Web Server. Security Technical Implementation Guide. Version 6, Release 1.

摘要

Web servers provide access to data intended for a remote audience. This data may be intended for a restricted audience or it may be releasable to the general public. The web server must be capable of protecting the restricted data, as well as protecting data intended for a general audience. Immediate risks inherent to this role are external attack and accidental exposure. Although security controls such as firewalls, Intrusion Detection Systems (IDSs), and baseline integrity checking tools offer some defense against malicious activity, security for web servers is best achieved through a comprehensive defense-in-depth strategy. This strategy includes, but is not limited to, server configuration to prevent system compromise, operational procedures for posting data to avoid accidental exposure, proper placement of the server within the network infrastructure, and the allowance or denial of ports, protocols, and services used to access the web server. The purpose of this STIG is to assist Department of Defense (DoD) sites in planning web server deployment and securing already-deployed web servers in an effort to achieve the minimum requirements, standards, controls, and options for secure web server operations.