WEB SERVICES SRR RESULTS REPORT WORKSHEET
December 2002, V3 R1
UNCLASSIFIED. Web Services Checklist V3, Field Security Operations, December 2002, Defense Information Systems Agency.
(Every page of the worksheet carries a per-page finding count box: Cat I / Cat II / Cat III / Cat IV.)

Reviewer: ____________________    Date: ____________

Finding Totals
  Category I:   ____
  Category II:  ____
  Category III: ____
  Category IV:  ____
  Total:        ____
Comments: ________________________________________________

SITE INFORMATION
  Site: ____________________
  Web Instance: ____________________
  URL: ____________________

System Administrator / Systems Programmer Information
  Name: ____________________
  E-mail Address: ____________________
  Phone (Commercial): ____________    Phone (DSN): ____________

ISSO / ISSM Information
  Name: ____________________
  E-mail Address: ____________________
  Phone (Commercial): ____________    Phone (DSN): ____________

Web Manager Information
  Name: ____________________
  E-mail Address: ____________________
  Phone (Commercial): ____________    Phone (DSN): ____________

SYSTEM INFORMATION
  System Host Name: ____________________
  Domain / Standalone: ____________________
  DNS Hostname: ____________________
  DNS Domain: ____________________
  TCP/IP Address(es): ____________________
  TCP/IP Address(es): ____________________
  Hardware Description (include CMOS): ____________________
  System Location (building, room): ____________________
  Console Location: ____________________
  System Classification (circle one): UNCLASSIFIED / SECRET / CONFIDENTIAL
  Operating System(s) used on this system (check all that apply):
    [ ] Windows NT Server 4.0
    [ ] Windows NT Workstation 4.0
    [ ] Windows 2000 Server
    [ ] Solaris, ver ____
    [ ] HP-UX, ver ____
    [ ] Other UNIX, name/ver ____
    [ ] Mainframe OS, name/ver ____
  Server Type (for Server Type see Web Application STIG Table 1, page 2, or Web Application Checklist Procedures, page 11):
    [ ] Open
    [ ] Limited
    [ ] Certificate-based
    [ ] Other (explain): ____________________
  System Workload:
    [ ] Administrative
    [ ] Application
    [ ] Database App
    [ ] Database
    [ ] Directory
  Web Server Software (circle one): Apache ver ____ / IIS 4.0 / IIS 5.0 / IIS 5.1 / IIS 6.0 / Netscape ver ____ / Other ____
  ESM Manager Name: ____________________
  Policy ID: ____________________

Applicability notes
  If the server type is Open, all Limited and Certificate-based checks will be marked NA. Conversely, if the server type is Limited and Certificate-based, all Open checks will be marked NA.
  For a Microsoft IIS web server, all WN checks will be marked NA.
  For an iPlanet/Netscape or SUN ONE web server, all WI checks will be marked NA.

FINDING DETAILS
The original table has the columns Procedure (Check Procedures page), Section Headings, Finding Information (Man / Script / Status / Details) and PDI Information (PDI / Description / Cat). Every row offers the same Status choices: Finding / Not a Finding / Not Applicable / Not Reviewed. Underscores mark fill-in fields of the worksheet.

PDI WA030 | Cat III | Check Procedures page 17
  Description: Web content is not reviewed and approved by proper authorities prior to posting to the production web server.
  Status: ____
  Details:
    [ ] Documented procedures for reviewing content prior to posting to a production web server are not present.

PDI WA040 | Cat III | Check Procedures page 18
  Description: Agreements with Internet Service Providers (ISP) are not approved.
  Status: ____
  Details:
    [ ] Site is unaware of ISP agreements.
    [ ] ISP agreements have not been approved by the appropriate office.
    [ ] Site uses NIPRNet or SIPRNet services.

PDI WA050 | Cat III | Check Procedures page 19
  Description: Trained staff are not available to respond to web server or web content problems.
  Status: ____
  Details:
    [ ] Staff is not trained in the technology being used.
    [ ] Staff training does not match technology in use.
    [ ] Staff training is scheduled.
    [ ] Staff is migrating to a new technology.

PDI WG020 | Cat III | Check Procedures page 20
  Description: The web server is not configured to use local DISA or related .mil Domain Name Services (DNS).
  Status: ____
  Details:
    [ ] DNS in use is not on DISANet.
    [ ] DNS provided cannot be verified.
    [ ] System not using DNS.

PDI WA060 | Cat II | Check Procedures page 21
  Description: An Open web server is not isolated in accordance with the DISA STIG on Enclave Security (i.e., server is not in a DMZ / screened subnet).
  Status: ____
  Details:
    [ ] Network diagram not available.
    [ ] Server being reviewed is not reflected on the network diagram.
    [ ] Web server is acting as both an open and limited web server.
    [ ] Site does not have a firewall.
    Mark as NA for a Limited web server.

PDI WG040 | Cat II | Check Procedures page 22
  Description: An Open web server has a trust relationship with a site asset which is not a public/open asset.
  Status: ____
  Details:
    [ ] Open web server shares directories with a Limited or Certificate-based web server.
    [ ] Open web server shares a printer with other site assets which are not open/public assets.
    [ ] Open web server relies upon a database or other server not in the DMZ.
    Mark as NA for a Limited web server.

PDI WA070 | Cat II | Check Procedures page 24
  Description: A Limited or Certificate-based web server is not located inside the premise router or firewall.
  Status: ____
  Details:
    [ ] Site does not have a firewall.
    [ ] Limited or Certificate-based web server is not located inside the premise router.
    [ ] Site uses a switch to isolate internal LAN.
    Mark as NA for an Open web server.

PDI WA080 | Cat II | Check Procedures page 25
  Description: ISSO has not implemented an appropriate method to limit access to the Limited or Certificate-based web servers per the Enclave Security Instruction/STIG.
  Status: ____
  Details:
    [ ] No IP restriction in use.
    [ ] No domain restriction in use.
    [ ] Certificate is installed but encryption is not in use.
    [ ] Certificate is called for but is absent.
    [ ] Userid is required but not a password.

PDI WG050 | Cat II | Check Procedures page 27
  Description: The ISSO has not entrusted the web service's password to the SA or Web Manager.
  Status: ____
  Details:
    [ ] Account does not exist for the web service.
    [ ] Account used is the SA or Web Manager's account.
    [ ] In the case of IIS, the account used by the web service is the System account.

PDI WG060 | Cat III | Check Procedures page 29
  Description: The ISSO has not ensured that the web service's password is changed at least annually.
  Status: ____
  Details:
    [ ] No password policy associated with this account.
    [ ] Default passwords not changed.
    [ ] Password policy is set to never expire.

PDI WG080 | Cat II | Check Procedures page 30
  Description: A compiler will not be installed on a production server.
  Status: ____
  Details:
    [ ] Compiler file found at ____________________.
    [ ] Suspicious file found.

PDI WG090 | Cat II | Check Procedures page 31
  Description: A web server will not be installed on the same platform as a Microsoft Domain Controller.
  Status: ____
  Details:
    [ ] Server is also a PDC.
    [ ] Server is also a BDC.
    [ ] Server is also a DC (WIN2K).

PDI WN010 | Cat III | Check Procedures page 32
  Description: In a Netscape web server, the Termination Timeout will be set to one (1) second or less.
  Status: ____
  Details:
    [ ] Termination Timeout is ____.
    [ ] Termination Timeout parameter missing from magnus.conf.

PDI WG110 | Cat II | Check Procedures page 33
  Description: The number of simultaneous requests that a web server allows is set to unlimited.
  Status: ____
  Details:
    [ ] Simultaneous Requests are set to unlimited in IIS.
    [ ] MaxKeepAliveRequests are set to 0 in the Apache httpd.conf file.
    [ ] RqThrottle is greater than 3000 in the Netscape magnus.conf file.

PDI WN020 | Cat III | Check Procedures page 34
  Description: For Netscape web servers, automatic directory indexing is not turned off.
  Status: ____
  Details:
    [ ] Fancy indexing is set to on.

PDI WG130 | Cat III | Check Procedures page 35
  Description: All utility programs not necessary for operations are not removed or disabled.
  Status: ____
  Details:
    [ ] Found FrontPage.
    [ ] Found MS Office.
    [ ] Found MS Money.
    [ ] Found WordPerfect.
    [ ] Found StarOffice.
    [ ] Found ____________________.

PDI WG170 | Cat III | Check Procedures page 36
  Description: Each readable web document directory does not contain either a default home/index or equivalent file.
  Status: ____
  Details:
    [ ] No default index.html or equivalent file is present in the content directory.

PDI WG190 | Cat II | Check Procedures page 38
  Description: The web server is not using a vendor-supported version of the web server software.
  Status: ____
  Details:
    [ ] Web server software is not vendor supported.

PDI WG200 | Cat II | Check Procedures page 40
  Description: Non-administrators are allowed access to the directory tree, the shell, or other operating system functions and utilities.
  Status: ____
  Details:
    [ ] Web user account has excessive permissions.
    [ ] Web developer account has excessive permissions.
    [ ] ____________ account has excessive permissions.

PDI WG205 | Cat II | Check Procedures page 42
  Description: The web document directory will be in a separate directory or partition from the web server's system files.
  Status: ____
  Details:
    [ ] Web server system files and web document root are in the same directory.
    [ ] Web server operating system files are in the same directory as the web document root.

PDI WG210 | Cat II | Check Procedures page 43
  Description: Web content directories are network sharable.
  Status: ____
  Details:
    [ ] A web content or scripts (cgi) directory is listed in the /etc/dfs/dfstab file.
    [ ] Web sharing or sharing is listed as a property of a web content or scripts directory.
    [ ] NFS is used but not for the web root directory.
    [ ] Directory ____________ is shared as ____________.

PDI WG220 | Cat II | Check Procedures page 45
  Description: Access to the web administration tool is not restricted to the Web Manager or Webmaster or their designees.
  Status: ____
  Details:
    [ ] A non-SA or Web Manager has access to the administration tool (Netscape Admin Server / MMC / ISM / httpd.conf).

PDI WG230 | Cat II | Check Procedures page 47
  Description: Web server administration is not performed over a secure path.
  Status: ____
  Details:
    [ ] SSL (https) is not being used.
    [ ] SSH in lieu of telnet is not being used.

PDI WG240 | Cat III | Check Procedures page 49
  Description: Web server logs are not maintained.
  Status: ____
  Details:
    [ ] Logging is not enabled.
    [ ] Logs are written to default location.
    [ ] Logs are not capturing required data.

PDI WG250 | Cat II | Check Procedures page 51
  Description: The ISSO will ensure that only the Auditors group has greater than read access to log files.
  Status: ____
  Details:
    [ ] The auditors group does not exist.
    [ ] SA or Web Manager have full control of the web logs directory.

PDI WA110 | Cat III | Check Procedures page 53
  Description: Web server access logs are not archived in accordance with the DISA WESTHEM Security Handbook.
  Status: ____
  Details:
    Ref is DISA WESTHEM Security Handbook 3.3.2.d.
    [ ] Site is non-WESTHEM.
    [ ] No one available with knowledge of site's procedure for this item.

PDI WG260 | Cat III | Check Procedures page 54
  Description: Locations on a web site that are still under development will not exist on a production server.
  Status: ____
  Details:
    [ ] Web pages stating "Under Construction" or equivalent wording or graphics were found on a production server.

PDI WG270 | Cat III | Check Procedures page 55
  Description: The web server's htpasswd files (if present) do not reflect proper ownership and permissions.
  Status: ____
  Details:
    [ ] The anonymous web user account has change or write access to the htpasswd file or directory.
    [ ] Site does not use this method for login.

PDI WG280 | Cat II | Check Procedures page 56
  Description: Web server access control files will be owned by a non-privileged web server account and have permissions of 460.
  Status: ____
  Details:
    [ ] htaccess file has excessive permissions.
    [ ] nsconfig file has excessive permissions.
    [ ] metabase.bin file has excessive permissions.
    [ ] syadmin.cfg file has excessive permissions.

PDI WA120 | Cat III | Check Procedures page 58
  Description: The Web Manager or Webmaster has not documented the administrative users and groups which have access rights to the web server.
  Status: ____
  Details:
    [ ] A chart or document detailing those having access to web server administration does not exist.
    [ ] A chart or document detailing those having access to web server content maintenance functions does not exist.
    [ ] Individuals have dual roles.
    [ ] Other roles are directed by parent organization.

PDI WG290 | Cat II | Check Procedures page 59
  Description: The web client account access to the content and scripts directories is not limited to read and execute (or, in the case of IIS, script access).
  Status: ____
  Details:
    [ ] Web user or client account has excessive permissions.

PDI WG300 | Cat II | Check Procedures page 60
  Description: Web server files, to include httpd.conf, metabase.bin, magnus.conf and obj.conf, will have permissions of 650 or more restrictive.
  Status: ____
  Details:
    [ ] httpd.conf has excessive permissions.
    [ ] magnus.conf has excessive permissions.
    [ ] obj.conf has excessive permissions.
    [ ] metabase.bin has excessive permissions.
    [ ] syadmin.cfg has excessive permissions.

PDI WG310 | Cat III | Check Procedures page 63
  Description: A Limited or Certificate-based web server responds to requests from public search engines.
  Status: ____
  Details:
    [ ] robots.txt file does not exist.
    [ ] IP address restrictions are not in use.
    [ ] Domain restrictions are not in use.

PDI WG330 | Cat II | Check Procedures page 65
  Description: An Open web server does not limit email to outbound only.
  Status: ____
  Details:
    [ ] An SMTP server is set to relay email.
    [ ] Cmail was found.
    [ ] The ____________ email server was found.

PDI WG340 | Cat III | Check Procedures page 67
  Description: A Limited or Certificate-based web server is not using SSL.
  Status: ____
  Details:
    [ ] Access restrictions are in use without using encryption.

PDI WG350 | Cat II | Check Procedures page 68
  Description: A Limited or Certificate-based computer system that executes a web application does not have a DoD Certificate.
  Status: ____
  Details:
    [ ] Web site has a Verisign Certificate.
    [ ] Web site has a Microsoft Certificate.
    [ ] Web server does not have a DISA Certificate.
    [ ] Web site has other DoD Certificate.

PDI WG360 | Cat III | Check Procedures page 69
  Description: Symbolic links are allowed in the web document directory tree.
  Status: ____
  Details:
    [ ] Symbolic links were found in dir ____________.
    [ ] Soft links are enabled for dir ____________.

PDI WI040 | Cat II | Check Procedures page 70
  Description: In the case of a web server using IIS, UrlScan is not being used.
  Status: ____
  Details:
    [ ] URLScan is not installed.
    [ ] URLScan is installed but not in use.

PDI WA130 | Cat III | Check Procedures page 72
  Description: Scripts are not reviewed by a CCB or technical group, and installation of scripts on the web server is not controlled.
  Status: ____
  Details:
    [ ] Developers are allowed to install their scripts directly to the web server.
    [ ] Debugging of scripts occurs on a production server.

PDI WG370 | Cat II | Check Procedures page 73
  Description: The shell /bin/csh is enabled as a viewer for documents of type application/x-csh on a UNIX web server.
  Status: ____
  Details:
    [ ] Application mapping to .com, .bat or .cmd was found.
    [ ] A mime type of application/x-csh was found.

PDI WG380 | Cat II | Check Procedures page 74
  Description: Vulnerable programs have not been removed from the web server.
  Status: ____
  Details:
    [ ] Sample code from default installation is present.
    [ ] The following vulnerable script was found: ____________.
    [ ] The script ____________ was found and its function could not be explained.

PDI WG400 | Cat II | Check Procedures page 76
  Description: The CGI script directory (or equivalent) has improper access controls.
  Status: ____
  Details:
    [ ] IUSR_computername account has full control permissions.
    [ ] The nobody or anonymous web user account has excessive permissions.
    [ ] Parent paths are enabled for .asp files.

PDI WG410 | Cat II | Check Procedures page 78
  Description: CGI scripts do not have proper access controls.
  Status: ____
  Details:
    [ ] IUSR_computername account has full control permissions.
    [ ] The nobody or anonymous web user account has excessive permissions.
    [ ] Parent paths are enabled for .asp files.

PDI WG420 | Cat II | Check Procedures page 80
  Description: CGI backup scripts are present in web server directories.
  Status: ____
  Details:
    [ ] ____________ files found.

PDI WG430 | Cat II | Check Procedures page 81
  Description: Anonymous FTP users can access CGI scripts.
  Status: ____
  Details:
    [ ] Scripts directory is accessible.
    [ ] cgi-bin directory is accessible.

PDI WG440 | Cat II | Check Procedures page 82
  Description: Axent Enterprise Security Manager or equivalent monitoring software does not include CGI (or equivalent) programs in the set of files which it checks.
  Status: ____
  Details:
    [ ] The Axent ESM is not installed.
    [ ] The Axent ESM policy template does not include the ____________ directory.
    [ ] A tool to monitor changes to scripts is not in use.

PDI WG450 | Check Procedures page 83
  Description: CGI or equivalent source scripts are pre
  Status: ____
  Details:
    [ ] .asp files found in document dir.
    [ ] .pl files found in document dir.
    [ ] .cgi files found in document dir.
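Several rows of the worksheet can be verified mechanically rather than by inspection. The script below is an added example, not part of the DISA worksheet or of any DISA tool: it checks WG110 (MaxKeepAliveRequests set to 0 in httpd.conf, RqThrottle above 3000 in magnus.conf), WG280 (access control files at 460 or tighter) and WG300 (httpd.conf, magnus.conf, obj.conf at 650 or tighter) against a constructed server root built in a temporary directory. The permission ceilings 460 and 650 and the RqThrottle limit 3000 are the worksheet's own values; the file contents, the sample modes and the reading of "650 or more restrictive" as "no permission bit set beyond 650" are assumptions made for the demonstration.

```python
"""
Added example (not part of the DISA worksheet): automates three of its
rows on a UNIX-style host.  Constructed sample files are created in a
temporary directory so the script runs offline.

  WG110 - MaxKeepAliveRequests 0 in httpd.conf (unlimited),
          RqThrottle greater than 3000 in magnus.conf
  WG280 - access control files (e.g. .htaccess) must be 460 or tighter
  WG300 - httpd.conf / magnus.conf / obj.conf must be 650 or tighter
"""
import os
import re
import stat
import tempfile

# Ceilings taken from worksheet rows WG280, WG300 and WG110.
ACCESS_CONTROL_MAX_MODE = 0o460
SERVER_CONFIG_MAX_MODE = 0o650
RQTHROTTLE_MAX = 3000


def mode_within(path, ceiling):
    """True if the file grants no permission bit beyond `ceiling`.
    This is the assumed reading of "650 or more restrictive": every bit
    set on the file must also be set in the ceiling."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & ~ceiling) == 0


def directive_value(text, name):
    """Last value of a `Name value` directive in Apache/Netscape style
    config text (case-insensitive, commented lines skipped), or None."""
    pattern = re.compile(r'^\s*' + re.escape(name) + r'\s+(\S+)', re.I | re.M)
    matches = pattern.findall(text)
    return matches[-1] if matches else None


def check_wg110(httpd_conf_text=None, magnus_conf_text=None):
    """Findings for WG110: simultaneous requests effectively unlimited."""
    findings = []
    if httpd_conf_text is not None:
        v = directive_value(httpd_conf_text, 'MaxKeepAliveRequests')
        if v == '0':
            findings.append('WG110: MaxKeepAliveRequests is 0 (unlimited) in httpd.conf')
    if magnus_conf_text is not None:
        v = directive_value(magnus_conf_text, 'RqThrottle')
        if v is not None and v.isdigit() and int(v) > RQTHROTTLE_MAX:
            findings.append(f'WG110: RqThrottle {v} exceeds {RQTHROTTLE_MAX} in magnus.conf')
    return findings


def check_permissions(paths, ceiling, pdi):
    """Findings for WG280/WG300: every existing path must be at or below `ceiling`."""
    findings = []
    for p in paths:
        if os.path.exists(p) and not mode_within(p, ceiling):
            actual = oct(stat.S_IMODE(os.stat(p).st_mode))[2:]
            findings.append(f'{pdi}: {os.path.basename(p)} has mode {actual}, '
                            f'ceiling is {oct(ceiling)[2:]}')
    return findings


def run_demo():
    """Build a constructed server root, run the three checks, return the findings."""
    root = tempfile.mkdtemp(prefix='srr-demo-')

    # Constructed httpd.conf: keep-alive requests set to unlimited (WG110),
    # and group-writable (too permissive for WG300).
    httpd_conf = os.path.join(root, 'httpd.conf')
    with open(httpd_conf, 'w') as f:
        f.write('# constructed sample\nKeepAlive On\nMaxKeepAliveRequests 0\n')
    os.chmod(httpd_conf, 0o664)

    # Constructed magnus.conf: RqThrottle within limits, mode 640 (within 650).
    magnus_conf = os.path.join(root, 'magnus.conf')
    with open(magnus_conf, 'w') as f:
        f.write('RqThrottle 512\n')
    os.chmod(magnus_conf, 0o640)

    # Constructed .htaccess: world-readable, too permissive for WG280.
    htaccess = os.path.join(root, '.htaccess')
    with open(htaccess, 'w') as f:
        f.write('AuthType Basic\n')
    os.chmod(htaccess, 0o644)

    with open(httpd_conf) as f, open(magnus_conf) as g:
        findings = check_wg110(f.read(), g.read())
    findings += check_permissions([htaccess], ACCESS_CONTROL_MAX_MODE, 'WG280')
    findings += check_permissions([httpd_conf, magnus_conf], SERVER_CONFIG_MAX_MODE, 'WG300')
    return findings


if __name__ == '__main__':
    for line in run_demo():
        print(line)
```

Run on a real host, `run_demo` would be replaced by calls to `check_wg110` and `check_permissions` on the server's actual configuration paths; the worksheet's remaining WG280/WG300 files (nsconfig, metabase.bin, syadmin.cfg, obj.conf) fit the same `check_permissions` call, and the IIS "Simultaneous Requests" condition of WG110 is a metabase setting that this UNIX-oriented script does not read.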