kriterion 0.0.1

data/standards/stig_iis6_site.json

@@ -0,0 +1,263 @@
+{
+  "name": "stig_iis6_site",
+  "date": "2015-06-01",
+  "description": "None",
+  "title": "IIS6 Site",
+  "version": "None",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-13620",
+      "title": "A private web site must utilize certificates from a trusted DoD CA.",
+      "description": "The use of a DoD PKI certificate ensures clients that the private web site they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13672",
+      "title": "The private web server must use an approved DoD certificate validation process.",
+      "description": "Without the use of a certificate validation process, the site is vulnerable to accepting expired or revoked certificates.  This would allow unauthorized individuals access to the web server. This also defeats the purpose of the multi-factor authentication provided by the PKI process.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13686",
+      "title": "Web Administrators must secure encrypted connections for Document Root directory uploads.",
+      "description": "Logging in to a web server via a telnet session or using HTTP or FTP in order to upload documents to the web site is a risk if proper encryption is not utilized to protect the data being transmitted. A secure shell service or HTTPS needs to be installed and in use for these purposes.",
+      "severity": "high"
+    },
+    {
+      "id": "V-13688",
+      "title": "Log file data must contain required data elements.",
+      "description": "The use of log files is a critical component of the operation of the Information Systems (IS) used within the DoD, and they can provide invaluable assistance with regard to damage assessment, causation, and the recovery of both affected components and data. They may be used to monitor accidental or intentional misuse of the (IS) and may be used by law enforcement for criminal prosecutions. The use of log files is a requirement within the DoD.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13689",
+      "title": "Access to the web site log files must be restricted.",
+      "description": "A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Failure to protect log files could enable an attacker to modify the log file data or falsify events to mask an attacker's activity.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13694",
+      "title": "Public web servers must use TLS if authentication is required.",
+      "description": "Transport Layer Security (TLS) is optional for a public web server.  However, if authentication is being performed, then the use of the TLS protocol is required.\n\nWithout the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure.  Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network.  To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled.\n\nFIPS 140-2 approved TLS versions include TLS V1.0 or greater.  NIST SP 800-52 specifies the preferred configurations for government systems.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13699",
+      "title": "The IIS web site permissions \"Write\" or \"Script Source\" must not be selected.",
+      "description": "Web site permissions to include Read, Write, and Script Source Access can be set within the IIS Administration tool. Configuration settings made at the Web Server level are inherited by all of the web sites on the server.  It can override inheritance by configuring the individual site or site element.  These permissions control what users can access from the web site. If Read is selected, then source of the pages can be read, if Write is selected, then pages can be written to or updated. If the Script Source Access is checked, source code for scripts can be viewed. This option is not available if neither Read nor Write is selected.  Allowing users' access to the source of the web pages, may provide the user with more information than they are authorized to see. This is especially an issue for the source code for scripts on the web server.",
+      "severity": "high"
+    },
+    {
+      "id": "V-13702",
+      "title": "The Content Location header must not contain proprietary IP addresses.",
+      "description": "When using static HTML pages, a Content-Location header is added to the response.  By default, Internet Information Server (IIS) 4.0 Content-Location references the IP address of the server rather than the FQDN or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses to sending the FQDN instead.\n\nThe value that needs to be set is the w3svc/UseHostName, and it needs to be set to True.\n\nThe other option to prevent this from occurring is to use Active Server Pages instead of static HTML pages and create a custom header that sends back a specific Content-Location.  For complete instructions on this issue, please refer to Microsoft Knowledge Base article Q218180.",
+      "severity": "low"
+    },
+    {
+      "id": "V-13703",
+      "title": "The web site must have a unique application pool.",
+      "description": "Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13704",
+      "title": "The Recycle Worker processes in minutes monitor must be set properly.",
+      "description": "A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13705",
+      "title": "The maximum number of requests an application pool can process must be set.",
+      "description": "A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13706",
+      "title": "The maximum virtual memory monitor must be enabled.",
+      "description": "A worker process handles all application execution, including authentication and authorization, as well as, ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13707",
+      "title": "The maximum used memory monitor must be enabled.",
+      "description": "A worker process handles all application execution, including authentication and authorization, as well as, ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13708",
+      "title": "The Shutdown worker processes Idle Timeout monitor must be enabled.",
+      "description": "A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13709",
+      "title": "The Limit the kernel request queue monitor must be enabled",
+      "description": "A worker process handles all application execution, including authentication and authorization, as well as, ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13710",
+      "title": "The Enable pinging monitor must be enabled.",
+      "description": "A worker process handles all application execution, including authentication and authorization, as well as, ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13711",
+      "title": "The Enable rapid-fail protection monitor must be enabled.",
+      "description": "A worker process handles all application execution, including authentication and authorization, as well as, ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13712",
+      "title": "The Enable rapid-fail time period monitor must be enabled.",
+      "description": "A worker process handles all application execution, including authentication and authorization, as well as, ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13713",
+      "title": "A unique non-privileged account must be used to run Worker Process Identities.",
+      "description": "The Worker Process Identity is the user defined to run an Application Pool. The IIS 6 worker processes, by default, run under the NetworkService account. Creating a custom identity for each Application Pool better track issues occurring within each web site. When a custom identity is used, the rights and privileges must not exceed those associated with the NetworkService security principal.",
+      "severity": "high"
+    },
+    {
+      "id": "V-13723",
+      "title": "The MaxRequestEntityAllowed metabase value must be defined.",
+      "description": "IIS 6.0 limits the size of requests directly from the settings in the metabase with the metabase entry MaxRequestEntityAllowed. This entry is similar to the MaxRequest EntityAllowed and MaxAllowedContentLength settings configured in the UrlScan tool. \n\nThe MaxRequestEntityAllowed property specifies the maximum number of bytes allowed in the entity body of a request. If a Content-Length header is present and specifies an amount of data greater than the value of MaxRequestEntityAllowed, IIS sends a 403 error response.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2226",
+      "title": "Web content directories must not be anonymously shared.",
+      "description": "Anonymously shared directories are exposed to unnecessary risk. Any unnecessary exposure increases the risk that an intruder could exploit the access and compromise the web content or cause web server performance problems.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2229",
+      "title": "Interactive scripts must have proper access controls.",
+      "description": "CGI is a ‘programming standard’ for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does represent a CGI script, but CGI scripts may be written in a number of programming languages (e.g., PERL, C, PHP, and Javascript), each having their own unique file extension.\n\nThe use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2230",
+      "title": "Backup interactive scripts must be removed from the web site.",
+      "description": "Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as the actual script being executed and, as such, are useful to malicious users. Techniques and systems exist today that search web servers for such files and are able to exploit the information contained in them.",
+      "severity": "low"
+    },
+    {
+      "id": "V-2240",
+      "title": "Web sites must limit the number of simultaneous requests.",
+      "description": "Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, which can facilitate a Denial of Service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2245",
+      "title": "Each readable web document directory must contain a default, home, index or equivalent file.",
+      "description": "The goal is to control the web users experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server’s directory structure by locating directories with default pages. This practice helps ensure the anonymous web user will not obtain directory browsing information or an error message revealing the server type and version.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2250",
+      "title": "Logs of web server access and errors must be established and maintained.",
+      "description": "A major tool in exploring the web site use, attempted use, unusual conditions, and problems are reported in the access and error logs. In the event of a security incident, these logs can provide the SA and the Web Manager with valuable information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2252",
+      "title": "Users other than Auditors group must not have greater than read access to log files.",
+      "description": "A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the Web Manager with valuable information. To ensure the integrity of the log files and protect the SA and Web Manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2254",
+      "title": "Only fully reviewed and tested web sites must exist on a production web server.",
+      "description": "In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files revealing business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security, which is totally avoidable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2258",
+      "title": "The web client account access to the content and scripts directories must be limited to read and execute.",
+      "description": "Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.",
+      "severity": "high"
+    },
+    {
+      "id": "V-2260",
+      "title": "A web site must not contain a robots.txt file.",
+      "description": "Search engines are constantly at work on the Internet.  Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content.  In turn, these search engines make the content they obtain and catalog available to any public web user. \n\nTo request that a well behaved search engine not crawl and catalog a site, the web site may contain a file called robots.txt.  This file contains directories and files that the web server SA desires not be crawled or cataloged, but this file can also be used, by an attacker or poorly coded search engine, as a directory and file index to a site.  This information may be used to reduce an attacker’s time searching and traversing the web site to find files that might be relevant.  If information on the web site needs to be protected from search engines and public view, other methods must be used.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2262",
+      "title": "A private web server must utilize an approved TLS version.",
+      "description": "Transport Layer Security (TLS) encryption is a required security setting for a private web server.  Encryption of private information is essential to ensuring data confidentiality.  If private information is not encrypted, it can be intercepted and easily read by an unauthorized party.  A private web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled.\n\nFIPS 140-2 approved TLS versions include TLS V1.0 or greater.  NIST SP 800-52 specifies the preferred configurations for government systems.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2263",
+      "title": "A private web server must have a valid server certificate.",
+      "description": "This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance that the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2265",
+      "title": "Java software installed on the web server must be limited to class files and the JAVA virtual machine.",
+      "description": "From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application’s logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.",
+      "severity": "low"
+    },
+    {
+      "id": "V-2267",
+      "title": "Unused and vulnerable script mappings in IIS 6 must be removed.",
+      "description": "IIS file extensions which require server-side processing, but which have been deemed vulnerable, include .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .bat, .cmd and .stm. Requests to these file types can exploit a stack buffer overflow weakness in the ism.dll, httpodbc.dll, and ssinc.dll.",
+      "severity": "high"
+    },
+    {
+      "id": "V-2268",
+      "title": "The IUSR_machinename account must not have read access to the .inc files or their equivalent.",
+      "description": "Owing to the nature of .inc files, which may contain sensitive logic and potentially reveal sensitive information about the architecture of the web server, it is vital that the end user not be able to access and examine code that is included in .inc files. When server side scripting is the preferred method, this is normally not a problem. Nonetheless, there are key files inherent to the process, which can contain information key to the logic, server structure and configuration of the entire application. The include files for many .asp script files are .inc files. If the correct file name is guessed or derived, their contents will be displayed by a browser. The file must be guarded from prying eyes of the anonymous web user. If the site has named their include files with the .asp extension, then the files will be processed as an .asp file, which by the nature of .asp, will prevent that code from being presented. If the files are named with the .inc extension, or equivalent, SAs do not have this advantage. \n\nJava Server Pages, jsp, is another example of a competing technology which the reviewer will also encounter, that are impacted by this issue. The sample principles outlined here will apply to inlcude files used with Java Server Pages.\n\nIn addition, there are some additional files that need to be protected, which include the global.asa and global.asax files.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2270",
+      "title": "Anonymous FTP users must not have access to interactive scripts.",
+      "description": "The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories containing scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon user-provided input). Such scripts contain information that could be used to compromise a web service, access system resources, or deface a web site.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2272",
+      "title": "PERL scripts must use the TAINT option.",
+      "description": "PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be practical, easy to use, and efficient means of generating interactive web pages for the user. Unfortunately, many widely available freeware PERL programs (scripts) are extremely insecure. This is most readily accomplished by a malicious user substituting input to a PERL script during a POST or a GET operation.\n\nConsequently, the founders of PERL have developed a mechanism named TAINT that protects the system from malicious input sent from outside the program. When the data is tainted, it cannot be used in programs or functions such as eval(), system(), exec(), pipes, or popen(). The script will exit with a warning message.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3333",
+      "title": "The web document (home) directory must be on a separate partition from the web servers system files.",
+      "description": "Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. To obtain such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by mis-configuring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3963",
+      "title": "Indexing Services must only index web content.",
+      "description": "The indexing service can be used to facilitate a search function for web sites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only.",
+      "severity": "low"
+    },
+    {
+      "id": "V-6373",
+      "title": "The required DoD banner page must be displayed to authenticated users accessing a DoD private website.",
+      "description": "A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html) or navigation to the website via a browser can be used to confirm the information provided from interviewing the web staff.",
+      "severity": "low"
+    },
+    {
+      "id": "V-6531",
+      "title": "A private web sites authentication mechanism must use client certificates.",
+      "description": "A DoD private web site must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private web sites.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6755",
+      "title": "Directory browsing must be disabled.",
+      "description": "This ensures the directory structure, filenames, and web publishing features are not accessible. Such information and the contents of files listed are normally readable by the anonymous web user, yet are not intended to be viewed as they often contain information relevant to the configuration and security of the web service. The Directory Browsing feature can be used to facilitate a directory traversal and subsequent directory traversal exploits.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_iis_7.0_web_server.json

@@ -0,0 +1,155 @@
+{
+  "name": "stig_iis_7.0_web_server",
+  "date": "2017-12-21",
+  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
+  "title": "IIS 7.0 WEB SERVER STIG",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-13591",
+      "title": "Classified web servers will be afforded physical security commensurate with the classification of its content.",
+      "description": "When data of a classified nature is migrated to a web server, fundamental principles applicable to the safeguarding of classified material must be followed. A classified web server needs to be afforded physical security commensurate with the classification of its content to ensure the protection of the data it houses.",
+      "severity": "high"
+    },
+    {
+      "id": "V-13621",
+      "title": "All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.",
+      "description": "Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (i.e., compiled code, scripts, web content, etc.). Delete all directories containing samples and any scripts used to execute the samples.",
+      "severity": "high"
+    },
+    {
+      "id": "V-13672",
+      "title": "The private web server must use an approved DoD certificate validation process.",
+      "description": "The Certificate Revocation List (CRL) is used for a number of reasons, for example, when an employee leaves, certificates expire, or if certificate keys become compromised and are reissued. Without the use of a certificate validation process, the server is vulnerable to accepting expired or revoked certificates. This could allow unauthorized individuals access to the web server. The CRL is a repository comprised of revoked certificate data, usually from many contributing CRL sources. \nSites using an Online Certificate Status Protocol (OCSP) rather than CRL download to validate certificates will have obtained and installed an OCSP validation application.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13700",
+      "title": "The File System Object component must be disabled.",
+      "description": "Some Component Object Model (COM) components are not required for most applications and should be removed if possible.  Most notably, consider disabling the File System Object component; however, this will also remove the Dictionary object. Be aware some programs may require this component (e.g., Commerce Server), so it is highly recommended this be tested completely before implementing on the production web server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2234",
+      "title": "Public web server resources must not be shared with private assets.",
+      "description": "It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets. When folders, drives or other resources are directly shared between the public web server and private servers the intent of data and resource segregation can be compromised. \n\nResources, such as, printers, files, and folders/directories must not be shared between public web servers and assets located within the internal network. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2235",
+      "title": "The service account ID used to run the website must have its password changed at least annually.",
+      "description": "Normally, a service account is established for the web service to run under rather than permitting it to run as system or root.  If the web service account requires a password, the password must be changed at least annually.  It is a fundamental tenet of security that passwords are not to be null and must not be set to never expire.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2236",
+      "title": "Installation of compilers on production web servers is prohibited.",
+      "description": "The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2242",
+      "title": "A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.",
+      "description": "To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems.  Public web servers are by nature more vulnerable to attack from publically based sources, such as the public Internet. Once compromised, a public web server might be used as a base for further attack on private resources, unless additional layers of protection are implemented. Public web servers must be located in a DoD DMZ Extension, if hosted on the NIPRNet, with carefully controlled access. Failure to isolate resources in this way increase risk that private assets are exposed to attacks from public sources.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2243",
+      "title": "A private web server must be located on a separate controlled access subnet.",
+      "description": "Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats, which can cause a disruption in service of the web server. To protect the private web server from these threats, it must be located on a separately controlled access subnet and must not be a part of the public DMZ that houses the public web servers. It also cannot be located inside the enclave as part of the local general population LAN.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2246",
+      "title": "The web server must use a vendor-supported version of the web server software.",
+      "description": "Several vulnerabilities are associated with older versions of web server software. As hot fixes and patches are issued, these solutions are included in the next version of the server software.  Maintaining the web server at a current version makes the efforts of a malicious user more difficult.",
+      "severity": "high"
+    },
+    {
+      "id": "V-2247",
+      "title": "Only administrators are allowed access to the directory tree, the shell, or other operating system functions and utilities.",
+      "description": "As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. This is in addition to the anonymous web user account. The resources to which these accounts have access must also be closely monitored and controlled. Only the SA needs access to all the system’s capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files. The anonymous web user account must not have access to system resources as that account could then control the server.",
+      "severity": "high"
+    },
+    {
+      "id": "V-2248",
+      "title": "Access to web administration tools must be restricted to the web manager and the web managers designees.",
+      "description": "The key web service administrative and configuration tools must only be accessible by the web server staff.  All users granted this authority will be documented and approved by the ISSO. Access to the IIS Manager will be limited to authorized users and administrators. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2251",
+      "title": "Programs and features not necessary for operations must be removed.",
+      "description": "Just as running unneeded services and protocols increase the attack surface of the web server, running unneeded utilities and programs is also an added risk to the web server.",
+      "severity": "low"
+    },
+    {
+      "id": "V-2257",
+      "title": "Administrative users and groups with access privilege to the web server must be documented. ",
+      "description": "There are typically several individuals and groups involved in running a production web-site. In most cases, several types of users on a web server can be identified, such as, SA's, Web Managers, Auditors, Authors, Developers, and the Clients.  Nonetheless, only necessary user and administrative accounts will be allowed on the web server.  Accounts will be restricted to those who are necessary to maintain web services, review the server’s operation and the OS.  Owing to the sensitivity of web servers, a detailed record of these accounts must be maintained.",
+      "severity": "low"
+    },
+    {
+      "id": "V-2259",
+      "title": "Web server system files must conform to minimum file permission requirements.",
+      "description": "This check verifies the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web server, and thus its behavior, must also be accessible by the account running the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2261",
+      "title": "A web server must limit e-mail to outbound only.",
+      "description": "Incoming e-mails have been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attacks. Additionally, e-mail is a specialized application requiring the dedication of server resources. A production web server should only provide hosting services for web-sites. Supporting mail services on a web server opens the server to the risk of abuse as an e-mail relay. \n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2265",
+      "title": "Java software installed on the production web server must be limited to .class files and the Java Virtual Machine.",
+      "description": "Source code for a Java program is, many times, stored in files with either .java or .jpp file extensions.  From the .java and .jpp files the Java compiler produces a binary file with an extension of .class. The .java or .jpp file could therefore reveal sensitive information regarding an application's logic and permissions to resources on the server.",
+      "severity": "low"
+    },
+    {
+      "id": "V-2271",
+      "title": "Monitoring software must include CGI type files or equivalent programs.",
+      "description": "By their very nature, CGI type files permit the anonymous web user to interact with data and perhaps store data on the web server. In many cases, CGI scripts exercise system-level control over the server’s resources. These files make appealing targets for the malicious user. If these files can be modified or exploited, the web server can be compromised. CGI or equivalent files must be monitored by a security tool alerting the web administrator of any unauthorized changes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25994",
+      "title": "Directory Browsing must be disabled on the production web server.",
+      "description": "Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in IIS, users could receive a web page listing the contents of the directory.  If directory browsing is enabled the risk of inadvertently disclosing sensitive content is increased.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25999",
+      "title": "Unspecified file extensions must not be allowed to execute on the production web server.",
+      "description": "By allowing unspecified file extensions to execute, the web servers attack surface is significantly increased.  This increased risk can be reduced by only allowing specific ISAPI extensions or CGI extensions to run on the web server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26006",
+      "title": "A global authorization rule to restrict access must exist on the web server.",
+      "description": "Authorization rules can be configured at the server, web site, folder (including Virtual Directories), or file level.  It is recommended that URL Authorization be configured to only grant access to the necessary security principals. Configuring a global Authorization rule that restricts access ensures inheritance of the settings down through the hierarchy of web directories.  This will ensure access to current and future content is only granted to the appropriate principals, mitigating risk of unauthorized access. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-6537",
+      "title": "Anonymous access accounts must be restricted.",
+      "description": "Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather users are assigned incorrect permissions to unauthorized data. The files, directories, and data that are stored on the web server need to be evaluated and a determination made concerning authorized access to information and programs on the server. Only authorized users and administrative accounts will be allowed on the host server in order to maintain the web server, applications, and review the server operations.",
+      "severity": "high"
+    },
+    {
+      "id": "V-6577",
+      "title": "A web server must not be co-hosted with other services.",
+      "description": "A detailed web server installation and configuration plan should be followed to provide standardization during the installation process.  The installation and configuration plan should not support the co-hosting of multiple services, such as, Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server that is providing the web publishing service.\n\nDisallowed or restricted services in the context of this vulnerability applies to services that are not directly associated with the delivery of web content. An operating system supporting a web server will not provide other services (e.g., domain controller, email server, database server, etc.). Only those services necessary to support the web server and its hosted sites are specifically allowed and may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements. Any unnecessary services or protocols should be removed.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6754",
+      "title": "The use of Internet Printing Protocol (IPP) must be disabled on the IIS web server. ",
+      "description": "The use of Internet Printing Protocol (IPP) on an  IIS web server allows client’s access to shared printers.  This privileged access could allow remote code execution by increasing the web servers attack surface.  Additionally, since IPP does not support SSL, it is considered a risk and will not be deployed. ",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_iis_7.0_web_site.json

@@ -0,0 +1,299 @@
+{
+  "name": "stig_iis_7.0_web_site",
+  "date": "2017-12-21",
+  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
+  "title": "IIS 7.0 WEB SITE STIG",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-13620",
+      "title": "A private web-site must utilize certificates from a trusted DoD CA.",
+      "description": "The use of a DoD PKI certificate ensures clients the private web site they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13686",
+      "title": "Remote authors or content providers will only use secure encrypted logons and connections to upload files to the Document Root directory.",
+      "description": "Logging in to a web server via a telnet session or using HTTP or FTP in order to upload documents to the web site is a risk if proper encryption is not utilized to protect the data being transmitted. A secure shell service or HTTPS needs to be installed and in use for these purposes.",
+      "severity": "high"
+    },
+    {
+      "id": "V-13688",
+      "title": "Log files must consist of the required data fields.",
+      "description": "Log files are a critical component to the successful management of an IS used within the DoD.  By generating log files with useful information web administrators can leverage them in the event of a disaster, malicious attack, or other site specific needs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13689",
+      "title": "Access to the web-site log files must be restricted.",
+      "description": "A major tool in exploring the web-site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Failure to protect log files could enable an attacker to modify the log file data or falsify events to mask an attacker's activity.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13694",
+      "title": "Public web servers must use TLS if authentication is required.",
+      "description": "Transport Layer Security (TLS) is optional for a public web server.  However, if authentication is being performed, then the use of the TLS protocol is required.\n\nWithout the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure.  Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network.  To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled.\n\nFIPS 140-2 approved TLS versions include TLS V1.0 or greater.  NIST SP 800-52 specifies the preferred configurations for government systems.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13702",
+      "title": "The Content Location header must not contain proprietary IP addresses.",
+      "description": "When using static HTML pages, a Content-Location header is added to the response.  The Internet Information Server (IIS) Content-Location may reference the IP address of the server, rather than the Fully Qualified Domain Name (FQDN) or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses, to sending the FQDN instead.",
+      "severity": "low"
+    },
+    {
+      "id": "V-13703",
+      "title": "The website must have a unique application pool.",
+      "description": "Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13704",
+      "title": "The application pool must have a recycle time set.",
+      "description": "Application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13705",
+      "title": "The maximum number of requests an application pool can process must be set.",
+      "description": "IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13706",
+      "title": "The amount of virtual memory an application pool uses must be set.",
+      "description": "IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13707",
+      "title": "The amount of private memory an application pool uses must be set.",
+      "description": "IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13708",
+      "title": "The Idle Timeout monitor must be enabled.",
+      "description": "The idle time-out attribute controls the amount of time a worker process will remain idle before it shuts down. A worker process is idle if it is not processing requests and no new requests are received.\n\nThe purpose of this attribute is to conserve system resources; the default value for idle time-out is 20 minutes.\n\nBy default, the World Wide Web (WWW) service establishes an overlapped recycle, in which the worker process to be shut down is kept running until after a new worker process is started.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13709",
+      "title": "The maximum queue length for HTTP.sys must be managed.",
+      "description": "In order to determine the possible causes of client connection errors and to conserve system resources, it is important to both log errors and manage those settings controlling requests to the application pool.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13710",
+      "title": "An application pool’s pinging monitor must be enabled.",
+      "description": "Windows Process Activation Service (WAS) manages application pool configurations and may flag a worker process as unhealthy and shut it down. An application pool’s pinging monitor must be enabled to confirm worker processes are functional. A lack of response from the worker process might mean the worker process does not have a thread to respond to the ping request, or it is hanging for some other reason. The ping interval and ping response time may need adjustment to gain access to timely information about application pool health without triggering false, unhealthy conditions; for example, instability caused by an application.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13711",
+      "title": "An application pool’s rapid fail protection must be enabled.",
+      "description": "Rapid fail protection is a feature that interrogates the health of worker processes associated with web sites and web applications. It can be configured to perform a number of actions such as shutting down and restarting worker processes that have reached failure thresholds.  By not setting rapid fail protection the web server could become unstable in the event of a worker process crash potentially leaving the web server unusable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13712",
+      "title": "An application pool’s rapid fail protection settings must be managed.",
+      "description": "Windows Process Activation Service (WAS) manages application pool configuration and may flag a worker process as unhealthy and shut it down.  The rapid fail protection must be set to a suitable value.  A lack of response from the worker process might mean the worker process does not have a thread to respond to the ping request, or that it is hanging for some other reason. The ping interval and ping response time may need adjustment to gain access to timely information about application pool health without triggering false, unhealthy conditions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13713",
+      "title": "The application pool identity must be defined for each web-site.",
+      "description": "The Worker Process Identity is the user defined to run an application pool. The IIS 7 worker processes, by default runs under the NetworkService account. Creating a custom identity for each application pool will better track issues occurring within each web-site. When a custom identity is used, the rights and privileges must not exceed those associated with the NetworkService security principal.",
+      "severity": "high"
+    },
+    {
+      "id": "V-15334",
+      "title": "Web sites must utilize ports, protocols, and services according to PPSM guidelines.",
+      "description": "Failure to comply with DoD ports, protocols, and services (PPS) requirements can result\nin compromise of enclave boundary protections and/or functionality of the AIS.\n\nThe IAM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM), and the associated Ports, Protocols, and Services (PPS) Assurance Category Assignments List.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-2226",
+      "title": "Web content directories must not be anonymously shared.",
+      "description": "Anonymously shared directories are exposed to unnecessary risk. Any unnecessary exposure increases the risk that an intruder could exploit this access and compromise the web content or cause web server performance problems.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2228",
+      "title": "All interactive programs must be placed in unique designated folders.",
+      "description": "CGI & ASP scripts represent one of the most common and exploitable means of compromising a web server.  All CGI & ASP program files must be segregated into their own unique folder to simplify the protection of these files. ASP scripts must be placed into a unique folder only containing other ASP scripts. JAVA and other technology-specific scripts must also be placed into their own unique folders. The placement of CGI, ASP, or equivalent scripts to special folders gives the Web Manager or the SA control over what goes into those folders and to facilitate access control at the folder level.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2229",
+      "title": "All interactive programs must have restrictive access controls.",
+      "description": "CGI is a programming standard for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does represent a CGI script, but CGI scripts may be written in a number of programming languages (e.g., PERL, C, PHP, and JavaScript), each having their own unique file extension.\n\nThe use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2230",
+      "title": "Backup interactive scripts must be removed from the web site.",
+      "description": "Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as the actual script being executed and, as such, are useful to malicious users. Techniques and systems exist today to search web servers for such files and are able to exploit the information contained in them.",
+      "severity": "low"
+    },
+    {
+      "id": "V-2240",
+      "title": "Web sites must limit the number of simultaneous requests.",
+      "description": "Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web-site, facilitating a Denial of Service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive (i.e., a parameter used to limit the amount of time a connection may be inactive). ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2245",
+      "title": "Each readable web document directory must contain a default, home, index, or equivalent document.",
+      "description": "The goal is to control the web users experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server’s directory structure by locating directories with default pages. This practice helps ensure the anonymous web user will not obtain directory browsing information or an error message revealing the server type and version.",
+      "severity": "low"
+    },
+    {
+      "id": "V-2249",
+      "title": "Web server/site administration must be performed over a secure path.",
+      "description": "Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk.  Data, such as user account, is transmitted in plaintext and can easily be compromised.  When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used.\n\nAn alternative to remote administration of the web server is to perform web server administration locally at the console.  Local administration at the console implies physical access to the server.",
+      "severity": "high"
+    },
+    {
+      "id": "V-2250",
+      "title": "Web-site logging must be enabled.",
+      "description": "A major tool in exploring the web site use, attempted use, unusual conditions, and problems are reported in the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2254",
+      "title": "Only web sites that have been fully reviewed and tested will exist on a production web server.",
+      "description": "In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files that reveal business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security risk that is totally avoidable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2258",
+      "title": "Access to the web content and script directories must be restricted.",
+      "description": "Excessive permission for the anonymous web user account is a common fault contributing to the compromise of a web server. If this account is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.",
+      "severity": "high"
+    },
+    {
+      "id": "V-2260",
+      "title": "A web site must not contain a robots.txt file.",
+      "description": "Search engines are constantly at work on the Internet.  Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content.  In turn, these search engines make the content they obtain and catalog available to any public web user. \n\nTo request that a well behaved search engine not crawl and catalog a site, the web site may contain a file called robots.txt.  This file contains directories and files that the web server SA desires not be crawled or cataloged, but this file can also be used, by an attacker or poorly coded search engine, as a directory and file index to a site.  This information may be used to reduce an attacker’s time searching and traversing the web site to find files that might be relevant.  If information on the web site needs to be protected from search engines and public view, other methods must be used.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2262",
+      "title": "A private web server must utilize an approved TLS version.",
+      "description": "Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2263",
+      "title": "A private web server must have a valid server certificate.",
+      "description": "This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2267",
+      "title": "Unapproved script mappings in IIS 7 must be removed.",
+      "description": "IIS 7 will either allow or deny script execution based on file extension. The ability to control script execution is controlled through two features with IIS 7, Request Filtering and Handler Mappings.\n\nFor Handler Mappings, the ISSO must document and approve all allowable file extensions the web site allows (white list) and denies (black list) by the web-site. The white list and black list will be compared to the Handler Mappings in IIS 7. Handler Mappings at the site level take precedence over Handler Mappings at the server level.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-26011",
+      "title": "Debug must be turned off on a production website.",
+      "description": "Setting compilation debug to false ensures detailed error information does not inadvertently display during live application usage, mitigating the risk of application information being display to users.",
+      "severity": "low"
+    },
+    {
+      "id": "V-26026",
+      "title": "The production web-site must utilize SHA2 encryption for Machine Key.",
+      "description": "The Machine Key element of the ASP.NET web.config specifies the algorithm and keys that\nASP.NET will use for encryption.  The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, forms authentication, membership and roles, and anonymous identification. Ensuring a strong encryption method can mitigate the risk of data tampering in crucial functional areas such as forms authentication cookies or view state.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26031",
+      "title": "The production web-site must be configured to prevent detailed HTTP error pages from being sent to remote clients.",
+      "description": "HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote requesters exposes internal configuration information to potential attackers.",
+      "severity": "low"
+    },
+    {
+      "id": "V-26034",
+      "title": "The production web-site must configure the Global .NET Trust Level.",
+      "description": "An application's trust level determines the permissions granted by the ASP.NET Code Access Security (CAS) policy.  An application with full trust permissions may access all resource types on a server and perform privileged operations, while applications running with partial trust have varying levels of operating permissions and access to resources. The CAS determines the permissions granted to the application on the server. Setting a level of trust compatible with the applications will limit the potential harm a compromised application could cause to a system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26041",
+      "title": "The web-site must limit the number of bytes accepted in a request.",
+      "description": "By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks.  The maxAllowedContentLength Request Filter limits the number of bytes the server will accept in a request.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26042",
+      "title": "The production web-site must limit the MaxURL.",
+      "description": "Request filtering replaces URLScan in IIS, enabling administrators to create a more granular rule set with which to allow or reject inbound web content.   By setting limits on web requests, it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks.  The MaxURL Request Filter limits the number of bytes the server will accept in a URL.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26043",
+      "title": "The production web-site must configure the Maximum Query String limit.",
+      "description": "By setting limits on web requests, it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks.  The Maximum Query String Request Filter describes the upper limit on allowable query string lengths.  Upon exceeding the configured value, IIS will generate a Status Code 404.15.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26044",
+      "title": "The web-site must not allow non-ASCII characters in URLs.",
+      "description": "By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks.  The allow high-bit characters Request Filter enables rejection of requests containing non-ASCII characters.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26045",
+      "title": "The web-site must not allow double encoded URL requests.",
+      "description": "Request filtering enables administrators to create a more granular rule set with which to allow or reject inbound web content.   By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks.  When the allow double escaping option is disabled it prevents attacks that rely on double-encoded requests.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26046",
+      "title": "The production web-site must filter unlisted file extensions in URL requests.",
+      "description": "Request filtering enables administrators to create a more granular rule set to allow or reject inbound web content.   By setting limits on web requests it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks.  The allow unlisted property of the File Extensions Request Filter enables rejection of requests containing specific file extensions not defined in the File Extensions filter.  Tripping this filter will cause IIS to generate a Status Code 404.7.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3333",
+      "title": "The web document (home) directory must be in a separate partition from the web server’s system files.",
+      "description": "The web document (home) directory is accessed by multiple anonymous users when the web server is in production.  By locating the web document (home) directory on the same partition as the web server system file the risk for unauthorized access to these protected files is increased.  Additionally, having the web document (home) directory path on the same drive as the system folders also increases the potential for a drive space exhaustion attack.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3963",
+      "title": "Indexing Services must only index web content.",
+      "description": "The indexing service can be used to facilitate a search function for web-sites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only.",
+      "severity": "low"
+    },
+    {
+      "id": "V-6373",
+      "title": "The required DoD banner page must be displayed to authenticated users accessing a DoD private website.",
+      "description": "A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html) or navigation to the website via a browser can be used to confirm the information provided from interviewing the web staff.",
+      "severity": "low"
+    },
+    {
+      "id": "V-6531",
+      "title": "A private web-sites authentication mechanism must use client certificates.\n",
+      "description": "A DoD private web-site must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private web-sites.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6724",
+      "title": "All web-sites must be assigned a default Host header.",
+      "description": "In order to reduce the possibility of DNS rebinding attacks and IP-based scans, all web-sites allowing HTTP/HTTPS over ports 80/443 will be assigned default Host headers.",
+      "severity": "low"
+    },
+    {
+      "id": "V-6755",
+      "title": "Directory Browsing must be disabled.",
+      "description": "The Directory Browsing feature can be used to facilitate a directory traversal exploit. Directory browsing must be disabled.",
+      "severity": "medium"
+    }
+  ]
+}