configure the web server to verify object integrity before becoming part of the production web server or utilize an external tool designed to meet this requirement.Review the web server documentation and deployment configuration to determine if the web server validates files before the files are implemented into the running configuration. + +If the web server does not meet this requirement and an external facility is not available for use, this is a finding.SRG-APP-000131<GroupDescription></GroupDescription>SRG-APP-000131-WSR-000073Expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.<VulnDiscussion>In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development website. The process of developing on a functional production website entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files that reveal business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security risk that is totally avoidable. 
+ +The web server must enforce, internally or through an external utility, the signing of modules before they are implemented into a production environment. By signing modules, the author guarantees that the module has been reviewed and tested before production implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54261V-41684CCI-001749Configure the web server to enforce, internally or through an external utility, the review, testing and signing of modules before implementation into the production environment.Review the web server documentation and configuration to determine if web server modules are fully tested before implementation in the production environment. + +Review the web server for modules identified as test, debug, or backup and that cannot be reached through the hosted application. + +Review the web server to see if the web server or an external utility is in use to enforce the signing of modules before they are put into a production environment. + +If development and testing is taking place on the production web server or modules are put into production without being signed, this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>SRG-APP-000141-WSR-000015The web server must not perform user management for hosted applications.<VulnDiscussion>User management and authentication can be an essential part of any application hosted by the web server. 
Along with authenticating users, the user management function must perform several other tasks like password complexity, locking users after a configurable number of failed logins, and management of temporary and emergency accounts; and all of this must be done enterprise-wide. + +The web server contains a minimal user management function, but the web server user management function does not offer enterprise-wide user management, and user management is not the primary function of the web server. User management for the hosted applications should be done through a facility that is built for enterprise-wide user management, like LDAP and Active Directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70243V-55989CCI-000381Configure the web server to disable user management functionality.Review the web server documentation and configuration to determine if the web server is being used as a user management application. + +If the web server is being used to perform user management for the hosted applications, this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>SRG-APP-000141-WSR-000075The web server must only contain services and functions necessary for operation.<VulnDiscussion>A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. 
+ +The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54270V-41693CCI-000381Uninstall or deactivate features, services, and processes not needed by the web server for operation.Review the web server documentation and deployed configuration to determine if web server features, services, and processes are installed that are not needed for hosted application deployment. + +If excessive features, services, and processes are installed, this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>SRG-APP-000141-WSR-000076The web server must not be a proxy server.<VulnDiscussion>A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. 
Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54271V-41694CCI-000381Uninstall any proxy services, modules, and libraries that are used by the web server to act as a proxy server. + +Verify all configuration changes are made to assure the web server is no longer acting as a proxy server in any manner.Review the web server documentation and deployed configuration to determine if the web server is also a proxy server. + +If the web server is also acting as a proxy server, this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>SRG-APP-000141-WSR-000077The web server must provide install options to exclude the installation of documentation, sample code, example applications, and tutorials.<VulnDiscussion>Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). + +Any documentation, sample code, example applications, and tutorials must be removed from a production web server. 
To make certain that the documentation and code are not installed or uninstalled completely; the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54272V-41695CCI-000381Use the web server uninstall facility or manually remove any documentation, sample code, example applications, and tutorials.Review the web server documentation and deployment configuration to determine if the web server contains documentation, sample code, example applications, or tutorials. + +Verify the web server install process also offers an option to exclude these elements from installation and provides an uninstall option for their removal. + +If web server documentation, sample code, example applications, or tutorials are installed or the web server install process does not offer an option to exclude these elements from installation, this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>SRG-APP-000141-WSR-000078Web server accounts not utilized by installed features (i.e., tools, utilities, specific services, etc.) must not be created and must be deleted when the web server feature is uninstalled.<VulnDiscussion>When accounts used for web server features such as documentation, sample code, example applications, tutorials, utilities, and services are created even though the feature is not installed, they become an exploitable threat to a web server. + +These accounts become inactive, are not monitored through regular use, and passwords for the accounts are not created or updated. 
An attacker, through very little effort, can use these accounts to gain access to the web server and begin investigating ways to elevate the account privileges. + +The accounts used for web server features not installed must not be created and must be deleted when these features are uninstalled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54273V-41696CCI-000381Use the web server uninstall facility or manually remove the user accounts not used by the installed web server features.Review the web server documentation to determine the user accounts created when particular features are installed. + +Verify the deployed configuration to determine which features are installed with the web server. + +If any accounts exist that are not used by the installed features, this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>SRG-APP-000141-WSR-000080The web server must provide install options to exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.<VulnDiscussion>Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and graphical editors are examples of such programs that are troublesome. + +Individual productivity tools have no legitimate place or use on an enterprise, production web server and they are also prone to their own security risks. 
The web server installation process must provide options allowing the installer to choose which utility programs, services, and modules are to be installed or removed. By having a process for installation and removal, the web server is guaranteed to be in a more stable and secure state than if these services and programs were installed and removed manually.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54275V-41698CCI-000381Use the web server uninstall facility or manually remove any utility programs, services, or modules not needed by the web server for operation.Review the web server documentation and deployment configuration to determine which web server utilities, services, and modules are installed. Verify these options are essential to the operation of the web server. Also, confirm the web server install process offers an option to exclude these utilities, services, and modules from installation that are not needed for operation and that there is an uninstall option for their removal. + +If there are more utilities, services, or modules installed than are needed for the operation of the web server or the web server does not provide an install facility to customize installation, this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>SRG-APP-000141-WSR-000081The web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.<VulnDiscussion>Controlling what a user of a hosted application can access is part of the security posture of the web server. 
Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. + +A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. + +A shell is a program that serves as the basic interface between the user and the operating system, so hosted application users must not have access to these programs. Shell programs may execute shell escapes and can then perform unauthorized activities that could damage the security posture of the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54276V-41699CCI-000381Configure the web server to disable all MIME types that invoke OS shell programs.Review the web server documentation and deployment configuration to determine if the OS shell is accessible by any MIME types that are enabled. + +If a user of the web server can invoke OS shell programs, this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>SRG-APP-000141-WSR-000082The web server must allow the mappings to unused and vulnerable scripts to be removed.<VulnDiscussion>Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. 
+ +To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54277V-41700CCI-000381Remove script mappings that are not needed for web server and hosted application operation.Review the web server documentation and deployment configuration to determine what script mappings are available. + +Review the scripts used by the web server and the hosted applications. + +If there are script mappings in use that are not used by the web server or hosted applications for operation, this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>SRG-APP-000141-WSR-000083The web server must have resource mappings set to disable the serving of certain file types.<VulnDiscussion>Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. + +By not specifying which files can and which files cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. 
+ +The web server must only allow hosted application file types to be served to a user and all other types must be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54278V-41701CCI-000381Configure the web server to only serve file types to the user that are needed by the hosted applications. All other file types must be disabled.Review the web server documentation and deployment configuration to determine what types of files are being used for the hosted applications. + +If the web server is configured to allow other file types not associated with the hosted application, especially those associated with logs, configuration files, passwords, etc., this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>SRG-APP-000141-WSR-000085The web server must have Web Distributed Authoring (WebDAV) disabled.<VulnDiscussion>A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typically a web server or web share. Allowing this functionality, development, and deployment is much easier for web authors. 
+ +WebDAV is not widely used and has serious security concerns because it may allow clients to modify unauthorized files on the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54279V-41702CCI-000381Configure the web server to disable Web Distributed Authoring.Review the web server documentation and deployment configuration to determine if Web Distributed Authoring (WebDAV) is enabled. + +If WebDAV is enabled, this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>SRG-APP-000141-WSR-000086The web server must protect system resources and privileged operations from hosted applications.<VulnDiscussion>A web server may host one too many applications. Each application will need certain system resources and privileged operations to operate correctly. The web server must be configured to contain and control the applications and protect the system resources and privileged operations from those not needed by the application for operation. 
+ +Limiting the application will confine the potential harm a compromised application could cause to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54280V-41703CCI-000381Configure the privileges given to hosted applications to the minimum required for application operation.Review the web server documentation and configuration to determine the access to server resources given to hosted applications. + +If hosted applications have access to more system resources than needed for operation, this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>SRG-APP-000141-WSR-000087Users and scripts running on behalf of users must be contained to the document root or home directory tree of the web server.<VulnDiscussion>A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and applications guarantees that the user is not accessing information protected outside the application's realm. 
+ +The web server must also prohibit users from jumping outside the hosted application directory tree through access to the user's home directory, symbolic links or shortcuts, or through search paths for missing files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54281V-41704CCI-000381Configure the web server to contain users and scripts to each hosted application's domain.Review the web server documentation and configuration to determine where the document root or home directory for each application hosted by the web server is located. + +Verify that users of the web server applications, and any scripts running on the user's behalf, are contained to each application's domain. + +If users of the web server applications, and any scripts running on the user's behalf, are not contained, this is a finding.SRG-APP-000142<GroupDescription></GroupDescription>SRG-APP-000142-WSR-000089The web server must be configured to use a specified IP address and port.<VulnDiscussion>The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. 
+ +Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54283V-41706CCI-000382Configure the web server to only listen on a specified IP address and port.Review the web server documentation and deployment configuration to determine whether the web server is configured to listen on a specified IP address and port. + +Request a client user try to access the web server on any other available IP addresses on the hosting hardware. + +If an IP address is not configured on the web server or a client can reach the web server on other IP addresses assigned to the hosting hardware, this is a finding.SRG-APP-000172<GroupDescription></GroupDescription>SRG-APP-000172-WSR-000104The web server must encrypt passwords during transmission.<VulnDiscussion>Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. 
+ +Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54315V-41738CCI-000197Configure the web server to encrypt the transmission passwords.Review the web server documentation and deployed configuration to determine whether passwords are being passed to or from the web server. + +If the transmission of passwords is not encrypted, this is a finding.SRG-APP-000175<GroupDescription></GroupDescription>SRG-APP-000175-WSR-000095The web server must perform RFC 5280-compliant certification path validation.<VulnDiscussion>A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. 
Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54307V-41730CCI-000185Configure the web server to validate certificates in accordance with RFC 5280.Review the web server documentation and deployed configuration to determine whether the web server provides PKI functionality that validates certification paths in accordance with RFC 5280. If PKI is not being used, this is NA. + +If the web server is using PKI, but it does not perform this requirement, this is a finding.SRG-APP-000176<GroupDescription></GroupDescription>SRG-APP-000176-WSR-000096Only authenticated system administrators or the designated PKI Sponsor for the web server must have access to the web servers private key.<VulnDiscussion>The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. 
+ +By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the SSL traffic between a client and the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54308V-41731CCI-000186Configure the web server to ensure only authenticated and authorized users can access the web server's private key.If the web server does not have a private key, this is N/A. + +Review the web server documentation and deployed configuration to determine whether only authenticated system administrators and the designated PKI Sponsor for the web server can access the web server private key. + +If the private key is accessible by unauthenticated or unauthorized users, this is a finding.SRG-APP-000179<GroupDescription></GroupDescription>SRG-APP-000179-WSR-000110The web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.<VulnDiscussion>Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. + +FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. 
+ +The web server must provide FIPS-compliant encryption modules when storing encrypted data and configuration settings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54322V-41745CCI-000803Configure the web server to utilize FIPS 140-2 approved encryption modules when the web server is storing data.Review web server documentation and deployed configuration to determine whether the encryption modules utilized for storage of data are FIPS 140-2 compliant. + +Reference the following NIST site to identify validated encryption modules: + +http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm + +If the encryption modules used for storage of data are not FIPS 140-2 validated, this is a finding.SRG-APP-000179<GroupDescription></GroupDescription>SRG-APP-000179-WSR-000111The web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.<VulnDiscussion>Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. + +FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. 
+ +The web server must provide FIPS-compliant encryption modules when authenticating users and processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54323V-41746CCI-000803Configure the web server to utilize FIPS 140-2 approved encryption modules when authenticating users and processes.Review web server documentation and deployed configuration to determine whether the encryption modules utilized for authentication are FIPS 140-2 compliant. Reference the following NIST site to identify validated encryption modules: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm + +If the encryption modules used for authentication are not FIPS 140-2 validated, this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>SRG-APP-000206-WSR-000128A web server utilizing mobile code must meet DoD-defined mobile code requirements.<VulnDiscussion>Mobile code in hosted applications allows the developer to add functionality and displays to hosted applications that are fluid, as opposed to a static web page. The data presentation becomes more appealing to the user, is easier to analyze, and navigation through the hosted application and data is much less complicated. + +Some mobile code technologies in use in today's applications are: Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. The DoD has created policies that define the usage of mobile code on DoD systems. 
The usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. + +The web server may host applications that contain mobile code and therefore, must meet the DoD-defined requirements regarding the deployment and/or use of mobile code. This includes digitally signing applets in order to provide a means for the client to establish application authenticity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70273V-56019CCI-001166Configure the web server to follow the DoD policies on mobile code.Review the web server documentation and deployed configuration to determine whether mobile code used by hosted applications follows the DoD policies on the acquisition, development, and/or use of mobile code. + +If the web server is not configured to follow the DoD policies on mobile code, this is a finding.SRG-APP-000211<GroupDescription></GroupDescription>SRG-APP-000211-WSR-000030Web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.<VulnDiscussion>As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also be closely monitored and controlled. 
Only the system administrator needs access to all the system's capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70249V-55995CCI-001082Limit the functions, directories, and files that are accessible by each account and role to administrative accounts and remove or modify non-privileged account access.Review the web server documentation and configuration to determine what web server accounts are available on the hosting server. + +If non-privileged web server accounts are available with access to functions, directories, or files not needed for the role of the account, this is a finding.SRG-APP-000211<GroupDescription></GroupDescription>SRG-APP-000211-WSR-000031Anonymous user access to the web server application directories must be prohibited.<VulnDiscussion>In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the names of those who made the changes. + +Allowing anonymous users the capability to change the web server or the hosted application will not generate proper log information that can then be used for forensic reporting in the case of a security issue. 
Allowing anonymous users to make changes will also grant change capabilities to anybody without forcing a user to authenticate before the changes can be made.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70247V-55993CCI-001082Configure the web server to not allow anonymous users to change the web server or any hosted applications.Review the web server documentation and configuration to determine if anonymous users can make changes to the web server or any applications hosted by the web server. + +If anonymous users can make changes, this is a finding.SRG-APP-000211<GroupDescription></GroupDescription>SRG-APP-000211-WSR-000129The web server must separate the hosted applications from hosted web server management functionality.<VulnDiscussion>The separation of user functionality from web server management can be accomplished by moving management functions to a separate IP address or port. To further separate the management functions, separate authentication methods and certificates should be used. 
+ +By moving the management functionality, the possibility of accidental discovery of the management functions by non-privileged users during hosted application use is minimized.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54371V-41794CCI-001082Configure the web server to separate the hosted applications from web server management functionality.Review the web server documentation and deployed configuration to determine whether hosted application functionality is separated from web server management functions. + +If the functions are not separated, this is a finding.SRG-APP-000220<GroupDescription></GroupDescription>SRG-APP-000220-WSR-000201The web server must invalidate session identifiers upon hosted application user logout or other session termination.<VulnDiscussion>Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. + +Session IDs are tokens generated by web applications to uniquely identify an application user's session. Unique session IDs help to reduce predictability of said identifiers. 
When a user logs out, or when any other session termination event occurs, the web server must terminate the user session to minimize the potential for an attacker to hijack that particular user session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70275V-56021CCI-001185Configure the web server to invalidate session identifiers when a session is terminated.Review the web server documentation and deployed configuration to verify that the web server is configured to invalidate session identifiers when a session is terminated. + +If the web server does not invalidate session identifiers when a session is terminated, this is a finding.SRG-APP-000223<GroupDescription></GroupDescription>SRG-APP-000223-WSR-000011Cookies exchanged between the web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating web server and hosted application.<VulnDiscussion>Cookies are used to exchange data between the web server and the client. Cookies, such as a session cookie, may contain session information and user credentials used to maintain a persistent connection between the user and the hosted application since HTTP/HTTPS is a stateless protocol. 
+ +When the cookie parameters are not set properly (i.e., domain and path parameters), cookies can be shared within hosted applications residing on the same web server or to applications hosted on different web servers residing on the same domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70279V-56025CCI-001664Configure the web server to set properties within cookies to disallow the cookie to be accessed by other web servers and applications.Review the web server documentation and configuration to determine if cookies between the web server and client are accessible by applications or web servers other than the originating pair. + +If the cookie information is accessible outside the originating pair, this is a finding.SRG-APP-000223<GroupDescription></GroupDescription>SRG-APP-000223-WSR-000145The web server must accept only system-generated session identifiers.<VulnDiscussion>Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. In order to maintain a connection or session, a web server will generate a session identifier (ID) for each client session when the session is initiated. The session ID allows the web server to track a user session and, in many cases, the user, if the user previously logged into a hosted application. + +When a web server accepts session identifiers that are not generated by the web server, the web server creates an environment where session hijacking, such as session fixation, could be used to access hosted applications through session IDs that have already been authenticated. 
Forcing the web server to only accept web server-generated session IDs and to create new session IDs once a user is authenticated will limit session hijacking.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54395V-41818CCI-001664Configure the web server to only accept session IDs that are created by the web server.Review the web server documentation and deployed configuration to determine whether the web server accepts session IDs that are not system-generated. + +If the web server does accept non-system-generated session IDs, this is a finding.SRG-APP-000224<GroupDescription></GroupDescription>SRG-APP-000224-WSR-000135The web server must generate a unique session identifier for each session using a FIPS 140-2 approved random number generator.<VulnDiscussion>Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. In order to maintain a connection or session, a web server will generate a session identifier (ID) for each client session when the session is initiated. The session ID allows the web server to track a user session and, in many cases, the user, if the user previously logged into a hosted application. + +Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of generated identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. 
If the attacker is unable to identify or guess the session information related to pending application traffic, the attacker will have more difficulty in hijacking the session or otherwise manipulating valid sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70277V-56023CCI-001188Configure the web server to generate unique session identifiers using a FIPS 140-2 random number generator.Review the web server documentation and deployed configuration to verify that the web server is configured to generate unique session identifiers with a FIPS 140-2 approved random number generator. + +Request two users access the web server and view the session identifier generated for each user to verify that the session IDs are not sequential. + +If the web server is not configured to generate unique session identifiers or the random number generator is not FIPS 140-2 approved, this is a finding.SRG-APP-000224<GroupDescription></GroupDescription>SRG-APP-000224-WSR-000136The web server must generate unique session identifiers that cannot be reliably reproduced.<VulnDiscussion>Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. In order to maintain a connection or session, a web server will generate a session identifier (ID) for each client session when the session is initiated. The session ID allows the web server to track a user session and, in many cases, the user, if the user previously logged into a hosted application. + +By being able to guess session IDs, an attacker can easily perform a man-in-the-middle attack. 
To truly generate random session identifiers that cannot be reproduced, the web server session ID generator, when used twice with the same input criteria, must generate an unrelated random ID. + +The session ID generator also needs to be a FIPS 140-2 approved generator.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54384V-41807CCI-001188Configure the web server to generate random and unique session identifiers that cannot be reliably reproduced.Review the web server documentation and deployed configuration to verify that random and unique session identifiers are generated. + +Access the web server ID generator function and generate two IDs using the same input. + +If the web server is not configured to generate random and unique session identifiers, or the ID generator generates the same ID for the same input, this is a finding.SRG-APP-000224<GroupDescription></GroupDescription>SRG-APP-000224-WSR-000137The web server must generate a session ID long enough that it cannot be guessed through brute force.<VulnDiscussion>Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing the session ID, an attacker can hijack a user session that has already been user authenticated by the hosted application. The attacker does not need to guess user identifiers and passwords or have a secure token since the user session has already been authenticated. 
+ +Generating session IDs that are at least 128 bits (16 bytes) in length will cause an attacker to take a large amount of time and resources to guess, reducing the likelihood of an attacker guessing a session ID.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54385V-41808CCI-001188Configure the web server to generate session identifiers that are at least 128 bits in length.Review the web server documentation and deployed configuration to see how long the generated session identifiers are. + +If the web server is not configured to generate session identifiers that are at least 128 bits (16 bytes) in length, this is a finding.SRG-APP-000224<GroupDescription></GroupDescription>SRG-APP-000224-WSR-000138The web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.<VulnDiscussion>Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing the session ID, an attacker can hijack a user session that has already been user-authenticated by the hosted application. The attacker does not need to guess user identifiers and passwords or have a secure token since the user session has already been authenticated. 
+ +By generating session IDs that contain as much of the character set as possible, i.e., A-Z, a-z, and 0-9, the session ID becomes exponentially harder to guess.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54386V-41809CCI-001188Configure the web server to use at least A-Z, a-z, and 0-9 to generate session IDs.Review the web server documentation and deployed configuration to determine what characters are used in generating session IDs. + +If the web server is not configured to use at least A-Z, a-z, and 0-9 to generate session identifiers, this is a finding.SRG-APP-000224<GroupDescription></GroupDescription>SRG-APP-000224-WSR-000139The web server must generate unique session identifiers with definable entropy.<VulnDiscussion>Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing the session ID, an attacker can hijack a user session that has already been user authenticated by the hosted application. The attacker does not need to guess user identifiers and passwords or have a secure token since the user session has already been authenticated. + +Random and unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Random session identifiers help to reduce predictability of said identifiers. The session ID must be unpredictable (random enough) to prevent guessing attacks, where an attacker is able to guess or predict the ID of a valid session through statistical analysis techniques. 
For this purpose, a good PRNG (Pseudo Random Number Generator) must be used. + +Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. + +At least half of a session ID must be created using a definable source of entropy (PRNG).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54387V-41810CCI-001188Configure the web server to generate random session IDs with minimum entropy equal to half the session ID length.Review the web server documentation and deployed configuration to verify that the web server is generating random session IDs with entropy equal to at least half the session ID length. + +If the web server is not configured to generate random session IDs with the proper amount of entropy, this is a finding.SRG-APP-000225<GroupDescription></GroupDescription>SRG-APP-000225-WSR-000074The web server must augment re-creation to a stable and known baseline.<VulnDiscussion>Making certain that the web server has not been updated by an unauthorized user is always a concern. Adding patches, functions, and modules that are untested and not part of the baseline opens the possibility for security risks. 
The web server must offer, and not hinder, a method that allows for the quick and easy reinstallation of a verified and patched baseline to guarantee the production web server is up-to-date and has not been modified to add functionality or expose security risks. + +When the web server does not offer a method to roll back to a clean baseline, external methods, such as a baseline snapshot or virtualizing the web server, can be used.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70283V-56029CCI-001190Configure the web server to augment and not hinder the reinstallation of a known and stable baseline.Review the web server documentation and deployed configuration to determine if the web server offers the capability to reinstall from a known state. + +If the web server does not offer this capability, determine if the web server, in any manner, prohibits the reinstallation of a known state. + +If the web server does prohibit the reinstallation to a known state, this is a finding.SRG-APP-000225<GroupDescription></GroupDescription>SRG-APP-000225-WSR-000140The web server must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.<VulnDiscussion>Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. 
For an application presenting publicly available information that is not critical, a safe state for failure might be to shut down for any type of failure; but for an application that presents critical and timely information, a shutdown might not be the best state for all failures. + +Performing a proper risk analysis of the hosted applications and configuring the web server according to what actions to take for each failure condition will provide a known fail safe state for the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54388V-41811CCI-001190Configure the web server to fail to the states of operation during system initialization, shutdown, or abort failures found in the risk analysis.Review the web server documentation, deployed configuration, and risk analysis documentation to determine whether the web server will fail to known states for system initialization, shutdown, or abort failures. + +If the web server will not fail to known state, this is a finding.SRG-APP-000225<GroupDescription></GroupDescription>SRG-APP-000225-WSR-000141The web server must provide a clustering capability.<VulnDiscussion>The web server may host applications that display information that cannot be disrupted, such as information that is time-critical or life-threatening. In these cases, a web server that shuts down or ceases to be accessible when there is a failure is not acceptable. In these types of cases, clustering of web servers is used. + +Clustering of multiple web servers is a common approach to providing fail-safe application availability. 
To assure application availability, the web server must provide clustering or some form of failover functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54389V-41812CCI-001190Configure the web server to provide application failover, or participate in a web cluster that provides failover for high-availability web servers.Review the web server documentation, deployed configuration, and risk analysis documentation to verify that the web server is configured to provide clustering functionality, if the web server is a high-availability web server. + +If the web server is not a high-availability web server, this finding is NA. + +If the web server is not configured to provide clustering or some form of failover functionality and the web server is a high-availability server, this is a finding.SRG-APP-000231<GroupDescription></GroupDescription>SRG-APP-000231-WSR-000144Information at rest must be encrypted using a DoD-accepted algorithm to protect the confidentiality and integrity of the information.<VulnDiscussion>Data at rest is inactive data which is stored physically in any digital form (e.g., databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.). Data at rest includes, but is not limited to, archived data, data which is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks, and files stored off-site or on a storage area network. + +While data at rest can reside in many places, data at rest for a web server is data on the hosting system storage devices. 
Data stored as a backup on tape or stored off-site is no longer under the protection measures covered by the web server. + +There are several pieces of data that the web server uses during operation. The web server must use an accepted encryption method, such as SHA1, to protect the confidentiality and integrity of the information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54392V-41815CCI-001199Use a DoD-accepted algorithm to encrypt data at rest to protect the information's confidentiality and integrity.Review the web server documentation and deployed configuration to locate where potential data at rest is stored. + +Verify that the data is encrypted using a DoD-accepted algorithm to protect the confidentiality and integrity of the information. + +If the data is not encrypted using a DoD-accepted algorithm, this is a finding.SRG-APP-000233<GroupDescription></GroupDescription>SRG-APP-000233-WSR-000146The web server document directory must be in a separate partition from the web servers system files.<VulnDiscussion>A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. 
In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54398V-41821CCI-001084Configure the web server to place the document directories in a separate partition from the web server system files.Review the web server documentation and deployed configuration to determine where the document directory is located for each hosted application. + +If the document directory is not in a separate partition from the web server's system files, this is a finding.SRG-APP-000246<GroupDescription></GroupDescription>SRG-APP-000246-WSR-000149The web server must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.<VulnDiscussion>A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. 
+ +An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54410V-41833CCI-001094Configure the web server to limit the ability of users to use the web server in a DoS attack.Review the web server documentation and deployed configuration to determine whether the web server has been configured to limit the ability of the web server to be used in a DoS attack. + +If not, this is a finding.SRG-APP-000251<GroupDescription></GroupDescription>SRG-APP-000251-WSR-000157The web server must limit the character set used for data entry.<VulnDiscussion>Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. + +An attacker can also enter Unicode into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. 
+ +The web server, by defining the character set available for data entry, can trap efforts to bypass security checks or to compromise an application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54429V-41852CCI-001310Configure the web server to only accept the character sets expected by the hosted applications.Review the web server documentation and deployed configuration to determine what the data set is for data entry. + +If the web server does not limit the data set used for data entry, this is a finding.SRG-APP-000266<GroupDescription></GroupDescription>SRG-APP-000266-WSR-000142The web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.<VulnDiscussion>The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. + +Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. In the scenario, the web server will display to the user a listing of the files in the directory being accessed. 
By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70289V-56035CCI-001312Place a default web page in every web document directory.Review the web server documentation and deployed configuration to locate all the web document directories. + +Verify that each web document directory contains a default hosted application web page that can be used by the web server in the event a web page cannot be found. + +If a document directory does not contain a default web page, this is a finding.SRG-APP-000266<GroupDescription></GroupDescription>SRG-APP-000266-WSR-000159Warning and error messages displayed to clients must be modified to minimize the identity of the web server, patches, loaded modules, and directory paths.<VulnDiscussion>Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. + +Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. + +This information could be used by an attacker to blueprint what type of attacks might be successful. 
The information given to users must be minimized to not aid in the blueprinting of the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54431V-41854CCI-001312Configure the web server to minimize the information provided to the client in warning and error messages.Review the web server documentation and deployed configuration to determine whether the web server offers different modes of operation that will minimize the identity of the web server, patches, loaded modules, and directory paths given to clients on error conditions. + +If the web server is not configured to minimize the information given to clients, this is a finding.SRG-APP-000266<GroupDescription></GroupDescription>SRG-APP-000266-WSR-000160Debugging and trace information used to diagnose the web server must be disabled.<VulnDiscussion>Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. 
Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-54432V-41855CCI-001312Configure the web server to minimize the information given to clients on error conditions by disabling debugging and trace information.Review the web server documentation and deployed configuration to determine if debugging and trace information are enabled. + +If the web server is configured with debugging and trace information enabled, this is a finding.SRG-APP-000295<GroupDescription></GroupDescription>SRG-APP-000295-WSR-000012The web server must set an absolute session timeout value of eight hours or less.<VulnDiscussion>Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after an absolute period of time, the user is forced to re-authenticate guaranteeing the session is still in use. Enabling an absolute timeout for sessions closes sessions that are still active. 
Examples would be a runaway process accessing the web server or an attacker using a hijacked session to slowly probe the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70205V-55951CCI-002361Configure the web server to close sessions after eight hours or less.Verify that the web server is configured to close sessions after eight hours or less. + +If the web server is not configured to close sessions after eight hours or less, this is a finding.SRG-APP-000295<GroupDescription></GroupDescription>SRG-APP-000295-WSR-000134The web server must set an inactive timeout for sessions.<VulnDiscussion>Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. 
+ +Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70203V-55949CCI-002361Configure the web server to close inactive sessions after 5 minutes for high-risk applications, 10 minutes for medium-risk applications, or 20 minutes for low-risk applications.Review the hosted applications, web server documentation and deployed configuration to verify that the web server will close an open session after a configurable time of inactivity. + +If the web server does not close sessions after a configurable time of inactivity or the amount of time is configured higher than 5 minutes for high-risk applications, 10 minutes for medium-risk applications, or 20 minutes for low-risk applications, this is a finding.SRG-APP-000315<GroupDescription></GroupDescription>SRG-APP-000315-WSR-000003Remote access to the web server must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.<VulnDiscussion>Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. + +A web server can be accessed remotely and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. 
+ +Examples of the web server enforcing a remote access policy are implementing IP filtering rules, using https instead of http for communication, implementing secure tokens, and validating users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70207V-55953CCI-002314Configure the web server to enforce the remote access policy or to work with an enterprise tool designed to enforce the policy.Review the web server product documentation and deployed configuration to determine if the server or an enterprise tool is enforcing the organization's requirements for remote connections. + +If the web server is not configured to enforce these requirements and an enterprise tool is not in place, this is a finding.SRG-APP-000315<GroupDescription></GroupDescription>SRG-APP-000315-WSR-000004The web server must restrict inbound connections from nonsecure zones.<VulnDiscussion>Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. + +A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. 
By restricting access from nonsecure zones, through internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70215V-55961CCI-002314Configure the web server to block access from DoD-defined nonsecure zones.Review the web server configuration to verify that the web server is restricting access from nonsecure zones. + +If the web server is not configured to restrict access from nonsecure zones, then this is a finding.SRG-APP-000316<GroupDescription></GroupDescription>SRG-APP-000316-WSR-000170The web server must provide the capability to immediately disconnect or disable remote access to the hosted applications.<VulnDiscussion>During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to stop the attack. + +The web server must provide a capability to disconnect users to a hosted application without compromising other hosted applications unless deemed necessary to stop the attack. Methods to disconnect or disable connections are to stop the application service for a specified hosted application, stop the web server, or block all connections through web server access list. 
+ +The web server capabilities used to disconnect or disable users from connecting to hosted applications and the web server must be documented to make certain that, during an attack, the proper action is taken to conserve connectivity to any other hosted application if possible and to make certain log data is conserved for later forensic analysis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70209V-55955CCI-002322Configure the web server to provide the capability to immediately disconnect or disable remote access to the hosted applications.Review the web server documentation and configuration to make certain that the web server is configured to allow for the immediate disconnection or disabling of remote access to hosted applications when necessary. + +If the web server is not capable of or cannot be configured to disconnect or disable remote access to the hosted applications when necessary, this is a finding.SRG-APP-000340<GroupDescription></GroupDescription>SRG-APP-000340-WSR-000029Non-privileged accounts on the hosting system must only access web server security-relevant information and functions through a distinct administrative account.<VulnDiscussion>By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged account to a privileged account when operating on the web server or on security-relevant information forces users to only operate as a web server administrator when necessary. 
Operating in this manner allows for better logging of changes and better forensic information and limits accidental changes to the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70201V-55947CCI-002235Set up accounts and roles that can be used to perform web server security-relevant tasks and remove or modify non-privileged account access to security-relevant tasks.Review the web server documentation and configuration to determine if accounts used for administrative duties of the web server are separated from non-privileged accounts. + +If non-privileged accounts can access web server security-relevant information, this is a finding.SRG-APP-000356<GroupDescription></GroupDescription>SRG-APP-000356-WSR-000007A web server that is part of a web server cluster must route all remote management through a centrally managed access control point.<VulnDiscussion>A web server cluster is a group of independent web servers that are managed as a single system for higher availability, easier manageability, and greater scalability. Without having centralized control of the web server cluster, management of the cluster becomes difficult. 
It is critical that remote management of the cluster be done through a designated management system acting as a single access point.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70211V-55957CCI-001844Configure the web server to be centrally managed.Review the web server documentation and configuration to determine if the web server is part of a cluster. + +If the web server is not part of a cluster, then this is NA. + +If the web server is part of a cluster and is not centrally managed, then this is a finding.SRG-APP-000357<GroupDescription></GroupDescription>SRG-APP-000357-WSR-000150The web server must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.<VulnDiscussion>In order to make certain that the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism needs to be able to allocate log record storage capacity. + +The task of allocating log record storage capacity is usually performed during initial installation of the logging mechanism. The system administrator will usually coordinate the allocation of physical drive space with the web server administrator along with the physical location of the partition and disk. 
Refer to NIST SP 800-92 for specific requirements on log rotation and storage dependent on the impact of the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70213V-55959CCI-001849Configure the web server to use a logging mechanism that is configured to allocate log record storage capacity in accordance with NIST SP 800-92 log record storage requirements.Review the web server documentation and deployment configuration to determine if the web server is using a logging mechanism to store log records. If a logging mechanism is in use, validate that the mechanism is configured to use record storage capacity in accordance with specifications within NIST SP 800-92 for log record storage requirements. + +If the web server is not using a logging mechanism, or if the mechanism has not been configured to allocate log record storage capacity in accordance with NIST SP 800-92, this is a finding.SRG-APP-000358<GroupDescription></GroupDescription>SRG-APP-000358-WSR-000063The web server must not impede the ability to write specified log record content to an audit log server.<VulnDiscussion>Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analysis of events, and backup and archiving of event records enterprise-wide. 
The web server and related components are required to be capable of writing logs to centralized audit log servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70223V-55969CCI-001851Configure the web server to directly write or transfer the logs to a remote audit log server.Review the web server documentation and deployment configuration to determine if the web server can write log data to, or if log data can be transferred to, a separate audit server. + +Request a user access the hosted application and generate logable events and verify the data is written to a separate audit server. + +If logs cannot be directly written or transferred on request or on a periodic schedule to an audit log server, this is a finding.SRG-APP-000358<GroupDescription></GroupDescription>SRG-APP-000358-WSR-000163The web server must be configurable to integrate with an organizations security infrastructure.<VulnDiscussion>A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. + +While it is important to log events identified as being critical and relevant to security, it is equally important to notify the appropriate personnel in a timely manner so they are able to respond to events as they occur. + +Manual review of the web server logs may not occur in a timely manner, and each event logged is open to interpretation by a reviewer. 
By integrating the web server into an overall or organization-wide log review, a larger picture of events can be viewed, and analysis can be done in a timely and reliable manner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70225V-55971CCI-001851Configure the web server to send logged events to the organization's security infrastructure tool that offers review and alert capabilities.Review the web server documentation and deployed configuration to determine whether the web server is logging security-relevant events. + +Determine whether there is a security tool in place that allows review and alert capabilities and whether the web server is sending events to this system. + +If the web server is not, this is a finding.SRG-APP-000359<GroupDescription></GroupDescription>SRG-APP-000359-WSR-000065The web server must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. + +If log capacity were to be exceeded, then events subsequently occurring would not be recorded. 
Organizations shall define a maximum allowable percentage of storage capacity serving as an alarming threshold (e.g., web server has exceeded 75% of log storage capacity allocated), at which time the web server or the logging mechanism the web server utilizes will provide a warning to the ISSO and SA at a minimum. + +This requirement can be met by configuring the web server to utilize a dedicated log tool that meets this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70229V-55975CCI-001855Configure the web server to provide a warning to the ISSO and SA when allocated log record storage volume reaches 75% of maximum record storage capacity.Review the web server documentation and deployment configuration settings to determine if the web server log system provides a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum record storage capacity. + +If designated alerts are not sent or the web server is not configured to use a dedicated log tool that meets this requirement, this is a finding.SRG-APP-000374<GroupDescription></GroupDescription>SRG-APP-000374-WSR-000172The web server must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. + +Time stamps generated by the web server include date and time. 
Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70233V-55979CCI-001890Configure the web server to store log data time stamps in a format that is mapped to UTC or GMT time.Review the web server documentation and configuration to determine the time stamp format for log data. + +If the time stamp is not mapped to UTC or GMT time, this is a finding.SRG-APP-000375<GroupDescription></GroupDescription>SRG-APP-000375-WSR-000171The web server must record time stamps for log records to a minimum granularity of one second.<VulnDiscussion>Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. + +Time stamps generated by the web server include date and time and must be to a granularity of one second.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70231V-55977CCI-001889Configure the web server to record log events with a time stamp to a granularity of one second.Review the web server documentation and configuration to determine if log records are time stamped to a minimum granularity of one second. 
+ +Have a user generate a logable event and review the log data to determine if the web server is configured correctly. + +If the log data does not contain a time stamp to a minimum granularity of one second, this is a finding.SRG-APP-000380<GroupDescription></GroupDescription>SRG-APP-000380-WSR-000072The web server application, libraries, and configuration files must only be accessible to privileged users.<VulnDiscussion>A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server instability, or hosted application instability. + +To limit changes to the web server and limit exposure to any adverse effects from the changes, files such as the web server application files, libraries, and configuration files must have permissions and ownership set properly to only allow privileged users access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70235V-55981CCI-001813Define roles and responsibilities to be used when managing the web server. + +Configure the hosting system to utilize specific roles that restrict access related to web server system and configuration changes.Review the web server documentation and configuration to determine if the web server provides unique account roles specifically for the purposes of segmenting the responsibilities for managing the web server. + +Log into the hosting server using a web server role with limited permissions (e.g., Auditor, Developer, etc.) 
and verify the account is not able to perform configuration changes that are not related to that role. + +If roles are not defined with limited permissions and restrictions, this is a finding.SRG-APP-000383<GroupDescription></GroupDescription>SRG-APP-000383-WSR-000175The web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services.<VulnDiscussion>Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. + +The web server must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too unsecure, or are prohibited by the PPSM CAL and vulnerability assessments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70245V-55991CCI-001762Configure the web server to disable any ports or protocols that are not permitted, are nonsecure for a production web server or are not necessary for web server operation.Review the web server documentation and deployment configuration to determine which ports and protocols are enabled. + +Verify that the ports and protocols being used are permitted, necessary for the operation of the web server and the hosted applications and are secure for a production system. 
+ +If any of the ports or protocols are not permitted, are nonsecure or are not necessary for web server operation, this is a finding.SRG-APP-000427<GroupDescription></GroupDescription>SRG-APP-000427-WSR-000186The web server must only accept client certificates (user and machine) issued by DOD PKI or DOD-approved PKI Certificate Authorities (CAs).<VulnDiscussion>Non-DOD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DOD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70281V-56027CCI-002470Configure the web server to only allow the use of DOD PKI-established CAs for the session establishment. Configure validation for both the user and machine certificates.If the web server does not provide PKI-based user authentication intermediary services, this is not applicable. + +Verify the web server only allows the use of DOD PKI-established CA for verification when establishing sessions. + +Verify both user and machine certificates are being validated when establishing sessions. 
+ +If the web server does not validate user and machine certificates using DOD PKI-established CAs, this is a finding.SRG-APP-000429<GroupDescription></GroupDescription>SRG-APP-000429-WSR-000113The web server must encrypt user identifiers and passwords.<VulnDiscussion>When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. User identities and passwords stored on the hard drive of the hosting hardware must be encrypted to protect the data from easily being discovered and used by an unauthorized user to access the hosted applications. The cryptographic libraries and functionality used to store and retrieve the user identifiers and passwords must be part of the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70285V-56031CCI-002476Configure the web server to encrypt the user identifiers and passwords when storing them on digital media.Review the web server documentation and deployed configuration to determine whether the web server is authorizing and managing users. + +If the web server is not authorizing and managing users, this is NA. + +If the web server is the user authenticator and manager, verify that stored user identifiers and passwords are being encrypted by the web server. 
If the user information is not being encrypted when stored, this is a finding.SRG-APP-000435<GroupDescription></GroupDescription>SRG-APP-000435-WSR-000147The web server must be protected from being stopped by a non-privileged user.<VulnDiscussion>An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. + +To prohibit an attacker from stopping the web server, the process ID (pid) of the web server and the utilities used to start/stop the web server must be protected from access by non-privileged users. By knowing the pid and having access to the web server utilities, a non-privileged user has a greater capability of stopping the server, whether intentionally or unintentionally.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70253V-55999CCI-002385Remove or modify non-privileged account access to the web server process ID and the utilities used for starting/stopping the web server.Review the web server documentation and deployed configuration to determine where the process ID is stored and which utilities are used to start/stop the web server. + +Determine whether the process ID and the utilities are protected from non-privileged users. 
+ +If they are not protected, this is a finding.SRG-APP-000435<GroupDescription></GroupDescription>SRG-APP-000435-WSR-000148The web server must be tuned to handle the operational requirements of the hosted application.<VulnDiscussion>A Denial of Service (DoS) can occur when the web server is so overwhelmed that it can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a DoS condition even with expected traffic from users. To avoid a DoS, the web server must be tuned to handle the expected traffic for the hosted applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70251V-55997CCI-002385Analyze the expected user traffic for the hosted applications. + +Tune the web server to avoid a DoS condition under normal user traffic to the hosted applications.Review the web server documentation and deployed configuration to determine what parameters are set to tune the web server. + +Review the hosted applications along with risk analysis documents to determine the expected user traffic. + +If the web server has not been tuned to avoid a DoS, this is a finding.SRG-APP-000439<GroupDescription></GroupDescription>SRG-APP-000439-WSR-000151The web server must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.<VulnDiscussion>Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. 
This is usually achieved through the use of Transport Layer Security (TLS). + +Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. + +If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70255V-56001CCI-002418Configure the web server to encrypt the transmission of data between the web server and external devices.Review the web server documentation and deployed configuration to determine whether the transmission of data between the web server and external devices is encrypted. + +If the web server does not encrypt the transmission, this is a finding.SRG-APP-000439<GroupDescription></GroupDescription>SRG-APP-000439-WSR-000152Web server session IDs must be sent to the client using SSL/TLS.<VulnDiscussion>The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session can be hijacked. 
By encrypting the session identifier, the identifier becomes more difficult for an attacker to hijack, decrypt, and use before the session has expired.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70257V-56003CCI-002418Configure the web server to encrypt the session identifier for transmission to the client.Review the web server documentation and deployed configuration to determine whether the session identifier is being sent to the client encrypted. + +If the web server does not encrypt the session identifier, this is a finding.SRG-APP-000439<GroupDescription></GroupDescription>SRG-APP-000439-WSR-000153Web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed.<VulnDiscussion>A cookie is used when a web server needs to share data with the client's browser. The data is often used to remember the client when the client returns to the hosted application at a later date. A session cookie is a special type of cookie used to remember the client during the session. The cookie will contain the session identifier (ID) and may contain authentication data to the hosted application. To protect this data from easily being compromised, the cookie can be encrypted. + +When a cookie is sent encrypted via SSL/TLS, an attacker must spend a great deal of time and resources to decrypt the cookie. If, along with encryption, the cookie is compressed, the attacker can now use a combination of plaintext injection and inadvertent information leakage through data compression to reduce the time needed to decrypt the cookie. 
This attack is called Compression Ratio Info-leak Made Easy (CRIME). + +Cookies shared between the web server and the client when encrypted should not also be compressed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70259V-56005CCI-002418Configure the web server to send the cookie to the client via SSL/TLS without using cookie compression.Review the web server documentation and deployed configuration to determine whether cookies are being sent to the client using SSL/TLS. + +If the transmission is through a SSL/TLS connection, but the cookie is not being compressed, this finding is NA. + +If the web server is using SSL/TLS for cookie transmission and the cookie is also being compressed, this is a finding.SRG-APP-000439<GroupDescription></GroupDescription>SRG-APP-000439-WSR-000154Cookies exchanged between the web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data.<VulnDiscussion>A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e. 
HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70261V-56007CCI-002418Configure the web server to disallow client-side scripts the capability of reading cookie information.Review the web server documentation and deployed configuration to determine how to disable client-side scripts from reading cookies. + +If the web server is not configured to disallow client-side scripts from reading cookies, this is a finding.SRG-APP-000439<GroupDescription></GroupDescription>SRG-APP-000439-WSR-000155Cookies exchanged between the web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies.<VulnDiscussion>Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session cookies, being sent in plaintext, a cookie can be encrypted before transmission. 
To force a cookie to be encrypted before transmission, the cookie Secure property can be set.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70263V-56009CCI-002418Configure the web server to encrypt cookies before transmission.Review the web server documentation and deployed configuration to verify that cookies are encrypted before transmission. + +If the web server is not configured to encrypt cookies, this is a finding.SRG-APP-000439<GroupDescription></GroupDescription>SRG-APP-000439-WSR-000156A web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.<VulnDiscussion>Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. 
+ +NIST SP 800-52 defines the approved TLS versions for government applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70265V-56011CCI-002418Configure the web server to use an approved TLS version according to NIST SP 800-52 and to disable all non-approved versions.Review the web server documentation and deployed configuration to determine which version of TLS is being used. + +If the TLS version is not an approved version according to NIST SP 800-52 or non-FIPS-approved algorithms are enabled, this is a finding.SRG-APP-000439<GroupDescription></GroupDescription>SRG-APP-000439-WSR-000188The web server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.<VulnDiscussion>During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with the cipher suite it will use for communication from the client list. 
If an attacker can intercept the submission of cipher suites to the web server and place, as the preferred cipher suite, a weak export suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-75835V-61353CCI-002418Configure the web server to have export ciphers removed.Review the web server documentation and deployed configuration to determine if export ciphers are removed. + +If the web server does not have the export ciphers removed, this is a finding. +SRG-APP-000441<GroupDescription></GroupDescription>SRG-APP-000441-WSR-000181The web server must maintain the confidentiality and integrity of information during preparation for transmission.<VulnDiscussion>Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. + +An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. 
+ +Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70267V-56013CCI-002420Configure the web server to maintain the confidentiality and integrity of information during preparation for transmission.Review the web server documentation and deployed configuration to determine if the web server maintains the confidentiality and integrity of information during preparation before transmission. + +If the confidentiality and integrity are not maintained, this is a finding.SRG-APP-000442<GroupDescription></GroupDescription>SRG-APP-000442-WSR-000182The web server must maintain the confidentiality and integrity of information during reception.<VulnDiscussion>Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. + +Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. 
+ +The web server must utilize approved encryption when receiving transmitted data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70269V-56015CCI-002422Configure the web server to utilize a transmission method that maintains the confidentiality and integrity of information during reception.Review web server configuration to determine if the server is using a transmission method that maintains the confidentiality and integrity of information during reception. + +If a transmission method is not being used that maintains the confidentiality and integrity of the data during reception, this is a finding.SRG-APP-000456<GroupDescription></GroupDescription>SRG-APP-000456-WSR-000187The web server must install security-relevant software updates within the configured time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).<VulnDiscussion>Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. + +The web server will be configured to check for and install security-relevant software updates from an authoritative source within an identified time period from the availability of the update. 
By default, this time period will be every 24 hours.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70287V-56033CCI-002605Configure the web server to check for patches and updates from an authoritative source at least every 30 days.Review the web server documentation and configuration to determine if the web server checks for patches from an authoritative source at least every 30 days. + +If there is no timeframe or the timeframe is greater than 30 days, this is a finding.SRG-APP-000516<GroupDescription></GroupDescription>SRG-APP-000516-WSR-000079All accounts installed with the web server software and tools must have passwords assigned and default passwords changed.<VulnDiscussion>During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, which will be known and documented by the vendor and the user community. + +The first things an attacker will try when presented with a login screen are the default user identifiers with default passwords. Installed applications may also install accounts with no password, making the login even easier. Once the web server is installed, the passwords for any created accounts should be changed and documented. The new passwords must meet the requirements for all passwords, i.e., upper/lower characters, numbers, special characters, time until change, reuse policy, etc. 
+ +Service accounts or system accounts that have no login capability do not need to have passwords set or changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70241V-55987CCI-000366Set passwords for non-service/system accounts containing no passwords and change the passwords for accounts which still have default passwords.Review the web server documentation and deployment configuration to determine what non-service/system accounts were installed by the web server installation process. + +Verify the passwords for these accounts have been set and/or changed from the default passwords. + +If these accounts still have no password or default passwords, this is a finding.SRG-APP-000516<GroupDescription></GroupDescription>SRG-APP-000516-WSR-000174The web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.<VulnDiscussion>Configuring the web server to implement organization-wide security implementation guides and security checklists guarantees compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. + +Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. 
Security-related parameters are those parameters impacting the security state of the web server, including the parameters required to satisfy other security control requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70239V-55985CCI-000366Configure the web server to be configured according to DoD security configuration guidance.Review the web server documentation and deployed configuration to determine if web server is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance. + +If the web server is not configured according to the guidance, this is a finding.SRG-APP-000416<GroupDescription></GroupDescription>SRG-APP-000416-WSR-000118The web server must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.<VulnDiscussion>Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. + +Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. + +NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 
4009) defines Type 1 products as: + +"Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms are used to protect systems requiring the most stringent protection mechanisms." + +Although persons may have a security clearance, they may not have a "need-to-know" and are required to be separated from the information in question. The web server must employ NSA-approved cryptography to protect classified information from those individuals who have no "need-to-know" or when encryption of compartmentalized data is required by data classification.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910SV-70271V-56017CCI-002450Configure the web server to utilize cryptography when protecting compartmentalized data.Review policy documents to identify data that is compartmentalized (i.e. classified, sensitive, need-to-know, etc.) and requires cryptographic protection. + +Review the web server documentation and deployed configuration to identify the encryption modules utilized to protect the compartmentalized data. 
+ +If the encryption modules used to protect the compartmentalized data are not compliant with the data, this is a finding.SRG-APP-000219-WSR-000190<GroupDescription></GroupDescription>SRG-APP-000219-WSR-000190The web server must restrict a consistent inbound source IP for the entire management session.<VulnDiscussion>Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. + +Application communication sessions are protected utilizing transport encryption protocols, such as TLS. TLS provides web applications with a means to be able to authenticate user sessions and encrypt application traffic. Session authentication can be single (one way) or mutual (two way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. + +This requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. 
Depending on the required degree of confidentiality and integrity, web services will require the use of TLS mutual authentication (two-way/bidirectional).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910CCI-001184Configure the web server to restrict the management session to a consistent inbound IP for the entire management session.Verify the web server limits authenticated client management sessions to initial session source IP. + +If the web server does not limit authenticated client management sessions to initial session source IP, this is a finding.SRG-APP-000219-WSR-000191<GroupDescription></GroupDescription>SRG-APP-000219-WSR-000191The web server must restrict a consistent inbound source IP for the entire user session.<VulnDiscussion>Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. + +Application communication sessions are protected utilizing transport encryption protocols, such as TLS. TLS provides web applications with a means to be able to authenticate user sessions and encrypt application traffic. Session authentication can be single (one way) or mutual (two way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. 
+ +This requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services will require the use of TLS mutual authentication (two-way/bidirectional).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910CCI-001184Configure the web server to restrict the user session to a consistent inbound IP for the entire user session.Verify the web server limits authenticated user sessions to a consistent inbound IP for the entire user session + +If the web server does not limit authenticated user sessions to a consistent inbound IP for the entire user session, this is a finding.SRG-APP-000439-WSR-000192<GroupDescription></GroupDescription>SRG-APP-000439-WSR-000192The web server must use HTTP/2, at a minimum. <VulnDiscussion>HTTP/2, like HTTPS, enhances security compared to HTTP/1.x by minimizing the risk of header-based attacks (e.g., header injection and manipulation). + +Websites that fully utilize HTTP/2 are inherently protected and defend against smuggling attacks. HTTP/2 provides the method for specifying the length of a request, which removes any potential for ambiguity that can be leveraged by an attacker. + +This is applicable to all web architectures such as load balancing/proxy use cases. +- The front-end and back-end servers should both be configured to use HTTP/2. +- HTTP/2 must be used for communications between web servers. 
+- Browser vendors have agreed to only support HTTP/2 only in HTTPS mode, thus TLS must be configured to meet this requirement. TLS configuration is out of scope for this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910CCI-002418Configure the web server to use HTTP/2, at a minimum. + +Note that browsers support HTTP/2 only in HTTPS mode. The tunneling of HTTP/1.x through HTTPS is not an approved configuration.Verify the web server uses HTTP/2. + +If the web server does not use HTTP/2 at a minimum, this is a finding.SRG-APP-000439-WSR-000193<GroupDescription></GroupDescription>SRG-APP-000439-WSR-000193The web server must disable HTTP/1.x downgrading.<VulnDiscussion>HTTP/2 is backward compatible with HTTP/1.x, so it is possible to configure the architecture to implement a front-end server for HTTP/2 while communicating with one or more back-end servers that support only HTTP/1.x. Thus, the front end effectively has to translate or downgrade the requests it receives into the less secure protocol. HTTP downgrading negates the benefits of HTTP/2. + +If HTTP downgrading cannot be avoided, validate the rewritten/downgraded request against the HTTP/1.1 specification. 
For example, reject requests that contain newlines in the headers, colons in header names, and spaces in the request method.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910CCI-002418Configure the web server to disable HTTP/1.x downgrading. + +If HTTP downgrading is operationally necessary, validate the rewritten request against the HTTP/1.1 specification, i.e., reject requests that contain new lines in the headers, colons in header names, and spaces in the request method.If HTTP downgrading is operationally necessary, and the rewritten request is validated against HTTP/1.x specification (i.e., verify requests that contain new lines in the headers, colons in header names, and spaces in the request method are rejected), mark as a CAT III finding. + +Verify that HTTP/1.x downgrading is disabled. + +If the HTTP/1.x downgrading is enabled, this is a finding.SRG-APP-000251-WSR-000194<GroupDescription></GroupDescription>SRG-APP-000251-WSR-000194The web server must interpret and normalize ambiguous HTTP requests or terminate the TCP connection.<VulnDiscussion>Request smuggling attacks involve placing both the Content-Length header and the Transfer-Encoding header into a single HTTP/1 request and manipulating it so that web servers (i.e., back-end, front-end, load balancers) process the request differently. There are a number of variants of this type of attack with different names. However, all variants are addressed by configuring the front-end server to exclusively use HTTP/2 when communicating with other web servers. 
Specific instances of this vulnerability can be resolved by reconfiguring the front-end server to normalize ambiguous requests before routing them onward. However, if the request cannot be made unambiguous or normalized, configure both the front-end and back-end servers to reject the message and close the connection. + +It is important to not assume requests do not have a body. For all web servers, examine requests that report message body length as zero in the HTTP header and drop the request. + +For load balancing or reverse proxying implementation: +-The front-end web server must interpret and forward HTTP requests, such that the back-end server receives a consistent interpretation of the request, or terminate the TCP connection. +-The back-end web server must drop ambiguous requests that cannot be normalized and terminate the TCP connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910CCI-001310Configure the web server to interpret HTTP headers so they are normalized and unambiguous. The web server must validate requests that report message body as "zero" in the HTTP header. + +Configure the web server to drop ambiguous requests that cannot be normalized and terminate the TCP connection.Verify the web server normalizes ambiguous requests or terminates the TCP connection. 
+ +If the web server does not drop ambiguous requests that cannot be normalized and terminate the TCP connection, this is a finding.SRG-APP-000251-WSR-000195<GroupDescription></GroupDescription>SRG-APP-000251-WSR-000195The web server must terminate the connection if server-level exceptions are triggered when handling requests to prevent HTTP request smuggling attacks.<VulnDiscussion>The web server defines a set of exceptions for every HTTP status code. Each exception class has a status code according to RFC 2068: Codes with 100-300 are not really errors; 400s are client errors, and 500s are server errors. If not directly specified, headers will be added to the default response headers. + +In the event of an anomaly or exception during the processing of requests, it is safer to terminate the connection to prevent malformed requests from exploiting potential protocol vulnerabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910CCI-001310Configure web server to terminate the connection if server-level exceptions are triggered when handling requests to prevent HTTP request smuggling attacks.Verify the web server terminates the connection if server-level exceptions are triggered when handling requests. 
+ +If the web server does not terminate the connection if server-level exceptions are triggered when handling requests, this is a finding.SRG-APP-000439-WSR-000196<GroupDescription></GroupDescription>SRG-APP-000439-WSR-000196The web server must only use forward proxies that route HTTP/2 requests upstream.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and read or altered. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +It is crucial that the web server and forward proxy agree about the boundaries between requests. Otherwise, an attacker may be able to send ambiguous and other smuggling attacks to the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Web ServerDISADPMS TargetWeb Server2910CCI-002418Configure the web server to only use forward proxies that route HTTP/2 requests upstream.If a forward proxy is not used, this is not applicable. + +Verify the web server only uses forward proxies that route HTTP/2 requests upstream. + +If the web server uses forward proxies that do not only route HTTP/2 requests, this is a finding. \ No newline at end of file diff --git a/stigs.json b/stigs.json index de05afede..151b5987c 100644 --- a/stigs.json +++ b/stigs.json 
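Review bot: the seven rules added at the end of the Web Server hunk (SRG-APP-000219-WSR-000190 through SRG-APP-000439-WSR-000196) carry no SV-/V- legacy identifiers and use the full rule id as their group id (e.g. `SRG-APP-000219-WSR-000190<GroupDescription></GroupDescription>SRG-APP-000219-WSR-000190`), whereas every earlier rule pairs a short group id such as `SRG-APP-000439` with identifiers like `SV-70259V-56005`; any consumer of this benchmark that keys on the group id or the V- number should be checked before this lands. Two smaller points: the new XML is committed without a trailing newline (`\ No newline at end of file`), and the SRG-APP-000456-WSR-000187 discussion says the update check period "will be every 24 hours" while its fix and check text require "at least every 30 days", which is worth flagging upstream to DISA even though this mirror should not alter the published text.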
@@ -3179,11 +3179,11 @@ }, { "id": "VPN", - "name": "Virtual Private Network SRG - Ver 2, Rel 5", - "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VPN_V2R5_SRG.zip", - "size": "1022.99 KB", - "version": "V2R5", - "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_VPN_SRG_V2R5_Manual-xccdf.xml" + "name": "Virtual Private Network SRG - Ver 2, Rel 6", + "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VPN_V2R6_SRG.zip", + "size": "1.04 MB", + "version": "V2R6", + "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_VPN_SRG_V2R6_Manual-xccdf.xml" }, { "id": "VMware_Horizon_7-13_Agent_STIG", @@ -3273,11 +3273,11 @@ }, { "id": "Web_Server_SRG", - "name": "Web Server SRG - Ver 3, Rel 2", - "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Web_Server_V3R2_SRG.zip", - "size": "1.15 MB", - "version": "V3R2", - "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Web_Server_V3R2_Manual-xccdf.xml" + "name": "Web Server SRG - Ver 3, Rel 3", + "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Web_Server_V3R3_SRG.zip", + "size": "1.16 MB", + "version": "V3R3", + "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Web_Server_V3R3_Manual-xccdf.xml" }, { "id": "Zebra_Android_11_COBO_STIG", 
@@ -4760,18 +4760,18 @@ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/scc-5.9_Windows_bundle.zip", "size": "94.37 MB" }, - { - "id": "603e01eb-2b1c-4c80-bc32-0eb30588935c", - "name": "z/OS ACF2 Products - Ver 6, Rel 59", - "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_ACF2_V6R59_Products.zip", - "size": "9.7 MB", - "version": "V6R59" - }, { "id": "520cc180-6fda-40c9-a627-3b4187366c89", "name": "z/OS RACF Products - Ver 6, Rel 59", "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_RACF_V6R59_Products.zip", "size": "8.96 MB", "version": "V6R59" + }, + { + "id": "2198f621-ba44-4aec-9822-fff610e79a14", + "name": "z/OS SRR Scripts - Ver 6, Rel 59", + "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_V6R59_SRR.zip", + "size": "1.89 MB", + "version": "V6R59" } ] \ No newline at end of file
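Review bot: the last hunk does more than bump versions: it deletes the `z/OS ACF2 Products - Ver 6, Rel 59` entry (id `603e01eb-2b1c-4c80-bc32-0eb30588935c`) outright while adding `z/OS SRR Scripts - Ver 6, Rel 59`, and the commit message only says "Update Benchmarks"; confirm the ACF2 removal reflects the upstream download listing rather than a missed scrape, since consumers of stigs.json keyed on that id lose the entry with no replacement. In the VPN and Web Server hunks the `file` fields point at `.../main/benchmarks/DISA/U_VPN_SRG_V2R6_Manual-xccdf.xml` and `.../U_Web_Server_V3R3_Manual-xccdf.xml`, files created in this same commit, so those links only resolve once this is merged to main; acceptable for an automated update, but worth noting for anyone validating the JSON from a branch.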