/export/home should be configured on an appropriate filesystem logical volume logical volume via fstab 10.8.10.4.2.1 (5) /var should be configured on an appropriate filesystem logical volume logical volume via fstab 10.8.10.4.2.1 (5) /opt should be configured on an appropriate filesystem logical volume logical volume via fstab 10.8.10.4.2.1 (5) The shell for the root account should be located on the appropriate filesystem filesystem via /etc/passwd 10.8.10.4.2.1 (6) Core dump size limits should be set appropriately Size (0 to disable core dumps) via /etc/security/limits via ulimit 10.8.10.4.4 (3) The read-only SNMP community string should be set appropriately. string via /etc/snmp.conf 10.8.10.5.1 (1) c) The read/write SNMP community string should be set appropriately. string via /etc/snmp.conf 10.8.10.5.1 (1) c) Password policy should ban or allow usernames or UIDs in passwords as appropriate ban/allow via /etc/security/user 10.8.10.5.1 (2) a) Password policy should ban or allow words found in a dictionary as appropriate. ban/allow via /etc/security/user 10.8.10.5.1 (2) a) Password policy should enforce the correct amount of special characters number of special characters via /etc/security/user 10.8.10.5.1 (2) a) Password policy should enforce or not enforce the requirement to have mixed case passwords as appropriate. enforce/not enforce via /etc/security/user 10.8.10.5.1 (2) a) The minimum password age should be set as appropriate number of days via /etc/security/user 10.8.10.5.1 (2) b) The minimum required password length should be set as appropriate number of characters via /etc/security/user 10.8.10.5.1 (2) c) Password history should be saved for an appropriate number of password changes number of password changes via /etc/security/user 10.8.10.5.1 (2) d) The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate number of consecutive failed login attempts via /etc/security/user 10.8.10.5.1 (2) e) Login access to accounts without passwords should be enabled or disabled as appropriate enabled/disabled via passwd via /etc/shadow 10.8.10.5.1 (2) f) New users should be required or not required to change their password on first login as appropriate required/not required via /etc/security/passwd 10.8.10.5.1 (2) g) Access to single-user mode (maintainence mode) should require the root password or not as appropriate required/not required 10.8.10.5.1 (3) The delay between failed logins should be set as appropriate number of seconds via /etc/security/user 10.8.10.5.1 (5) All files should be owned by an existing account or not as appropriate. existing account required / existing account not required via chown 10.8.10.5.2 (3) All files should be owned by an existing group or not as appropriate. existing group required / existing group not required via chgrp via chown 10.8.10.5.2 (3) The console login banner should be set appropriately. banner text or null via /etc/security/login.cfg via /etc/motd 10.8.10.5.2 (5) a) The SSH login banner should be set appropriately. banner text or null via sshd.conf 10.8.10.5.2 (5) b) The telnet login banner should be set appropriately. banner text or null 10.8.10.5.2 (5) c) The ftp login banner should be set appropriately. banner text or null 10.8.10.5.2 (5) d) The graphical login banner should be set appropriately. banner text or null 10.8.10.5.2 (5) e) Accounts other than root should be allowed to have the UID 0 or not as appropriate allowed/not allowed via passwd via /etc/passwd 10.8.10.5.2.1 (2) a) Accounts other than root and locked system accounts should be allowed to have a GID of 0 or not as appropriate allowed/not allowed via passwd via /etc/passwd 10.8.10.5.2.1 (2) b) Each account should be assigned a unique UID or not as appropriate unique/not unique via /etc/passwd 10.8.10.5.2.4 (3) The ftp account should exist or not as appropriate exist/not exist via /etc/passwd 10.8.10.5.2.4 (9) Login accounts should include an appropriate GECOS identifier or no GECOS identifier GECOS value, null via /etc/passwd 10.8.10.5.2.4.1 (1) The screen lock should activate after an appropriate period of inactivity number of minutes via Xscreensaver via dtsession 10.8.10.5.2.5 (1) File permissions should be set appropriately for all shell executables. permissions via chmod 10.8.10.5.2.6 (1) Remote (serial) consoles should be enabled or disabled as appropriate. enabled/disabled via BIOS 10.8.10.5.2.6 (3) Root logins should be restricted to the console or not as appropriate. restricted/not restricted /etc/default/login 10.8.10.5.2.6 (4) .netrc files should exist or not as appropriate for all users. exist/not exist filesystem 10.8.10.5.2.6 (6) .rhosts files should exist or not as appropriate for all users. exist/not exist filesystem 10.8.10.5.2.6 (6) .shosts files should exist or not as appropriate for all users. exist/not exist filesystem 10.8.10.5.2.6 (6) The /etc/hosts.equiv file should exist or not as appropriate. exist/not exist filesystem 10.8.10.5.2.6 (6) The use of NIS special characters (+ or -) in the first field of the /etc/passwd file should be allowed or disallowed as appropriate. allowed/not allowed Text editor 10.8.10.5.2.6 (7) The use of NIS special characters (+ or -) in the first field of the /etc/shadow file should be allowed or disallowed as appropriate. allowed/not allowed Text editor 10.8.10.5.2.6 (7) The use of NIS special characters (+ or -) in the first field of the /etc/group file should be allowed or disallowed as appropriate. allowed/not allowed Text editor 10.8.10.5.2.6 (10) The /etc/shells file should exist or not as appropriate exist/not exist Text editor 10.8.10.5.2.6 (11) Shells referenced in /etc/passwd should be included in /etc/shells or not as appropriate included/not included /etc/shells 10.8.10.5.2.6 (12) Groups referenced in /etc/passwd should be included in /etc/group or not as appropriate. included/not included /etc/group 10.8.10.5.2.6 (15) The home directory for the root account should be set appropriately. path /etc/passwd 10.8.10.5.2.6 (16) The home directory for each user account should be set appropriately. path /etc/passwd 10.8.10.5.2.6 (17) Home directories referenced in /etc/passwd should exist or not as appropriate exist/not exist filesystem 10.8.10.5.2.6 (18) All device files should be located inside an appropriate directory path filesystem 10.8.10.5.2.6 (24) The ntpd service should be enabled or disabled as appropriate. enabled/disabled via RC scripts 10.8.10.5.3 (3) The Network Time Protocol (ntp) synchronization server should be set appropriately. timeserver ntpd.conf All logon attempts should be logged or not logged as appropriate logged/not logged Audit subsystem 10.8.10.5.3 (4) All su (switch user) activity should be logged or not as appropriate logged/not logged Audit subsystem 10.8.10.5.3 (5) Filesystem logging/journaling should be performed or not as appropriate performed/not performed Audit subsystem 10.8.10.5.3 (6) Automount should be enabled or disabled as appropriate enabled/disabled 10.8.10.5.4.1 (12) Source-routed packets should be accepted or rejected as appropriate. accepted/rejected 10.8.10.5.4.1 (2) a) Response to ICMP timestamp requests should be enabled or disabled as appropriate enabled/disabled 10.8.10.5.4.1 (2) c) Response to ICMP timestamp broadcast requests should be enabled or disabled as appropriate enabled/disabled 10.8.10.5.4.1 (2) d) Response to ICMP echo (ping) requests should be enabled or disabled as appropriate enabled/disabled 10.8.10.5.4.1 (2) e) Executable stack should be enabled or disabled as appropriate enabled/disabled 10.8.10.5.4.1 (3) The default gateway should be set appropriately. IP address/disabled via /etc/default/route.conf 10.8.10.5.4.1 (4) The inetd service should be enabled or disabled as appropriate. enabled/disabled via RC scripts 10.8.10.5.4.1 (5) echo service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #1 netstat service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #2 rcp service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #3 chargen service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #4 finger service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #5 tftpd service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #6 walld service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #7 rstatd service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #8 sprayd service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #9 rusersd service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #10 rlogin service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #11 rsh service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #12 ftp service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #13 telnet service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #14 DEPRECATED. inn service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #16 uucp service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #17 rexec service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #18 inetd logging should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #19 font-service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #20 imap2 service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #21 pop3 service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #22 ident service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #23 rexd service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #24 daytime service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #26 dtspc (cde-spc) service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #27 rquotad service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #28 cmsd service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #29 tooltalk service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #30 xdmcp service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #31 discard service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #32 DEPRECATED. vino-server service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #34 The bind service should be enabled or disabled as appropriate. enabled/disabled via RC scripts 10.8.10.5.4.1.1 (2) The version string reported by the bind service should be configured appropriately. string via /etc/named.conf 10.8.10.5.4.1.1 (5) SSH Protocol v1 should be enabled or disabled as appropriate enabled/disabled /etc/ssh/ssh_config 10.8.10.5.4.1.2 (2) TCP_WRAPPERS should be enabled or disabled as appropriate enabled/disabled via inetd.conf 10.8.10.5.4.1.3 (1) SNMP version 1 should be enabled or disabled as appropriate enabled/disabled 10.8.10.5.4.1.4 (1) The nfsd service should be enabled or disabled as appropriate enabled/disabled via RC scripts 10.8.10.5.4.1.5 (1) The mountd service should be enabled or disabled as appropriate enabled/disabled via RC scripts 10.8.10.5.4.1.5 (1) The statd service should be enabled or disabled as appropriate enabled/disabled via RC scripts 10.8.10.5.4.1.5 (1) The lockd service should be enabled or disabled as appropriate enabled/disabled via RC scripts 10.8.10.5.4.1.5 (1) NFS should be configured to respond or not as appropriate to client requests that do not include a user id . respond/not respond 10.8.10.5.4.1.5 (1) a) NFS should be configured to respond or not as appropriate to client requests that do not originate from a privileged port. respond/not respond 10.8.10.5.4.1.5 (1) a) NFS server support for the AUTH_NONE authentication mechanism should be enabled or disabled as appropriate. enabled/disabled 10.8.10.5.4.1.5 (1) f) NFS server support for the AUTH_UNIX authentication mechanism should be enabled or disabled as appropriate. enabled/disabled 10.8.10.5.4.1.5 (1) f) NFS server support for the AUTH_DES authentication mechanism should be enabled or disabled as appropriate. enabled/disabled 10.8.10.5.4.1.5 (1) f) NFS server support for the AUTH_KERB authentication mechanism should be enabled or disabled as appropriate. enabled/disabled 10.8.10.5.4.1.5 (1) f) The read-only (ro) option should be enabled or disabled as appropriate for all NFS exports. enabled/disabled via /etc/exports 10.8.10.5.4.1.5 (1) g) The nosuid option should be enabled or disabled for all NFS mounts as appropriate enabled/disabled via /etc/fstab 10.8.10.5.4.1.5 (1) i) The nosgid option should be enabled or disabled for all NFS mounts as appropriate enabled/disabled via /etc/fstab 10.8.10.5.4.1.5 (1) i) Sendmail should be enabled or disabled as appropriate enabled/disabled via RC scripts 10.8.10.5.4.2.2 (1) The sendmail banner should be set appropriately. string via /etc/mail/sendmail.cf 10.8.10.5.4.2.2 (3) The decode sendmail alias should be enabled or disabled as appropriate. enabled/disabled via /etc/aliases via /usr/lib/aliases 10.8.10.5.4.2.2 (4) c) .forward files should be allowed or disallowed as appropriate for all users allow/disallow via rm 10.8.10.5.4.2.2 (4) e) Programs executed through the aliases file should be owned by an appropriate user user via chown 10.8.10.5.4.2.2 (4) f) Programs executed through the aliases file should reside a directory with an appropriate user owner user via chown 10.8.10.5.4.2.2 (4) f) Sendmail vrfy command should be allowed or not as appropriate allow/disallow via /etc/mail/sendmail.cf 10.8.10.5.4.2.2 (4) g) Sendmail expn command should be allowed or not as appropriate allow/disallow via /etc/mail/sendmail.cf 10.8.10.5.4.2.2 (4) h) Sendmail should be configured with an appropriate logging level logging level via /etc/mail/sendmail.cf 10.8.10.5.4.2.2 (4) i) The sendmail help command should be allowed or not as appropriate allow/disallow via /etc/mail/sendmail.cf 10.8.10.5.4.2.2 (4) k) NIS should be enabled or disabled as appropriate enabled/disabled via RC scripts 10.8.10.5.4.2.3 (1) NIS+ server should operate at an appropriate security level security level via NIS+ via RC scripts 10.8.10.5.4.2.3 (1) b) X-Windows should be enabled or disabled as appropriate enabled/disabled via Xwindows via /etc/inittab vi RC scripts 10.8.10.5.4.2.4 (1) Authorized X-clients should be listed or not in the X*.hosts file as appropriate listed/not listed via /etc/X*.hosts 10.8.10.5.4.2.4 (2) b) X-Windows should write .Xauthority files to users' home directories or not as appropriate write/not write via xdm via gdm via kdm 10.8.10.5.4.2.4 (2) d) X11 forwarding via SSH should be enabled or disabled as appropriate. enabled/disabled via sshd_config 10.8.10.5.4.2.4 (2) f) Samba should be enabled or disabled as appropriate enabled/disabled via smbd via RC scripts 10.8.10.5.4.2.6 (1) Samba 'hosts allow' option should be configured with an appropriate set of networks list of networks via smbd via smb.conf 10.8.10.5.4.2.6 (3) a) Samba 'security option' option should be set as appropriate via smbd via smb.conf 10.8.10.5.4.2.6 (3) b) Samba 'encrypt' passwords option should be set as appropriate yes/no via smbd via smb.conf 10.8.10.5.4.2.6 (3) c) Samba 'smb passwd file' option should be set to an appropriate password file or no password file file/nothing via smbd via smb.conf 10.8.10.5.4.2.6 (3) d) IPv6 should be enabled or disabled as appropriate enabled/disabled via SMIT 10.8.10.5.4.3 (1) The "at" utility directory permissions should be set as appropriate permissions via chmod 10.8.10-1 A.1 1) #1 at.allow file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #2 at.deny file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #2 Cron directory permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #5 Crontab directory permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #5 Cron log file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #6 cron.allow file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #7 cron.deny file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #7 Crontab file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #8 /dev/kmem file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #9 /dev/mem file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #10 /dev/null file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #11 resolv.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #13 /etc/named.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #14 File permissions should be set appropriately for all user home directories. permissions via chmod 10.8.10-1 A.1 1) #21 /etc/exports file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #23 /usr/bin/at file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #25 /usr/bin/rdist file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #26 /usr/sbin/sync file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #27 Superuser account home directories' permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #29 /etc/samba/smb.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #31 smbpassword executable permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #32 Aliases file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #34 File permissions should be set as appropriate for the log file configured to capture critical sendmail messages. permissions via chmod 10.8.10-1 A.1 1) #35 All files executed through /etc/aliases file entries should have file permissions set appropriately permissions via chmod 10.8.10-1 A.1 1) #36 /bin/csh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #37 /bin/jsh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #38 /bin/ksh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #39 The /bin/rsh file should exist or not as appropriate exist/not exist via filesystem 10.8.10-1 A.1 1) #40 /bin/sh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #41 /bin/bash file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #42 /sbin/csh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #43 /sbin/jsh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #44 /sbin/ksh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #45 The /sbin/rsh file should exist or not as appropriate exist/not exist via filesystem 10.8.10-1 A.1 1) #46 /sbin/sh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #47 /sbin/bash file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #48 /usr/bin/csh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #49 /usr/bin/jsh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #50 /usr/bin/ksh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #51 The /usr/bin/rsh file should exist or not as appropriate exist/not exist via filesystem 10.8.10-1 A.1 1) #52 /usr/bin/sh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #53 /usr/bin/bash file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #54 snmpd.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #56 /tmp file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #57 /usr/tmp file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #58 traceroute executable file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #59 .Xauthority file permissions should be set appropriately for all users. permissions via chmod 10.8.10-1 A.1 1) #60 /etc/aliases file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #61 /etc/cron.d/at.allow file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #62 /etc/cron.d/cron.allow file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #63 /etc/csh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #64 /etc/default/* file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #65 /etc/default/login file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #66 The /etc/ftpusers file should exist or not as appropriate exist/not exist via filesystem 10.8.10-1 A.1 1) #69 /etc/host.lpd file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #70 /etc/hostname* file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #71 /etc/hosts file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #72 /etc/inetd.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #73 /etc/issue file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #75 /etc/jsh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #76 /etc/ksh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #77 /etc/mail/aliases file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #78 /etc/motd file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #79 /etc/netconfig file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #80 /etc/notrouter file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #81 /etc/pam.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #82 /etc/passwd file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #83 The /etc/rsh file should exist or not as appropriate exist/not exist via filesystem 10.8.10-1 A.1 1) #84 /etc/security file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #85 /etc/services file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #86 /etc/sh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #87 /etc/shadow file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #88 /etc/syslog.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #89 DEPRECATED. /etc/fstab file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #91 DEPRECATED. /var/adm/loginlog file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #93 /var/adm/messages file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #94 /var/adm/sulog file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #95 /var/adm/utmp file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #96 /var/adm/wtmp file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #97 /var/adm/authlog file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #98 /var/adm/syslog file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #99 /var/mail file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #100 /var/tmp file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #101 /usr/lib/pt_chmod file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #103 /usr/lib/embedded_us file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #104 /usr/lib/sendmail file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #105 /usr/kerberos/bin/rsh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #107 /var/spool/mail file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #108 smbpassword file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #109 At directory should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #1 At directory should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #1 at.allow file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #2 at.allow file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #2 at.deny file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #2 at.deny file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #2 Cron directories should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #4 Cron directories should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #4 Crontab directories should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #4 Crontab directories should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #4 cron.allow file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #5 cron.allow file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #5 cron.deny should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #5 cron.deny data should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #5 crontab files should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #6 crontab files should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #6 /etc/resolv.conf file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #7 /etc/resolv.conf file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #7 /etc/named.boot file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #7 /etc/named.boot file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #7 /etc/named.conf file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #7 /etc/named.conf file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #7 Each user home directory should be owned by an appropriate user. user via chown 10.8.10-1 A.1 2) #11 Each user home directory should be owned by an appropriate group. group via chgrp via chown 10.8.10-1 A.1 2) #11 inetd.conf file should be owned by an appropriate user user via chown 10.8.10-1 A.1 2) #12 inetd.conf file should be owned by an appropriate group group via chgrp via chown 10.8.10-1 A.1 2) #12 /etc/exports should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #13 /etc/exports should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #13 Exported files and directories should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #14 Exported files and directories should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #14 /etc/services file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #16 /etc/services file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #16 /etc/notrouter file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #18 /etc/notrouter file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #18 /etc/samba/smb.conf file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #21 /etc/samba/smb.conf file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #21 smbpasswd executable should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #22 smbpasswd executable should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #22 aliases file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #24 aliases file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #24 The log file configured to capture critical sendmail messages should be owned by the appropriate user. list of users via chown 10.8.10-1 A.1 2) #25 The log file configured to capture critical sendmail messages should be owned by the appropriate group. list of groups via chgrp via chown 10.8.10-1 A.1 2) #25 Programs executed through aliases file entries should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #26 Programs executed through aliases file entries should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #26 Shell files should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #27 Shell files should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #27 snmpd.conf file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #29 snmpd.conf file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #29 /etc/syslog.conf file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #30 /etc/syslog.conf file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #30 traceroute executable should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #31 traceroute executable should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #31 /usr/lib/sendmail file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #32 /usr/lib/sendmail file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #32 /etc/passwd file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #35 /etc/passwd file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #35 /etc/shadow file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #36 /etc/shadow file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #36 smbpasswd file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #37 smbpasswd file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #37 Environmental variable PATH for superuser accounts should or should not contain world-writable files as appropriate should/should not via chmod via profile 10.8.10-1 A.2 1) #1 Environmental variable PATH for superuser accounts should not contain the current directory as the first or last entry should/should not via local init files 10.8.10-1 A.2 1) #2 The current working directory should or should not be added to the environmental variable PATH by global initialization files as appropriate should/should not via local init files 10.8.10-1 A.2 1) #3 The current working directory should or should not be added to the environmental variable PATH by local initialization files as appropriate should/should not via local init files 10.8.10-1 A.2 1) #4 DEPRECATED. The current working directory should or should not be added to the environmental variable PATH by run control scripts as appropriate should/should not 10.8.10-1 A.2 1) #7 The system umask should be set appropriately umask via global init files 10.8.10-1 A.2 1) #8 The user umask should be set appropriately umask via local init files 10.8.10-1 A.2 1) #8 The cron.allow file should be configured with the set of users permitted to use the cron facility as appropriate. list of users Text editor The cron.deny file should be configured with the set of users not permitted to use the cron facility as appropriate. list of users Text editor Cron logging should be enabled or disabled as appropriate enabled/disabled 10.8.10-1 A.3 4) The at.allow file should be configured with the set of users permitted to use the at facility as appropriate. list of users Text editor The at.deny file should be configured with the set of users not permitted to use the at facility as appropriate. list of users Text editor /etc/security/audit/config file permissions should be set appropriately permissions via chmod 10.8.10-5 E.1 1) #1 /etc/security/audit/events file permissions should be set appropriately permissions via chmod 10.8.10-5 E.1 1) #2 /etc/security/audit/objects file permissions should be set appropriately permissions via chmod 10.8.10-5 E.1 1) #3 /usr/lib/trcload file permissions should be set appropriately permissions via chmod 10.8.10-5 E.1 1) #5 /usr/lib/semutil file permissions should be set appropriately permissions via chmod 10.8.10-5 E.1 1) #6 /etc/security/audit/config file should be owned by an appropriate user list of users via chown 10.8.10-5 E.1 1) #1 /etc/security/audit/events file should be owned by an appropriate user list of users via chgrp via chown 10.8.10-5 E.1 1) #2 /etc/security/audit/objects file should be owned by an appropriate user list of users via chown 10.8.10-5 E.1 1) #3 /usr/lib/trcload file should be owned by an appropriate user list of users via chown 10.8.10-5 E.1 1) #5 /usr/lib/semutil file should be owned by an appropriate user list of users via chown 10.8.10-5 E.1 1) #6 /etc/security/audit/config file should be owned by an appropriate group list of groups via chown 10.8.10-5 E.1 1) #1 /etc/security/audit/events file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-5 E.1 1) #2 /etc/security/audit/objects file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-5 E.1 1) #3 /usr/lib/trcload file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-5 E.1 1) #5 /usr/lib/semutil file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-5 E.1 1) #6 The authentication mechanism (SYSTEM attribute) should be set appropriately for each user authentication system via /etc/security/user 10.8.10-5 E.1 2) Trusted Computing Base should be installed or not as appropriate installed/not installed via /etc/security/user 10.8.10-5 E.2 1) Auditing should be enabled or disabled as appropriate in runcontrol scripts enabled/disabled via /etc/inittab via RC scripts 10.8.10-5 E.3 1) BIN mode auditing should be enabled or disabled as appropriate enabled/disabled via /etc/security/audit/config 10.8.10-5 E.3 2) Accounts should be present or absent from the audit config file as appropriate present/absent via /etc/security/audit/config 10.8.10-5 E.3 3) System logons should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #1 System logoffs should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #2 Password changes should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #3 su usage should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #4 Creation/modification of superuser groups should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #5 Startup/shutdown of audit functions should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #9 Certificate revocation should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #10 Remote access from outside the corporate network should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #11 Use of chown command should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #13 File permissions of the rcp binary should be set correctly permissions via chmod 10.8.10-5 E.4 1) File permissions of the rlogin binary should be set correctly permissions via chmod 10.8.10-5 E.4 1) File permissions of the rlogind binary should be set correctly permissions via chmod 10.8.10-5 E.4 1) File permissions of the rsh binary should be set correctly permissions via chmod 10.8.10-5 E.4 1) File permissions of the rshd binary should be set correctly permissions via chmod 10.8.10-5 E.4 1) File permissions of the tftp binary should be set correctly permissions via chmod 10.8.10-5 E.4 1) File permissions of the tftpd binary should be set correctly permissions via chmod 10.8.10-5 E.4 1) Global initialization files should allow or deny write access to the terminal as appropriate allow/deny via global init files 10.8.10-5 E.5 1) #1 Netrc should be configured with an appropriate set of services list of services via /etc/security/sysck.cfg 10.8.10-5 E.4 1) Change of file ownership should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #13 Use of chmod command should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #13 Certificate creation should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #10 Certificate deletion should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #10 Certificate retrieval should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #10 Startup or shutdown of the audit process should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #9 Use of chgrp should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #5 Use of mkgroup should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #5 Use of rmgroup should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #5 Use of change user functions should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #4 Terminal logoffs should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #2 Exit function usage should be audited or not as appropriate audited/not audited via /etc/security/audit/config 10.8.10-5 E.3 4) #2 Hard core dump size limits should be set appropriately Size (0 to disable core dumps) via /etc/security/limits ulimit 10.8.10.4.4 (3) Remote root logins via SSH should be allowed or not as appropriate. allowed/not allowed via /etc/ssh/sshd_config 10.8.10.5.2.6 (4) Apache's configuration directory should be owned by the appropriate group. (1) group (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 Apache's configuration directory should be owned by the appropriate user. (1) user (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 Apache's demo CGI printenv.pl should be available or removed as appropriate (1) exist / not exist (1) (ServerRoot)\cgi-bin\printenv.pl (2) (ServerRoot)/cgi-bin/printenv.pl L1 18. Remove Default/Unneeded Apache Files p27 1.18 Remove Default Content p33 testcgi should be installed as appropriate. (1) exist/not exist (1) cgi-script directory L1 18. Remove Default/Unneeded Apache Files p27 1.18 Remove Default Content p33 The "FollowSymLinks" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) FollowSymLinks / -FollowSymLinks / +FollowSymLinks / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) L1 15. Directory Functionality/Features Directives p23 1.8 Directory Functionality Control with the Options Directive p16 The "IncludesNOEXEC" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) IncludesNoExec / -IncludesNoExec / +IncludesNoExec / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) L1 15. Directory Functionality/Features Directives p24 1.8 Directory Functionality Control with the Options Directive p16 The "Indexes" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) Indexes / -Indexes / +Indexes / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) L1 15. Directory Functionality/Features Directives p24 1.8 Directory Functionality Control with the Options Directive p16 The Allow Directive for the OS root should be configured appropriately (1) all | hostname/IP address/environment variable (1) Allow directive L1 13. Access Control Directives p21 1.7 Restricting Access p14-15 The Allow directive for the specified Directory directive should be configured appropriately. (1) all | hostname/IP address/environment variable (1) Allow directive L1 13. Access Control Directives p21 1.7 Restricting Access p14-15 The Apache "KeepAlive" directive should be configured appropriately. (1) On / Off (1) Apache configuration file: KeepAlive directive L1 10. Denial of Service (DoS) Protective General Directives pg 16 1.13 Denial of Service Prevention Tuning p21 The Apache "KeepAliveTimeout" directive should be configured appropriately. (1) Number value (in seconds) (1) Apache configuration file: KeepAliveTimeout directive L1 10. Denial of Service (DoS) Protective General Directives pg 16 1.13 Denial of Service Prevention Tuning p21 The Apache "LimitRequestBody" directive should be configured appropriately. (1) Number value (in bytes) (1) Apache configuration file: LimitRequestBody directive L2 7. Buffer Overflow Protections p42 1.14 Buffer Overflow Protection Tuning p23 The Apache "LimitRequestFields" directive should be configured appropriately (1) Number value (1) Apache configuration file: LimitRequestFields directive L2 7. Buffer Overflow Protections p42 1.14 Buffer Overflow Protection Tuning p24 The Apache "LimitRequestFieldSizeBody" directive should be configured appropriately. (1) Number value (in bytes) (1) Apache configuration file: LimitRequestFieldSizeBody directive L2 7. Buffer Overflow Protections p42 1.14 Buffer Overflow Protection Tuning p24 The Apache "LimitRequestline" directive should be configured appropriatley. (1) Number value (in bytes) (1) Apache configuration file: LimitRequestLine directive L2 7. Buffer Overflow Protections p42 1.14 Buffer Overflow Protection Tuning p24 The Apache "LogLevel" directive should be configured appropriately. (1) debug / info / notice / warn / error / crit / alert / emerg (1) Apache configuration file: LogLevel directive L1 17. Logging General Directives p26 1.17 Logging p31 The Apache "MaxClients" directive should be configured appropriately. (1) Number value (1) Apache configuration file: MaxClients directive L1 10. Denial of Service (DoS) Protective General Directives pg 16 1.13 Denial of Service Prevention Tuning p22 The Apache "ServerTokens" directive should be configured appropriately. (1) Prod[uctOnly] / Major / Minor / Min[imal] / OS / Full (1) Apache configuration file: ServerTokens directive L1 11. Web Server Software Obfuscation General Directives p17 1.16 Software Information Leakage Protection p29 The Apache "Timeout" directive should be configured appropriately. (1) Number value (in seconds) (1) Apache configuration file: Timeout directive L1 10. Denial of Service (DoS) Protective General Directives pg 16 1.13 Denial of Service Prevention Tuning p21 The Apache access log file data should be configured to contain the appropriate data elements. (1) LogFormat Format String (1) Apache configuration file: LogFormat directive L1 17. Logging General Directives p26 1.17 Logging p30 The Apache AllowOverride Directive should be configured appropriately for operating system root directories. (1) AuthConfig / FileInfo / Indexes / Limit / Options / All / None (1) Apache configuration file: AllowOverride directive L1 15. Directory Functionality/Features Directives p24 1.8 Directory Functionality Control with the Options Directive p17 The Apache AllowOverride directive should be configured appropriately for web site root directories. (1) AuthConfig / FileInfo / Indexes / Limit / Options / All / None (1) Apache configuration file: AllowOverride directive L1 15. Directory Functionality/Features Directives p24 1.8 Directory Functionality Control with the Options Directive p17 The Apache ErrorDocument directive should be set correctly for HTTP 400 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 400' directive L1 11. Web Server Software Obfuscation General Directives p17 2.7 Additional Software Information Leakage Protection p50 The Apache Group directive should be set correctly. (1) group name (1) Apache configuration file: Group directive L1 8. User Oriented General Directives p14 1.6 Creating the Apache User and Group Accounts p14 The Apache runtime rewriting engine should be enabled or disabled as appropriate. (1) off/on (1) Apache configuration file: RewriteEngine directive L1 21. Deny HTTP TRACE Requests with Mod_Rewrite p33 1.11 Restrict HTTP Protocol Version p19 The Apache ServerSignature directive should be set appropriately. (1) On/Off/EMail (1) Apache configuration file: ServerSignature directive L1 11. Web Server Software Obfuscation General Directives p17 1.16 Software Information Leakage Protection p29 The Apache system logging should be configured appropriately. (1) File path | pipe (2) LogFormat | nickname (1) Apache configuration file: CustomLog directive L1 17. Logging General Directives p26 1.17 Logging p31 The Apache user account should be allowed root privileges as appropriate. (1) allowed/not allowed (1) via /etc/passwd L1 4. Create the Apache Web User Account p11 1.6 Creating the Apache User and Group Accounts p14 The Apache User directive should be set correctly. (1) user name (1) Apache configuration file: User directive L1 8. User Oriented General Directives p13 1.6 Creating the Apache User and Group Accounts p14 The ApacheErrorDocument directive should be set correctly for HTTP 401 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 401' directive L1 11. Web Server Software Obfuscation General Directives p17 2.7 Additional Software Information Leakage Protection p50 The ApacheErrorDocument directive should be set correctly for HTTP 403 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 403' directive L1 11. Web Server Software Obfuscation General Directives p17 2.7 Additional Software Information Leakage Protection p50 The ApacheErrorDocument directive should be set correctly for HTTP 404 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 404' directive L1 11. Web Server Software Obfuscation General Directives p17 2.7 Additional Software Information Leakage Protection p50 The ApacheErrorDocument directive should be set correctly for HTTP 405 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 405' directive L1 11. Web Server Software Obfuscation General Directives p17 2.7 Additional Software Information Leakage Protection p50 The ApacheErrorDocument directive should be set correctly for HTTP 500 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 500' directive L1 11. Web Server Software Obfuscation General Directives p17 2.7 Additional Software Information Leakage Protection p50 The Deny Directive for the OS root should be configured appropriately (1) all | hostname/IP address/environment variable (1) Deny directive L1 13. Access Control Directives p21 1.7 Restricting Access p14-15 The Deny directive for the specified Directory directive should be configured appropriately. (1) all | hostname/IP address/environment variable (1) Deny directive L1 13. Access Control Directives p21 1.7 Restricting Access p14-15 The group membership of any Apache files in /var/log/httpd/ should be set correctly. (1) group (1) via chgrp L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The group membership of the Apache /etc/httpd/conf.d file should be set correctly. (1) group (1) via chgrp L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The group membership of the Apache /etc/httpd/conf/passwd file should be set correctly. (1) group (1) via chgrp L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The group membership of the Apache /usr/sbin/apachectl file should be set correctly. (1) group (1) via chgrp L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The group membership of the Apache /usr/sbin/httpd file should be set correctly. (1) group (1) via chgrp L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The group membership of the Apache /var/www/html file should be set correctly. (1) group (1) via chgrp L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The group membership of the Apache user account should be set correctly. (1) group (1) via /etc/group L1 4. Create the Apache Web User Account p11 1.6 Creating the Apache User and Group Accounts p14 The ownership of log files in Apache /var/log/httpd/ should be set correctly. (1) owner (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The ownership of the Apache /etc/httpd/conf.d file should be set correctly. (1) owner (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The ownership of the Apache /etc/httpd/conf/passwd file should be set correctly. (1) owner (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The ownership of the Apache /usr/sbin/apachectl file should be set correctly. (1) owner (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The ownership of the Apache /usr/sbin/httpd file should be set correctly. (1) owner (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The ownership of the Apache /var/www/html file should be set correctly. (1) owner (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The path for Apache sites error log files should be configured appropriately. (1) File path (1) Apache configuration file: ErrorLog directive L2 4. ErrorLog - Syslog p70-71 2.5 Syslog Logging p44-45 The permissions for the Apache /etc/httpd/conf.d file should be set correctly. (1) permissions (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The permissions for the Apache /etc/httpd/conf/passwd file should be set correctly. (1) permissions (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The permissions for the Apache /usr/sbin/apachectl file should be set correctly. (1) permissions (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The permissions for the Apache /usr/sbin/httpd file should be set correctly. (1) permissions (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The permissions for the Apache/var/www/html file should be set correctly. (1) permissions (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The permissions of any Apache files in /var/log/httpd/ should be set correctly. (1) permissions (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The Unix permissions of Apache's configuration directory should be configred appropriately (1) permissions (1) via chmod L1 19. Updating Ownership and Permissions for Enhanced Security p27 1.19 Updating Ownership and Permissions p34 The"Includes" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) Includes / -Includes / +Includes / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) L1 15. Directory Functionality/Features Directives p24 1.8 Directory Functionality Control with the Options Directive p16 The"MultiViews" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) MultiViews / -MultiViews / +MultiViews / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) L1 15. Directory Functionality/Features Directives p24-25 1.8 Directory Functionality Control with the Options Directive p17 The Order directive for the OS root should be configured appropriately. (1) Allow,Deny / Deny,Allow / Mutual-failure (1) Order directive L1 13. Access Control Directives p21 Permitted HTTP request methods should be configured appropriately. (1) methods (2) access control directives (1) Apache configuration file: LimitExecpt directive L1 16. Limiting HTTP Request Methods p25 Access to Apache's httpd.conf file should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by (ServerRoot)\conf\httpd.conf's DACL L1 19. Updating Ownership and Permissions for Enhanced Security p27 The Windows permissions for all files specified by CustomLog directives should be configured appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL L1 19. Updating Ownership and Permissions for Enhanced Security p27 The Windows permissions for all files specified by ErrorLog directives should be configured appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL L1 19. Updating Ownership and Permissions for Enhanced Security p27 The location of the Apache htpasswd file should be set correctly. (1) directory path (1) Directory of htpasswd file L1 14. Authentication Mechanisms p22 The Apache Server Administrator email address should be set correctly. (1) email address (1) 'ServerAdmin' line in Apache configuration file L1 8. User Oriented General Directives p14 The Apache user account should be locked or unlocked as appropriate. (1) locked/unlocked (1) via /etc/passwd L1 5. Lock Down the Apache Web User Account p11 File permissions for httpd.conf should be set correctly. (1) permissions (1) via chmod 1.19 Updating Ownership and Permissions p34 The httpd.conf file should be owned by the appropriate user. (1) user (1) via chown 1.19 Updating Ownership and Permissions p34 The httpd.conf file should be owned by the appropriate group. (1) group (1) via chown 1.19 Updating Ownership and Permissions p34 The Unix permissions of Apache's htpasswd file should be configured appropriately. (1) permissions (1) via chmod 1.19 Updating Ownership and Permissions p34 The htpasswd should be owned by the appropriate user. (1) user (1) via chown 1.19 Updating Ownership and Permissions p34 The htpasswd file should be owned by the appropriate group. (1) group (1) via chown 1.19 Updating Ownership and Permissions p34 The Apache "StartServers" directive should be configured appropriately. (1) Number value (1) Apache configuration file: StartServers directive 1.13 Denial of Service Prevention Tuning p22 The Apache "MinSpareServers" directive should be configured appropriately. (1) Number value (1) Apache configuration file: MinSpareServers directive 1.13 Denial of Service Prevention Tuning p22 The Apache "MaxSpareServers" directive should be configured appropriately. (1) Number value (1) Apache configuration file: MaxSpareServers directive 1.13 Denial of Service Prevention Tuning p22 The "ExecCGI" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) ExecCGI / -ExecCGI/ +ExecCGI / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) 1.8 Directory Functionality Control with the Options Directive p16 The Order directive for all DocumentRoot directives should be configured appropriately. (1) Allow,Deny / Deny,Allow / Mutual-failure (1) Apache configuration file: Order directive (in DocumentRoot Directory directive) 1.7 Restricting Access p15 The Order directive for the specified Directory directive should be configured appropriately. (1) Allow,Deny / Deny,Allow / Mutual-failure (1) TARGET: Directory directive (2) Apache configuration file: Order directive 1.7 Restricting Access p15 The Apache Action directive shoud be configured appropriately. (1) action-type (2) cgi-script (1) Apache configuration file: Action directive Rule Title: MIME types for csh or sh shell programs must be disabled. STIG ID: WG370 A22 Rule ID: SV-36309r1_rule Vuln ID: V-2225 Severity: CAT II Class: Unclass The Apache AddHandler directive should be configured appropriately. (1) handler-name (2) extension (1) Apache configuration file: AddHandler directive Rule Title: MIME types for csh or sh shell programs must be disabled. STIG ID: WG370 A22 Rule ID: SV-36309r1_rule Vuln ID: V-2225 Severity: CAT II Class: Unclass Anonymous sharing of Apache's web content directories with nfs should be configured appropriately. (1) Set of shares (1) via /etc/exports Rule Title: Web content directories must not be anonymously shared. STIG ID: WG210 A22 Rule ID: SV-33022r1_rule Vuln ID: V-2226 Severity: CAT II Class: Unclass Anonymous sharing of Apache's web content directories with smb should be configured appropriately. (1) Set of shares (1) via /etc/samba/smb.conf Rule Title: Web content directories must not be anonymously shared. STIG ID: WG210 A22 Rule ID: SV-33022r1_rule Vuln ID: V-2226 Severity: CAT II Class: Unclass The Apache AllowOverride directive should be configured appropriately for web site root directories. (1) AuthConfig / FileInfo / Indexes / Limit / Options / All / None (1) Apache configuration file: AllowOverride directive L1 15. Directory Functionality/Features Directives p24 Rule Title: All interactive programs must be placed in a designated directory with appropriate permissions. STIG ID: WG400 A22 Rule ID: SV-6928r4_rule Vuln ID: V-2228 Severity: CAT II Class: Unclass Rule Title: All interactive programs must be placed in a designated directory with appropriate permissions. STIG ID: WG400 W22 Rule ID: SV-36644r1_rule Vuln ID: V-2228 Severity: CAT II Class: Unclass The Apachce "MaxKeepAliveRequests" directive should be configured appropriately. (1) Number value (1) Apache configuration file: MaxKeepAliveRequests directive Rule Title: The number of allowed simultaneous requests must be set. STIG ID: WG110 A22 Rule ID: SV-33018r1_rule Vuln ID: V-2240 Severity: CAT II Class: Unclass Rule Title: The number of allowed simultaneous requests must be set. STIG ID: WG110 W22 Rule ID: SV-33105r1_rule Vuln ID: V-2240 Severity: CAT II Class: Unclass All readable Apache web document directories should have their default webpage configured appropriately. (1) exist / not exist (1) Directories (from Apache configuration file: DocumentRoot directive) Rule Title: Each readable web document directory must contain either a default, home, index, or equivalent file. STIG ID: WG170 A22 Rule ID: SV-33020r1_rule Vuln ID: V-2245 Severity: CAT III Class: Unclass Rule Title: Each readable web document directory must contain either a default, home, index, or equivalent file. STIG ID: WG170 W22 Rule ID: SV-33107r1_rule Vuln ID: V-2245 Severity: CAT III Class: Unclass File permissions for httpd.conf should be set correctly. (1) permissions (1) via chmod Rule Title: Web administration tools must be restricted to the web manager and the web manager’s designees. STIG ID: WG220 A22 Rule ID: SV-32948r1_rule Vuln ID: V-2248 Severity: CAT II Class: Unclass The httpd.conf file should be owned by the appropriate user. (1) user (1) via chown Rule Title: Web administration tools must be restricted to the web manager and the web manager’s designees. STIG ID: WG220 A22 Rule ID: SV-32948r1_rule Vuln ID: V-2248 Severity: CAT II Class: Unclass The httpd.conf file should be owned by the appropriate group. (1) group (1) via chown Rule Title: Web administration tools must be restricted to the web manager and the web manager’s designees. STIG ID: WG220 A22 Rule ID: SV-32948r1_rule Vuln ID: V-2248 Severity: CAT II Class: Unclass Apache's log_config_module should be enabled or disabled as appropriate. (1) log_config_module (1) Apache configuration file: LoadModule directive Rule Title: Logs of web server access and errors must be established and maintained. STIG ID: WG240 A22 Rule ID: SV-33025r1_rule Vuln ID: V-2250 Severity: CAT II Class: Unclass Rule Title: Logs of web server access and errors must be established and maintained. STIG ID: WG240 W20 Rule ID: SV-36668r1_rule Vuln ID: V-2250 Severity: CAT II Class: Unclass The file permissions for all files specified by CustomLog directives should be configured appropriately (1) permissions (1) via chmod Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 A22 Rule ID: SV-33033r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass All files specified by CustomLog directives should be owned by the appropriate user (1) user (1) via chown Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 A22 Rule ID: SV-33033r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass All files specified by CustomLog directives should be owned by the appropriate group (1) group (1) via chown Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 A22 Rule ID: SV-33033r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass The Unix permissions for all files specified by ErrorLog directives should be configured appropriately (1) permissions (1) via chmod Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 A22 Rule ID: SV-33033r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass All files specified by ErrorLog directives should be owned by the appropriate user (1) user (1) via chown Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 A22 Rule ID: SV-33033r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass All files specified by ErrorLog directives should be owned by the appropriate group (1) group (1) via chown Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 A22 Rule ID: SV-33033r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass The Unix permissions of Apache's htpasswd file should be configured appropriately. (1) permissions (1) via chmod Rule Title: The web server’s htpasswd files (if present) must reflect proper ownership and permissions. STIG ID: WG270 A22 Rule ID: SV-36478r1_rule Vuln ID: V-2255 Severity: CAT II Class: Unclass The htpasswd should be owned by the appropriate user. (1) user (1) via chown Rule Title: The web server’s htpasswd files (if present) must reflect proper ownership and permissions. STIG ID: WG270 A22 Rule ID: SV-36478r1_rule Vuln ID: V-2255 Severity: CAT II Class: Unclass The htpasswd file should be owned by the appropriate group. (1) group (1) via chown Rule Title: The web server’s htpasswd files (if present) must reflect proper ownership and permissions. STIG ID: WG270 A22 Rule ID: SV-36478r1_rule Vuln ID: V-2255 Severity: CAT II Class: Unclass The Unix permissions for all directories specified by ScriptAlias directives should be configured appropriately. (1) permissions (1) via chmod Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by ScriptAlias directives should be owned by the appropriate user. (1) user (1) via chown Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by ScriptAlias directives should be owned by the appropriate group. (1) group (1) via chown Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Unix permissions for all directories specified by ScriptAliasMatch directives should be configured appropriately. (1) permissions (1) via chmod Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by ScriptAliasMatch directives should be owned by the appropriate user. (1) user (1) via chown Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by ScriptAliasMatch directives should be owned by the appropriate group. (1) group (1) via chown Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Unix permissions for all directories specified by DocumentRoot directives should be configured appropriately. (1) permissions (1) via chmod Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by DocumentRoot directives should be owned by the appropriate user. (1) user (1) via chown Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by DocumentRoot directives should be owned by the appropriate group. (1) group (1) via chown Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Unix permissions for all directories specified by Alias directives should be configured appropriately. (1) permissions (1) via chmod Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by Alias directives should be owned by the appropriate user. (1) user (1) via chown Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by Alias directives should be owned by the appropriate group. (1) group (1) via chown Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Unix permissions for all directories specified by ServerRoot directives should be configred appropriately (1) permissions (1) via chmod Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass All directories specified by ServerRoot directives should be owned by the appropriate user. (1) user (1) via chown Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass All directories specified by ServerRoot directives should be owned by the appropriate group. (1) group (1) via chown Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Unix permissions of Apache's configuration directory should be configred appropriately (1) permissions (1) via chmod L1 19. Updating Ownership and Permissions for Enhanced Security p27 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's configuration directory should be owned by the appropriate user. (1) user (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's configuration directory should be owned by the appropriate group. (1) group (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Unix permissions of Apache's /bin directory should be configred appropriately (1) permissions (1) via chmod Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /bin directory should be owned by the appropriate user. (1) user (1) via chown Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /bin directory should be owned by the appropriate group. (1) group (1) via chown Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Unix permissions of Apache's /logs directory should be configred appropriately (1) permissions (1) via chmod Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /logs directory should be owned by the appropriate user. (1) user (1) via chown Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /logs directory should be owned by the appropriate group. (1) group (1) via chown Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Unix permissions of Apache's /htdocs directory should be configred appropriately (1) permissions (1) via chmod Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /htdocs directory should be owned by the appropriate user. (1) user (1) via chown Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /htdocs directory should be owned by the appropriate group. (1) group (1) via chown Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Unix permissions of Apache's /cgi-bin directory should be configred appropriately (1) permissions (1) via chmod Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /cgi-bin directory should be owned by the appropriate user. (1) user (1) via chown Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /cgi-bin directory should be owned by the appropriate group. (1) group (1) via chown Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Apache site's robots.txt should be configured to disallow paths and files as appropriate. (1) User-Agent (2) Disallowed path(s)|file(s) (1) robots.txt Rule Title: A private web server must not respond to requests from public search engines. STIG ID: WG310 A22 Rule ID: SV-33028r1_rule Vuln ID: V-2260 Severity: CAT II Class: Unclass Rule Title: A private web server must not respond to requests from public search engines. STIG ID: WG310 W22 Rule ID: SV-28798r2_rule Vuln ID: V-2260 Severity: CAT II Class: Unclass Apache's ssl_module should be enabled or disabled as appropriate. (1) ssl_module (1) Apache configuration file: LoadModule directive Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 A22 Rule ID: SV-33029r1_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 W20 Rule ID: SV-36740r1_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass The Apache SSLProtocol directive should be configured appropriately. (1) SSLv2 / SSLv3 / TLSv1 / All (1) Apache configuration file: SSLProtocol directive Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 A22 Rule ID: SV-33029r1_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 W20 Rule ID: SV-36740r1_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass The Apache SSLEngine directive should be configured appropriately. (1) On / Off (1) Apache configuration file: SSLEngine directive Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 A22 Rule ID: SV-33029r1_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 W20 Rule ID: SV-36740r1_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass The Apache "ServerTokens" directive should be configured appropriately. (1) Prod[uctOnly] / Major / Minor / Min[imal] / OS / Full (1) Apache configuration file: ServerTokens directive L1 11. Web Server Software Obfuscation General Directives p17 Rule Title: Web server and/or operating system information must be protected. STIG ID: WG520 A22 Rule ID: SV-36672r1_rule Vuln ID: V-6724 Severity: CAT III Class: Unclass Rule Title: Web server and/or operating system information must be protected. STIG ID: WG520 W22 Rule ID: SV-33098r1_rule Vuln ID: V-6724 Severity: CAT III Class: Unclass All Apache's online manual should be available or removed as appropriate. (1) exist / not exist (1) manual in the Server Root directory Rule Title: All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. STIG ID: WG385 A22 Rule ID: SV-32933r1_rule Vuln ID: V-13621 Severity: CAT I Class: Unclass Rule Title: All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. STIG ID: WG385 W22 Rule ID: SV-33087r1_rule Vuln ID: V-13621 Severity: CAT I Class: Unclass Apache's demo CGI printenv.pl should be available or removed as appropriate (1) exist / not exist (1) (ServerRoot)\cgi-bin\printenv.pl (2) (ServerRoot)/cgi-bin/printenv.pl L1 18. Remove Default/Unneeded Apache Files p27 Rule Title: All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. STIG ID: WG385 A22 Rule ID: SV-32933r1_rule Vuln ID: V-13621 Severity: CAT I Class: Unclass Rule Title: All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. STIG ID: WG385 W22 Rule ID: SV-33087r1_rule Vuln ID: V-13621 Severity: CAT I Class: Unclass The Apache access log file data should be configured to contain the appropriate data elements. (1) LogFormat Format String (1) Apache configuration file: LogFormat directive L1 17. Logging General Directives p26 Rule Title: Log file data must contain required data elements. STIG ID: WG242 A22 Rule ID: SV-36642r1_rule Vuln ID: V-13688 Severity: CAT II Class: Unclass Rule Title: Log file data must contain required data elements. STIG ID: WG242 W22 Rule ID: SV-28654r2_rule Vuln ID: V-13688 Severity: CAT II Class: Unclass The Apache "Timeout" directive should be configured appropriately. (1) Number value (in seconds) (1) Apache configuration file: Timeout directive L1 10. Denial of Service (DoS) Protective General Directives pg 16 Rule Title: The Timeout directive must be properly set. STIG ID: WA000-WWA020 A22 Rule ID: SV-32977r1_rule Vuln ID: V-13724 Severity: CAT II Class: Unclass Rule Title: The Timeout directive must be properly set. STIG ID: WA000-WWA020 W22 Rule ID: SV-32980r1_rule Vuln ID: V-13724 Severity: CAT II Class: Unclass The Apache "KeepAlive" directive should be configured appropriately. (1) On / Off (1) Apache configuration file: KeepAlive directive L1 10. Denial of Service (DoS) Protective General Directives pg 16 Rule Title: The KeepAlive directive must be enabled. STIG ID: WA000-WWA022 A22 Rule ID: SV-32844r1_rule Vuln ID: V-13725 Severity: CAT II Class: Unclass Rule Title: The KeepAlive directive must be enabled. STIG ID: WA000-WWA022 W22 Rule ID: SV-32987r1_rule Vuln ID: V-13725 Severity: CAT II Class: Unclass The Apache "KeepAliveTimeout" directive should be configured appropriately. (1) Number value (in seconds) (1) Apache configuration file: KeepAliveTimeout directive L1 10. Denial of Service (DoS) Protective General Directives pg 16 Rule Title: The KeepAliveTimeout directive must be defined. STIG ID: WA000-WWA024 A22 Rule ID: SV-32877r1_rule Vuln ID: V-13726 Severity: CAT II Class: Unclass Rule Title: The KeepAliveTimeout directive must be defined. STIG ID: WA000-WWA024 W22 Rule ID: SV-32880r1_rule Vuln ID: V-13726 Severity: CAT II Class: Unclass The Apache "StartServers" directive should be configured appropriately. (1) Number value (1) Apache configuration file: StartServers directive Rule Title: The httpd.conf StartServers directive must be set properly. STIG ID: WA000-WWA026 A22 Rule ID: SV-36645r1_rule Vuln ID: V-13727 Severity: CAT II Class: Unclass The Apache "MinSpareServers" directive should be configured appropriately. (1) Number value (1) Apache configuration file: MinSpareServers directive Rule Title: The httpd.conf MinSpareServers directive must be set properly. STIG ID: WA000-WWA028 A22 Rule ID: SV-36646r1_rule Vuln ID: V-13728 Severity: CAT II Class: Unclass The Apache "MaxSpareServers" directive should be configured appropriately. (1) Number value (1) Apache configuration file: MaxSpareServers directive Rule Title: The httpd.conf MaxSpareServers directive must be set properly. STIG ID: WA000-WWA030 A22 Rule ID: SV-36648r1_rule Vuln ID: V-13729 Severity: CAT III Class: Unclass The Apache "MaxClients" directive should be configured appropriately. (1) Number value (1) Apache configuration file: MaxClients directive L1 10. Denial of Service (DoS) Protective General Directives pg 16 Rule Title: The httpd.conf MaxClients directive must be set properly. STIG ID: WA000-WWA032 A22 Rule ID: SV-36649r1_rule Vuln ID: V-13730 Severity: CAT II Class: Unclass The Apache "FollowSymLinks" setting for all "Options" directives should be configured appropriately. (1) FollowSymLinks / -FollowSymLinks / +FollowSymLinks / None (1) Apache configuration file: Options directive Rule Title: The FollowSymLinks setting must be disabled. STIG ID: WA000-WWA052 A22 Rule ID: SV-40129r1_rule Vuln ID: V-13732 Severity: CAT II Class: Unclass The Apache "Includes" setting for all "Options" directives should be configured appropriately. (1) Includes / -Includes / +Includes / None (1) Apache configuration file: Options directive Rule Title: Server side includes (SSIs) must run with execution capability disabled. STIG ID: WA000-WWA054 A22 Rule ID: SV-32753r1_rule Vuln ID: V-13733 Severity: CAT I Class: Unclass The Apache "IncludesNoExec" setting for all "Options" directives should be configured appropriately. (1) IncludesNoExec / -IncludesNoExec / +IncludesNoExec / None (1) Apache configuration file: Options directive Rule Title: Server side includes (SSIs) must run with execution capability disabled. STIG ID: WA000-WWA054 A22 Rule ID: SV-32753r1_rule Vuln ID: V-13733 Severity: CAT I Class: Unclass The Apache "MultiViews" setting for all "Options" directives should be configured appropriately. (1) MultiViews / -MultiViews / +MultiViews / None (1) Apache configuration file: Options directive Rule Title: The MultiViews directive must be disabled. STIG ID: WA000-WWA056 A22 Rule ID: SV-32754r1_rule Vuln ID: V-13734 Severity: CAT II Class: Unclass The Apache "Indexes" setting for all "Options" directives should be configured appropriately. (1) Indexes / -Indexes / +Indexes / None (1) Apache configuration file: Options directive Rule Title: Directory indexing must be disabled on directories not containing index files. STIG ID: WA000-WWA058 A22 Rule ID: SV-32755r1_rule Vuln ID: V-13735 Severity: CAT II Class: Unclass The Apache "LimitRequestBody" directive should be configured appropriately. (1) Number value (in bytes) (1) Apache configuration file: LimitRequestBody directive L2 7. Buffer Overflow Protections p42 Rule Title: The HTTP request message body size must be limited. STIG ID: WA000-WWA060 A22 Rule ID: SV-32756r1_rule Vuln ID: V-13736 Severity: CAT II Class: Unclass+G66 Rule Title: The HTTP request message body size must be limited. STIG ID: WA000-WWA060 W22 Rule ID: SV-33008r1_rule Vuln ID: V-13736 Severity: CAT II Class: Unclass The Apache "LimitRequestFields" directive should be configured appropriately (1) Number value (1) Apache configuration file: LimitRequestFields directive L2 7. Buffer Overflow Protections p42 Rule Title: The HTTP request header fields must be limited. STIG ID: WA000-WWA062 A22 Rule ID: SV-32757r1_rule Vuln ID: V-13737 Severity: CAT II Class: Unclass Rule Title: The HTTP request header fields must be limited. STIG ID: WA000-WWA062 W22 Rule ID: SV-33009r1_rule Vuln ID: V-13737 Severity: CAT II Class: Unclass The Apache "LimitRequestFieldSizeBody" directive should be configured appropriately. (1) Number value (in bytes) (1) Apache configuration file: LimitRequestFieldSizeBody directive L2 7. Buffer Overflow Protections p42 Rule Title: The HTTP request header field size must be limited. STIG ID: WA000-WWA064 A22 Rule ID: SV-32766r1_rule Vuln ID: V-13738 Severity: CAT II Class: Unclass Rule Title: The HTTP request header field size must be limited. STIG ID: WA000-WWA064 W22 Rule ID: SV-33010r1_rule Vuln ID: V-13738 Severity: CAT II Class: Unclass The Apache "LimitRequestline" directive should be configured appropriatley. (1) Number value (in bytes) (1) Apache configuration file: LimitRequestLine directive L2 7. Buffer Overflow Protections p42 Rule Title: The HTTP request line must be limited. STIG ID: WA000-WWA066 A22 Rule ID: SV-32768r1_rule Vuln ID: V-13739 Severity: CAT II Class: Unclass Rule Title: The HTTP request line must be limited. STIG ID: WA000-WWA066 W22 Rule ID: SV-33011r1_rule Vuln ID: V-13739 Severity: CAT II Class: Unclass The path for Apache sites error log files should be configured appropriately. (1) File path (1) Apache configuration file: ErrorLog directive L2 4. ErrorLog - Syslog p70-71 Rule Title: Error logging must be enabled. STIG ID: WA00605 A22 Rule ID: SV-33192r1_rule Vuln ID: V-26279 Severity: CAT II Class: Unclass Rule Title: Error logging must be enabled. STIG ID: WA00605 W22 Rule ID: SV-33147r1_rule Vuln ID: V-26279 Severity: CAT II Class: Unclass The Apache system logging should be configured appropriately. (1) File path | pipe (2) LogFormat | nickname (1) Apache configuration file: CustomLog directive L1 17. Logging General Directives p26 Rule Title: System logging must be enabled. STIG ID: WA00615 A22 Rule ID: SV-33206r1_rule Vuln ID: V-26281 Severity: CAT II Class: Unclass Rule Title: System logging must be enabled. STIG ID: WA00615 W22 Rule ID: SV-33151r1_rule Vuln ID: V-26281 Severity: CAT II Class: Unclass The Apache "LogLevel" directive should be configured appropriately. (1) debug / info / notice / warn / error / crit / alert / emerg (1) Apache configuration file: LogLevel directive L1 17. Logging General Directives p26 Rule Title: The LogLevel directive must be enabled. STIG ID: WA00620 A22 Rule ID: SV-33207r1_rule Vuln ID: V-26282 Severity: CAT II Class: Unclass Rule Title: The LogLevel directive must be enabled. STIG ID: WA00620 W22 Rule ID: SV-33153r1_rule Vuln ID: V-26282 Severity: CAT II Class: Unclass Web Distributed Authoring and Versioning (WebDav) dav_module should be enabled or disabled as appropriate. (1) dav_module (1) Apache configuration file: LoadModule directive Rule Title: Web Distributed Authoring and Versioning (WebDAV) must be disabled. STIG ID: WA00505 A22 Rule ID: SV-33216r1_rule Vuln ID: V-26287 Severity: CAT II Class: Unclass Rule Title: Web Distributed Authoring and Versioning (WebDAV) must be disabled. STIG ID: WA00505 W20 Rule ID: SV-36611r1_rule Vuln ID: V-26287 Severity: CAT II Class: Unclass Web Distributed Authoring and Versioning (WebDav) dav_fs_module should be enabled or disabled as appropriate. (1) dav_fs_module (1) Apache configuration file: LoadModule directive Rule Title: Web Distributed Authoring and Versioning (WebDAV) must be disabled. STIG ID: WA00505 A22 Rule ID: SV-33216r1_rule Vuln ID: V-26287 Severity: CAT II Class: Unclass Rule Title: Web Distributed Authoring and Versioning (WebDAV) must be disabled. STIG ID: WA00505 W20 Rule ID: SV-36611r1_rule Vuln ID: V-26287 Severity: CAT II Class: Unclass Apache's info_module should be enabled or disabled as appropriate. (1) info_module (1) Apache configuration file: LoadModule directive Rule Title: Web server status module will be disabled. STIG ID: WA00510 A22 Rule ID: SV-33218r1_rule Vuln ID: V-26294 Severity: CAT II Class: Unclass Rule Title: Web server status module will be disabled. STIG ID: WA00510 W20 Rule ID: SV-36612r1_rule Vuln ID: V-26294 Severity: CAT II Class: Unclass Apache's status_module should be enabled or disabled as appropriate. (1) status_module (1) Apache configuration file: LoadModule directive Rule Title: Web server status module will be disabled. STIG ID: WA00510 A22 Rule ID: SV-33218r1_rule Vuln ID: V-26294 Severity: CAT II Class: Unclass Rule Title: Web server status module will be disabled. STIG ID: WA00510 W20 Rule ID: SV-36612r1_rule Vuln ID: V-26294 Severity: CAT II Class: Unclass Apache's proxy_module should be enabled or disabled as appropriate. (1) proxy_module (1) Apache configuration file: LoadModule directive Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 A22 Rule ID: SV-33220r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 W20 Rule ID: SV-36613r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Apache's proxy_ftp_module should be enabled or disabled as appropriate. (1) proxy_ftp_module (1) Apache configuration file: LoadModule directive Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 A22 Rule ID: SV-33220r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 W20 Rule ID: SV-36613r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Apache's proxy_http_module should be enabled or disabled as appropriate. (1) proxy_http_module (1) Apache configuration file: LoadModule directive Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 A22 Rule ID: SV-33220r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 W20 Rule ID: SV-36613r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Apache's proxy_connect_module should be enabled or disabled as appropriate. (1) proxy_connect_module (1) Apache configuration file: LoadModule directive Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 A22 Rule ID: SV-33220r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 W20 Rule ID: SV-36613r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass User-specific directories should be enabled or disabled as appropriate. (1) userdir_module (1) Apache configuration file: LoadModule directive Rule Title: User specific directories must not be globally enabled. STIG ID: WA00525 A22 Rule ID: SV-33221r1_rule Vuln ID: V-26302 Severity: CAT II Class: Unclass Rule Title: User specific directories must not be globally enabled. STIG ID: WA00525 W20 Rule ID: SV-36614r1_rule Vuln ID: V-26302 Severity: CAT II Class: Unclass Apache's process ID (PID) file's Unix permissions should be configured appropriately. (1) permissions (1) via chmod Rule Title: The process ID (PID) file must be properly secured. STIG ID: WA00530 A22 Rule ID: SV-33222r1_rule Vuln ID: V-26305 Severity: CAT II Class: Unclass Apache's process ID (PID) file should be owned by the appropriate user. (1) user (1) via chown Rule Title: The process ID (PID) file must be properly secured. STIG ID: WA00530 A22 Rule ID: SV-33222r1_rule Vuln ID: V-26305 Severity: CAT II Class: Unclass Apache's process ID (PID) file should be owned by the appropriate group. (1) group (1) via chown Rule Title: The process ID (PID) file must be properly secured. STIG ID: WA00530 A22 Rule ID: SV-33222r1_rule Vuln ID: V-26305 Severity: CAT II Class: Unclass Apache's Scoreboard file's Unix permissions should be configured appropriately. (1) permissions (1) via chmod Rule Title: The ScoreBoard file must be properly secured. STIG ID: WA00535 A22 Rule ID: SV-33223r1_rule Vuln ID: V-26322 Severity: CAT II Class: Unclass Apache's scoreboard file should be owned by the appropriate user. (1) user (1) via chown Rule Title: The ScoreBoard file must be properly secured. STIG ID: WA00535 A22 Rule ID: SV-33223r1_rule Vuln ID: V-26322 Severity: CAT II Class: Unclass Apache's scoreboard (PID) file should be owned by the appropriate group. (1) group (1) via chown Rule Title: The ScoreBoard file must be properly secured. STIG ID: WA00535 A22 Rule ID: SV-33223r1_rule Vuln ID: V-26322 Severity: CAT II Class: Unclass The Order directive for the OS root should be configured appropriately. (1) Allow,Deny / Deny,Allow / Mutual-failure (1) Order directive L1 13. Access Control Directives p21 Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 A22 Rule ID: SV-33226r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 W22 Rule ID: SV-33180r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass The Allow Directive for the OS root should be configured appropriately (1) all | hostname/IP address/environment variable (1) Allow directive L1 13. Access Control Directives p21 Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 A22 Rule ID: SV-33226r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 W22 Rule ID: SV-33180r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass The Deny Directive for the OS root should be configured appropriately (1) all | hostname/IP address/environment variable (1) Deny directive L1 13. Access Control Directives p21 Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 A22 Rule ID: SV-33226r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 W22 Rule ID: SV-33180r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass The Apache "ExecCGI" setting for all "Options" directives for the OS root should be configured appropriately. (1) ExecCGI / -ExecCGI/ +ExecCGI / None (1) Apache configuration file: Options directive (in OS root Directory directive) Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "FollowSymLinks" setting for all "Options" directives for the OS root should be configured appropriately. (1) FollowSymLinks / -FollowSymLinks / +FollowSymLinks / None (1) Apache configuration file: Options directive (in OS root Directory directive) Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "Includes" setting for all "Options" directives for the OS root should be configured appropriately. (1) Includes / -Includes / +Includes / None (1) Apache configuration file: Options directive (in OS root Directory directive) Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "IncludesNoExec" setting for all "Options" directives for the OS root should be configured appropriately. (1) IncludesNoExec / -IncludesNoExec / +IncludesNoExec / None (1) Apache configuration file: Options directive (in OS root Directory directive) Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "Indexes" setting for all "Options" directives for the OS root should be configured appropriately. (1) Indexes / -Indexes / +Indexes / None (1) Apache configuration file: Options directive (in OS root Directory directive) Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "MultiViews" setting for all "Options" directives for the OS root should be configured appropriately. (1) MultiViews / -MultiViews / +MultiViews / None (1) Apache configuration file: Options directive (in OS root Directory directive) Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "SymLinksIfOwnerMatch" setting for all "Options" directives for the OS root should be configured appropriately. (1) SymLinksIfOwnerMatch / -SymLinksIfOwnerMatch / +SymLinksIfOwnerMatch / None (1) Apache configuration file: Options directive (in OS root Directory directive) Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "TraceEnable" directive should be configured appropriatley. (1) on / off / extended (1) Apache configuration file: TraceEnable directive Rule Title: The TRACE method must be disabled. STIG ID: WA00550 A22 Rule ID: SV-33227r1_rule Vuln ID: V-26325 Severity: CAT II Class: Unclass Rule Title: The TRACE method must be disabled. STIG ID: WA00550 W22 Rule ID: SV-33183r1_rule Vuln ID: V-26325 Severity: CAT II Class: Unclass Apache's listening IP address should be configured appropriately. (1) IP-address (1) Apache configuration file: Listen directive Rule Title: The web server must be configured to listen on a specific IP address and port. STIG ID: WA00555 A22 Rule ID: SV-33228r1_rule Vuln ID: V-26326 Severity: CAT II Class: Unclass Rule Title: The web server must be configured to listen on a specific IP address and port. STIG ID: WA00555 W22 Rule ID: SV-33184r1_rule Vuln ID: V-26326 Severity: CAT II Class: Unclass Apache's listening port should be configured appropriately. (1) port number (1) Apache configuration file: Listen directive Rule Title: The web server must be configured to listen on a specific IP address and port. STIG ID: WA00555 A22 Rule ID: SV-33228r1_rule Vuln ID: V-26326 Severity: CAT II Class: Unclass Rule Title: The web server must be configured to listen on a specific IP address and port. STIG ID: WA00555 W22 Rule ID: SV-33184r1_rule Vuln ID: V-26326 Severity: CAT II Class: Unclass The ScriptAlias for the specified directory should be configured appropriately. (1) url-path (2) TARGET: directory path (1) Apache configuration file: ScriptAlias directive Rule Title: The URL-path name must be set to the file path name or the directory path name. STIG ID: WA00560 A22 Rule ID: SV-33229r1_rule Vuln ID: V-26327 Severity: CAT II Class: Unclass Rule Title: The URL-path name must be set to the file path name or the directory path name. STIG ID: WA00560 W22 Rule ID: SV-33185r1_rule Vuln ID: V-26327 Severity: CAT II Class: Unclass Automatic directory indexing should be enabled or disabled as appropriate. (1) autoindex_module (1) Apache configuration file: LoadModule directive Rule Title: Automatic directory indexing must be disabled. STIG ID: WA00515 A22 Rule ID: SV-33219r1_rule Vuln ID: V-26368 Severity: CAT II Class: Unclass Rule Title: Automatic directory indexing must be disabled. STIG ID: WA00515 W20 Rule ID: SV-36620r1_rule Vuln ID: V-26368 Severity: CAT II Class: Unclass The Apache AllowOverride Directive should be configured appropriately for operating system root directories. (1) AuthConfig / FileInfo / Indexes / Limit / Options / All / None (1) Apache configuration file: AllowOverride directive L1 15. Directory Functionality/Features Directives p24 Rule Title: The ability to override the access configuration for the OS root directory must be disabled. STIG ID: WA00547 A22 Rule ID: SV-33232r1_rule Vuln ID: V-26393 Severity: CAT II Class: Unclass Rule Title: The ability to override the access configuration for the OS root directory must be disabled. STIG ID: WA00547 W22 Rule ID: SV-33237r1_rule Vuln ID: V-26393 Severity: CAT II Class: Unclass Permitted HTTP request methods should be configured appropriately. (1) methods (2) access control directives (1) Apache configuration file: LimitExecpt directive L1 16. Limiting HTTP Request Methods p25 Rule Title: HTTP request methods must be limited. STIG ID: WA00565 A22 Rule ID: SV-33236r1_rule Vuln ID: V-26396 Severity: CAT II Class: Unclass Rule Title: HTTP request methods must be limited. STIG ID: WA00565 W22 Rule ID: SV-33238r1_rule Vuln ID: V-26396 Severity: CAT II Class: Unclass Anonymous sharing of Apache's web content directories should be configured appropriately. (1) Set of shares (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy Rule Title: Web content directories must not be anonymously shared. STIG ID: WG210 W22 Rule ID: SV-33109r1_rule Vuln ID: V-2226 Severity: CAT II Class: Unclass The maximum password age setting for Apache's service account should be configured appropriately. (1) number of days (1) defined by Local or Group Policy Rule Title: The service account used to run the web service must have its password changed at least annually. STIG ID: WG060 W22 Rule ID: SV-36489r1_rule Vuln ID: V-2235 Severity: CAT II Class: Unclass Access to Apache's httpd.conf file should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by (ServerRoot)\conf\httpd.conf's DACL L1 19. Updating Ownership and Permissions for Enhanced Security p27 Rule Title: Web administration tools must be restricted to the web manager and the web manager’s designees. STIG ID: WG220 W22 Rule ID: SV-33072r1_rule Vuln ID: V-2248 Severity: CAT II Class: Unclass The Windows permissions for all files specified by CustomLog directives should be configured appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL L1 19. Updating Ownership and Permissions for Enhanced Security p27 Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 W22 Rule ID: SV-33135r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass The Windows permissions for all files specified by ErrorLog directives should be configured appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL L1 19. Updating Ownership and Permissions for Enhanced Security p27 Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 W22 Rule ID: SV-33135r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass The Windows permissions of Apache's htpasswd.exe file(s) should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The web server’s htpasswd files (if present) must reflect proper ownership and permissions. STIG ID: WG270 W22 Rule ID: SV-36561r1_rule Vuln ID: V-2255 Severity: CAT II Class: Unclass The Windows permissions for all directories specified by ScriptAlias directives should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 W22 Rule ID: SV-33136r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Windows permissions for all directories specified by ScriptAliasMatch directives should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 W22 Rule ID: SV-33136r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Windows permissions for all directories specified by DocumentRoot directives should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 W22 Rule ID: SV-33136r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Windows permissions for all directories specified by Alias directives should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 W22 Rule ID: SV-33136r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Windows permissions for all directories specified by ServerRoot directives should be configred appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 W22 Rule ID: SV-33078r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Windows permissions of Apache's /config directory should be configred appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 W22 Rule ID: SV-33078r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Windows permissions of Apache's /bin directory should be configred appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 W22 Rule ID: SV-33078r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Windows permissions of Apache's /logs directory should be configred appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 W22 Rule ID: SV-33078r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Windows permissions of Apache's /htdocs directory should be configred appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 W22 Rule ID: SV-33078r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The requried permssions for the file %SystemRoot%\System32\wscript.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the %SystemRoot%\System32\wscript.exe DACL Rule Title: Wscript.exe and Cscript.exe must only be accessible by the SA and/or the web administrator. STIG ID: WG470 W22 Rule ID: SV-33095r1_rule Vuln ID: V-2264 Severity: CAT II Class: Unclass The required permissions for the file %SystemRoot%\System32\cscript.exe should be assigned (1) set of accounts (2) list of permissions (3) applicability (1) defined by the %SystemRoot%\System32\cscript.exe DACL Rule Title: Wscript.exe and Cscript.exe must only be accessible by the SA and/or the web administrator. STIG ID: WG470 W22 Rule ID: SV-33095r1_rule Vuln ID: V-2264 Severity: CAT II Class: Unclass The Apache web server be run with the appropriate privileges. (1) Account type: ( privileged / non privileged ) (1) My Computer / Manage / Configuration / Local Users and Groups / <account name> Rule Title: The web server, although started by superuser or privileged account, must run using a non-privileged account. STIG ID: WG275 W22 Rule ID: SV-36607r1_rule Vuln ID: V-13619 Severity: CAT II Class: Unclass Apache's process ID (PID) file's Windows permissions should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The process ID (PID) file must be properly secured. STIG ID: WA00530 W22 Rule ID: SV-33177r1_rule Vuln ID: V-26305 Severity: CAT II Class: Unclass Apache's Scoreboard file's Windows permissions should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The ScoreBoard file must be properly secured. STIG ID: WA00535 W22 Rule ID: SV-33178r1_rule Vuln ID: V-26322 Severity: CAT II Class: Unclass The location of the Apache htpasswd file should be set correctly. (1) directory path (1) Directory of htpasswd file L1 14. Authentication Mechanisms p22 The Apache User directive should be set correctly. (1) user name (1) Apache configuration file: User directive L1 8. User Oriented General Directives p13 The Apache Group directive should be set correctly. (1) group name (1) Apache configuration file: Group directive L1 8. User Oriented General Directives p14 The Apache Server Administrator email address should be set correctly. (1) email address (1) 'ServerAdmin' line in Apache configuration file L1 8. User Oriented General Directives p14 The Apache ServerSignature directive should be set appropriately. (1) On/Off/EMail (1) Apache configuration file: ServerSignature directive L1 11. Web Server Software Obfuscation General Directives p17 The Apache runtime rewriting engine should be enabled or disabled as appropriate. (1) off/on (1) Apache configuration file: RewriteEngine directive L1 21. Deny HTTP TRACE Requests with Mod_Rewrite p33 The Apache ErrorDocument directive should be set correctly for HTTP 400 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 400' directive L1 11. Web Server Software Obfuscation General Directives p17 The ApacheErrorDocument directive should be set correctly for HTTP 401 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 401' directive L1 11. Web Server Software Obfuscation General Directives p17 The ApacheErrorDocument directive should be set correctly for HTTP 403 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 403' directive L1 11. Web Server Software Obfuscation General Directives p17 The ApacheErrorDocument directive should be set correctly for HTTP 404 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 404' directive L1 11. Web Server Software Obfuscation General Directives p17 The ApacheErrorDocument directive should be set correctly for HTTP 405 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 405' directive L1 11. Web Server Software Obfuscation General Directives p17 The ApacheErrorDocument directive should be set correctly for HTTP 500 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 500' directive L1 11. Web Server Software Obfuscation General Directives p17 The Apache user account should be locked or unlocked as appropriate. (1) locked/unlocked (1) via /etc/passwd L1 5. Lock Down the Apache Web User Account p11 The Apache user account should be allowed root privileges as appropriate. (1) allowed/not allowed (1) via /etc/passwd L1 4. Create the Apache Web User Account p11 The group membership of the Apache user account should be set correctly. (1) group (1) via /etc/group L1 4. Create the Apache Web User Account p11 The ownership of the Apache /etc/httpd/conf/passwd file should be set correctly. (1) owner (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 The group membership of the Apache /etc/httpd/conf/passwd file should be set correctly. (1) group (1) via chgrp L1 19. Updating Ownership and Permissions for Enhanced Security p27 The permissions for the Apache /etc/httpd/conf/passwd file should be set correctly. (1) permissions (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 The ownership of the Apache /var/www/html file should be set correctly. (1) owner (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 The group membership of the Apache /var/www/html file should be set correctly. (1) group (1) via chgrp L1 19. Updating Ownership and Permissions for Enhanced Security p27 The permissions for the Apache/var/www/html file should be set correctly. (1) permissions (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 The ownership of log files in Apache /var/log/httpd/ should be set correctly. (1) owner (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 The group membership of any Apache files in /var/log/httpd/ should be set correctly. (1) group (1) via chgrp L1 19. Updating Ownership and Permissions for Enhanced Security p27 The permissions of any Apache files in /var/log/httpd/ should be set correctly. (1) permissions (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 The ownership of the Apache /etc/httpd/conf.d file should be set correctly. (1) owner (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 The group membership of the Apache /etc/httpd/conf.d file should be set correctly. (1) group (1) via chgrp L1 19. Updating Ownership and Permissions for Enhanced Security p27 The permissions for the Apache /etc/httpd/conf.d file should be set correctly. (1) permissions (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 The ownership of the Apache /usr/sbin/httpd file should be set correctly. (1) owner (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 The group membership of the Apache /usr/sbin/httpd file should be set correctly. (1) group (1) via chgrp L1 19. Updating Ownership and Permissions for Enhanced Security p27 The permissions for the Apache /usr/sbin/httpd file should be set correctly. (1) permissions (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 The ownership of the Apache /usr/sbin/apachectl file should be set correctly. (1) owner (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 The group membership of the Apache /usr/sbin/apachectl file should be set correctly. (1) group (1) via chgrp L1 19. Updating Ownership and Permissions for Enhanced Security p27 The permissions for the Apache /usr/sbin/apachectl file should be set correctly. (1) permissions (1) via chown L1 19. Updating Ownership and Permissions for Enhanced Security p27 The Allow directive for the specified Directory directive should be configured appropriately. (1) all | hostname/IP address/environment variable (1) Allow directive L1 13. Access Control Directives p21 The Deny directive for the specified Directory directive should be configured appropriately. (1) all | hostname/IP address/environment variable (1) Deny directive L1 13. Access Control Directives p21 The "FollowSymLinks" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) FollowSymLinks / -FollowSymLinks / +FollowSymLinks / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) L1 15. Directory Functionality/Features Directives p23 The"Includes" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) Includes / -Includes / +Includes / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) L1 15. Directory Functionality/Features Directives p24 The "IncludesNOEXEC" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) IncludesNoExec / -IncludesNoExec / +IncludesNoExec / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) L1 15. Directory Functionality/Features Directives p24 The "Indexes" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) Indexes / -Indexes / +Indexes / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) L1 15. Directory Functionality/Features Directives p24 The"MultiViews" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) MultiViews / -MultiViews / +MultiViews / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) L1 15. Directory Functionality/Features Directives p24-25 testcgi should be installed as appropriate. (1) exist/not exist (1) cgi-script directory L1 18. Remove Default/Unneeded Apache Files p27 Anonymous sharing of Apache's web content directories should be configured appropriately. (1) Set of shares (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy Rule Title: Web content directories must not be anonymously shared. STIG ID: WG210 W22 Rule ID: SV-33109r1_rule Vuln ID: V-2226 Severity: CAT II Class: Unclass The Apache AllowOverride directive should be configured appropriately for web site root directories. (1) AuthConfig / FileInfo / Indexes / Limit / Options / All / None (1) Apache configuration file: AllowOverride directive 1.8 Directory Functionality Control with the Options Directive p17 Rule Title: All interactive programs must be placed in a designated directory with appropriate permissions. STIG ID: WG400 W22 Rule ID: SV-36644r1_rule Vuln ID: V-2228 Severity: CAT II Class: Unclass The maximum password age setting for Apache's service account should be configured appropriately. (1) number of days (1) defined by Local or Group Policy Rule Title: The service account used to run the web service must have its password changed at least annually. STIG ID: WG060 W22 Rule ID: SV-36489r1_rule Vuln ID: V-2235 Severity: CAT II Class: Unclass The Apachce "MaxKeepAliveRequests" directive should be configured appropriately. (1) Number value (1) Apache configuration file: MaxKeepAliveRequests directive 1.9.1 Denial of Service Mitigation (Level 1, Scorable) Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more. p71 Rule Title: The number of allowed simultaneous requests must be set. STIG ID: WG110 W22 Rule ID: SV-33105r1_rule Vuln ID: V-2240 Severity: CAT II Class: Unclass Rule Title: The number of allowed simultaneous requests must be set. STIG ID: WG110 A22 Rule ID: SV-33018r1_rule Vuln ID: V-2240 Severity: CAT II Class: Unclass All readable Apache web document directories should have their default webpage configured appropriately. (1) exist / not exist (1) Directories (from Apache configuration file: DocumentRoot directive) Rule Title: Each readable web document directory must contain either a default, home, index, or equivalent file. STIG ID: WG170 W22 Rule ID: SV-33107r1_rule Vuln ID: V-2245 Severity: CAT III Class: Unclass Access to Apache's httpd.conf file should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by (ServerRoot)\conf\httpd.conf's DACL Rule Title: Web administration tools must be restricted to the web manager and the web manager’s designees. STIG ID: WG220 W22 Rule ID: SV-33072r1_rule Vuln ID: V-2248 Severity: CAT II Class: Unclass Apache's log_config_module should be enabled or disabled as appropriate. (1) log_config_module (1) Apache configuration file: LoadModule directive 1.2.2 Enable the Log Config Module (Level 1, Scorable) For dynamically loaded modules, add or modify the LoadModule directive so that it is present in the apache configuration as below and not commented out : LoadModule log_config_module modules/mod_log_config.so p12 Rule Title: Logs of web server access and errors must be established and maintained. STIG ID: WG240 W22 Rule ID: SV-33132r1_rule Vuln ID: V-2250 Severity: CAT II Class: Unclass Rule Title: Logs of web server access and errors must be established and maintained. STIG ID: WG240 A22 Rule ID: SV-33025r1_rule Vuln ID: V-2250 Severity: CAT II Class: Unclass The Windows permissions for all files specified by CustomLog directives should be configured appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 W22 Rule ID: SV-33135r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass The Windows permissions for all files specified by ErrorLog directives should be configured appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 W22 Rule ID: SV-33135r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass The Windows permissions of Apache's htpasswd.exe file(s) should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The web server’s htpasswd files (if present) must reflect proper ownership and permissions. STIG ID: WG270 W22 Rule ID: SV-36561r1_rule Vuln ID: V-2255 Severity: CAT II Class: Unclass The Windows permissions for all directories specified by ScriptAlias directives should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 W22 Rule ID: SV-33136r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Windows permissions for all directories specified by ScriptAliasMatch directives should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 W22 Rule ID: SV-33136r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Windows permissions for all directories specified by DocumentRoot directives should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 W22 Rule ID: SV-33136r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Windows permissions for all directories specified by Alias directives should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 W22 Rule ID: SV-33136r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Windows permissions for all directories specified by ServerRoot directives should be configred appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 W22 Rule ID: SV-33078r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Windows permissions of Apache's /config directory should be configred appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 W22 Rule ID: SV-33078r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Windows permissions of Apache's /bin directory should be configred appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 W22 Rule ID: SV-33078r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Windows permissions of Apache's /logs directory should be configred appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 W22 Rule ID: SV-33078r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Windows permissions of Apache's /htdocs directory should be configred appropriately (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 W22 Rule ID: SV-33078r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Apache site's robots.txt should be configured to disallow paths and files as appropriate. (1) User-Agent (2) Disallowed path(s)|file(s) (1) robots.txt Rule Title: A private web server must not respond to requests from public search engines. STIG ID: WG310 W22 Rule ID: SV-28798r2_rule Vuln ID: V-2260 Severity: CAT II Class: Unclass Rule Title: A private web server must not respond to requests from public search engines. STIG ID: WG310 A22 Rule ID: SV-33028r1_rule Vuln ID: V-2260 Severity: CAT II Class: Unclass Apache's ssl_module should be enabled or disabled as appropriate. (1) ssl_module (1) Apache configuration file: LoadModule directive 1.7.1 Install mod_ssl and/or mod_nss (Level 1, Scorable) Ensure the mod_ssl and/or mod_nss is loaded in the Apache configuration: # httpd -M | egrep 'ssl_module|nss_module' p59 Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 W22 Rule ID: SV-14297r4_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 A22 Rule ID: SV-33029r1_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass The Apache SSLProtocol directive should be configured appropriately. (1) SSLv2 / SSLv3 / TLSv1 / All (1) Apache configuration file: SSLProtocol directive 1.7.4 Restrict weak SSL Protocols and Ciphers (Level 1, Scorable) Add or modify the following line in the Apache server level configuration and every virtual host that is SSL enabled: SSLProtocol -ALL +SSLv3 +TLSv1 p65 Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 W22 Rule ID: SV-14297r4_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 A22 Rule ID: SV-33029r1_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass The Apache SSLEngine directive should be configured appropriately. (1) On / Off (1) Apache configuration file: SSLEngine directive Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 W22 Rule ID: SV-14297r4_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 A22 Rule ID: SV-33029r1_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass The requried permssions for the file %SystemRoot%\System32\wscript.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the %SystemRoot%\System32\wscript.exe DACL Rule Title: Wscript.exe and Cscript.exe must only be accessible by the SA and/or the web administrator. STIG ID: WG470 W22 Rule ID: SV-33095r1_rule Vuln ID: V-2264 Severity: CAT II Class: Unclass The required permissions for the file %SystemRoot%\System32\cscript.exe should be assigned (1) set of accounts (2) list of permissions (3) applicability (1) defined by the %SystemRoot%\System32\cscript.exe DACL Rule Title: Wscript.exe and Cscript.exe must only be accessible by the SA and/or the web administrator. STIG ID: WG470 W22 Rule ID: SV-33095r1_rule Vuln ID: V-2264 Severity: CAT II Class: Unclass The Apache "ServerTokens" directive should be configured appropriately. (1) Prod[uctOnly] / Major / Minor / Min[imal] / OS / Full (1) Apache configuration file: ServerTokens directive 1.8.1 Limit Information in the Server Token (Level 1, Scorable) Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly: ServerTokens Prod page 68 1.16 Software Information Leakage Protection p29 Rule Title: Web server and/or operating system information must be protected. STIG ID: WG520 W22 Rule ID: SV-33098r1_rule Vuln ID: V-6724 Severity: CAT III Class: Unclass Rule Title: Web server and/or operating system information must be protected. STIG ID: WG520 A22 Rule ID: SV-36672r1_rule Vuln ID: V-6724 Severity: CAT III Class: Unclass The Apache web server be run with the appropriate privileges. (1) Account type: ( privileged / non privileged ) (1) My Computer / Manage / Configuration / Local Users and Groups / <account name> Rule Title: The web server, although started by superuser or privileged account, must run using a non-privileged account. STIG ID: WG275 W22 Rule ID: SV-36607r1_rule Vuln ID: V-13619 Severity: CAT II Class: Unclass All Apache's online manual should be available or removed as appropriate. (1) exist / not exist (1) manual in the Server Root directory 1.5.4 Remove Default HTML Content (Level 1, Scorable) Remove the Apache user manual content or comment out configurations referencing the manual # yum erase httpd-manual page 37 Rule Title: All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. STIG ID: WG385 W22 Rule ID: SV-33087r1_rule Vuln ID: V-13621 Severity: CAT I Class: Unclass Rule Title: All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. STIG ID: WG385 A22 Rule ID: SV-32933r1_rule Vuln ID: V-13621 Severity: CAT I Class: Unclass Apache's demo CGI printenv.pl should be available or removed as appropriate (1) exist / not exist (1) (ServerRoot)\cgi-bin\printenv.pl (2) (ServerRoot)/cgi-bin/printenv.pl 1.5.5 Remove Default CGI Content printenv (Level 1, Scorable) Remove the printenv default CGI in cgi-bin directory if it is installed. # rm $APACHE_PREFIX/cgi-bin/printenv page 39 1.18 Remove Default Content p33 Rule Title: All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. STIG ID: WG385 W22 Rule ID: SV-33087r1_rule Vuln ID: V-13621 Severity: CAT I Class: Unclass Rule Title: All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. STIG ID: WG385 A22 Rule ID: SV-32933r1_rule Vuln ID: V-13621 Severity: CAT I Class: Unclass The Apache access log file data should be configured to contain the appropriate data elements. (1) LogFormat Format String (1) Apache configuration file: LogFormat directive 1.6.2 Configure the Access Log (Level 1, Scorable) Add or modify the LogFormat directives in the Apache configuration to use the standard and recommended combined format show as shown below. LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined 1.17 Logging p30 Rule Title: Log file data must contain required data elements. STIG ID: WG242 W22 Rule ID: SV-28654r2_rule Vuln ID: V-13688 Severity: CAT II Class: Unclass Rule Title: Log file data must contain required data elements. STIG ID: WG242 A22 Rule ID: SV-36642r1_rule Vuln ID: V-13688 Severity: CAT II Class: Unclass The Apache "Timeout" directive should be configured appropriately. (1) Number value (in seconds) (1) Apache configuration file: Timeout directive 1.9.1 Denial of Service Mitigation (Level 1, Scorable) Add or modify the Timeout directive in the Apache configuration to have a value of 10 seconds or shorter. Timeout 10 page 71 1.13 Denial of Service Prevention Tuning p21 Rule Title: The Timeout directive must be properly set. STIG ID: WA000-WWA020 W22 Rule ID: SV-32980r1_rule Vuln ID: V-13724 Severity: CAT II Class: Unclass Rule Title: The Timeout directive must be properly set. STIG ID: WA000-WWA020 A22 Rule ID: SV-32977r1_rule Vuln ID: V-13724 Severity: CAT II Class: Unclass The Apache "KeepAlive" directive should be configured appropriately. (1) On / Off (1) Apache configuration file: KeepAlive directive 1.9.1 Denial of Service Mitigation (Level 1, Scorable) Add or modify the KeepAlive directive in the Apache configuration to have a value of On, so that Keepalive connections are enabled. KeepAlive On page 71 1.13 Denial of Service Prevention Tuning p21 Rule Title: The KeepAlive directive must be enabled. STIG ID: WA000-WWA022 W22 Rule ID: SV-32987r1_rule Vuln ID: V-13725 Severity: CAT II Class: Unclass Rule Title: The KeepAlive directive must be enabled. STIG ID: WA000-WWA022 A22 Rule ID: SV-32844r1_rule Vuln ID: V-13725 Severity: CAT II Class: Unclass The Apache "KeepAliveTimeout" directive should be configured appropriately. (1) Number value (in seconds) (1) Apache configuration file: KeepAliveTimeout directive 1.9.1 Denial of Service Mitigation (Level 1, Scorable) Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less. KeepAliveTimeout 15 page 71 1.13 Denial of Service Prevention Tuning p21 Rule Title: The KeepAliveTimeout directive must be defined. STIG ID: WA000-WWA024 W22 Rule ID: SV-32880r1_rule Vuln ID: V-13726 Severity: CAT II Class: Unclass Rule Title: The KeepAliveTimeout directive must be defined. STIG ID: WA000-WWA024 A22 Rule ID: SV-32877r1_rule Vuln ID: V-13726 Severity: CAT II Class: Unclass The Apache "FollowSymLinks" setting for all "Options" directives should be configured appropriately. (1) FollowSymLinks / -FollowSymLinks / +FollowSymLinks / None (1) Apache configuration file: Options directive 1.5.3 Minimize Options for Other Directories (Level 1, Scorable) FollowSymLinks & SymLinksIfOwnerMatch – The following of symbolic links is not recommended and should be disabled if possible. Page 35 Rule Title: The FollowSymLinks setting must be disabled. STIG ID: WA000-WWA052 W22 Rule ID: SV-33001r1_rule Vuln ID: V-13732 Severity: CAT II Class: Unclass Rule Title: The FollowSymLinks setting must be disabled. STIG ID: WA000-WWA052 A22 Rule ID: SV-40129r1_rule Vuln ID: V-13732 Severity: CAT II Class: Unclass The Apache "Includes" setting for all "Options" directives should be configured appropriately. (1) Includes / -Includes / +Includes / None (1) Apache configuration file: Options directive 1.5.3 Minimize Options for Other Directories Includes & IncludesNOEXEC – The IncludesNOEXEC option should only be needed when server side includes are required. The full Includes option should not be used as it also allows execution of arbitrary shell commands. Page 35 Rule Title: Server side includes (SSIs) must run with execution capability disabled. STIG ID: WA000-WWA054 W22 Rule ID: SV-33003r1_rule Vuln ID: V-13733 Severity: CAT I Class: Unclass Rule Title: Server side includes (SSIs) must run with execution capability disabled. STIG ID: WA000-WWA054 A22 Rule ID: SV-32753r1_rule Vuln ID: V-13733 Severity: CAT I Class: Unclass The Apache "IncludesNoExec" setting for all "Options" directives should be configured appropriately. (1) IncludesNoExec / -IncludesNoExec / +IncludesNoExec / None (1) Apache configuration file: Options directive 1.5.3 Minimize Options for Other Directories Includes & IncludesNOEXEC – The IncludesNOEXEC option should only be needed when server side includes are required. The full Includes option should not be used as it also allows execution of arbitrary shell commands. Page 35 Rule Title: Server side includes (SSIs) must run with execution capability disabled. STIG ID: WA000-WWA054 W22 Rule ID: SV-33003r1_rule Vuln ID: V-13733 Severity: CAT I Class: Unclass Rule Title: Server side includes (SSIs) must run with execution capability disabled. STIG ID: WA000-WWA054 A22 Rule ID: SV-32753r1_rule Vuln ID: V-13733 Severity: CAT I Class: Unclass The Apache "MultiViews" setting for all "Options" directives should be configured appropriately. (1) MultiViews / -MultiViews / +MultiViews / None (1) Apache configuration file: Options directive 1.5.3 Minimize Options for Other Directories (Level 1, Scorable) Multiviews – Is appropriate if content negotiation is required such as for multiple language are supported. Page 35 Rule Title: The MultiViews directive must be disabled. STIG ID: WA000-WWA056 W22 Rule ID: SV-33004r1_rule Vuln ID: V-13734 Severity: CAT II Class: Unclass Rule Title: The MultiViews directive must be disabled. STIG ID: WA000-WWA056 A22 Rule ID: SV-32754r1_rule Vuln ID: V-13734 Severity: CAT II Class: Unclass The Apache "Indexes" setting for all "Options" directives should be configured appropriately. (1) Indexes / -Indexes / +Indexes / None (1) Apache configuration file: Options directive 1.5.3 Minimize Options for Other Directories (Level 1, Scorable) Indexes – The Indexes option causes automatic generation of indexes, if the default index page is missing, and should be disabled unless required. Page 35 Rule Title: Directory indexing must be disabled on directories not containing index files. STIG ID: WA000-WWA058 W22 Rule ID: SV-33006r1_rule Vuln ID: V-13735 Severity: CAT II Class: Unclass Rule Title: Directory indexing must be disabled on directories not containing index files. STIG ID: WA000-WWA058 A22 Rule ID: SV-32755r1_rule Vuln ID: V-13735 Severity: CAT II Class: Unclass The Apache "LimitRequestBody" directive should be configured appropriately. (1) Number value (in bytes) (1) Apache configuration file: LimitRequestBody directive 1.9.2 Buffer Overflow Mitigation (Level 2, Scorable) Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so that it is understood that this directive will limit the size of file up-loads to the web server. LimitRequestBody 102400 page 73 1.14 Buffer Overflow Protection Tuning p23 Rule Title: The HTTP request message body size must be limited. STIG ID: WA000-WWA060 W22 Rule ID: SV-33008r1_rule Vuln ID: V-13736 Severity: CAT II Class: Unclass Rule Title: The HTTP request message body size must be limited. STIG ID: WA000-WWA060 A22 Rule ID: SV-32756r1_rule Vuln ID: V-13736 Severity: CAT II Class: Unclass+G66 The Apache "LimitRequestFields" directive should be configured appropriately (1) Number value (1) Apache configuration file: LimitRequestFields directive 1.9.2 Buffer Overflow Mitigation (Level 2, Scorable) Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present the default depends on a compile time configuration, but defaults to a value of 100. LimitRequestFields 100 page 73 1.14 Buffer Overflow Protection Tuning p24 Rule Title: The HTTP request header fields must be limited. STIG ID: WA000-WWA062 W22 Rule ID: SV-33009r1_rule Vuln ID: V-13737 Severity: CAT II Class: Unclass Rule Title: The HTTP request header fields must be limited. STIG ID: WA000-WWA062 A22 Rule ID: SV-32757r1_rule Vuln ID: V-13737 Severity: CAT II Class: Unclass The Apache "LimitRequestFieldSizeBody" directive should be configured appropriately. (1) Number value (in bytes) (1) Apache configuration file: LimitRequestFieldSizeBody directive 1.9.2 Buffer Overflow Mitigation (Level 2, Scorable) Add or modify the LimitRequestFieldsize directive in the Apache configuration to have a value of 1024 or less. LimitRequestFieldsize 1024 page 73 1.14 Buffer Overflow Protection Tuning p24 Rule Title: The HTTP request header field size must be limited. STIG ID: WA000-WWA064 W22 Rule ID: SV-33010r1_rule Vuln ID: V-13738 Severity: CAT II Class: Unclass Rule Title: The HTTP request header field size must be limited. STIG ID: WA000-WWA064 A22 Rule ID: SV-32766r1_rule Vuln ID: V-13738 Severity: CAT II Class: Unclass The Apache "LimitRequestline" directive should be configured appropriatley. (1) Number value (in bytes) (1) Apache configuration file: LimitRequestLine directive 1.9.2 Buffer Overflow Mitigation (Level 2, Scorable) Add or modify the LimitRequestline directive in the Apache configuration to have a value of 512 or shorter. LimitRequestline 512 page 72 1.14 Buffer Overflow Protection Tuning p24 Rule Title: The HTTP request line must be limited. STIG ID: WA000-WWA066 W22 Rule ID: SV-33011r1_rule Vuln ID: V-13739 Severity: CAT II Class: Unclass Rule Title: The HTTP request line must be limited. STIG ID: WA000-WWA066 A22 Rule ID: SV-32768r1_rule Vuln ID: V-13739 Severity: CAT II Class: Unclass The path for Apache sites error log files should be configured appropriately. (1) File path (1) Apache configuration file: ErrorLog directive 1.6.1 Configure the Error Log (Level 1, Scorable) Add an ErrorLog directive if not already configured. The file path may be relative or absolute, or the logs may be configured to be sent to a syslog server. ErrorLog "logs/error_log" Add a similar ErrorLog directive for each virtual host configured if the virtual host will have different people responsible for the web site. Each responsible individual or organization needs access to their own web logs, and needs the skills/training/tools for monitor the logs. page 50 2.5 Syslog Logging p44-45 Rule Title: Error logging must be enabled. STIG ID: WA00605 W22 Rule ID: SV-33147r1_rule Vuln ID: V-26279 Severity: CAT II Class: Unclass Rule Title: Error logging must be enabled. STIG ID: WA00605 A22 Rule ID: SV-33192r1_rule Vuln ID: V-26279 Severity: CAT II Class: Unclass The Apache system logging should be configured appropriately. (1) File path | pipe (2) LogFormat | nickname (1) Apache configuration file: CustomLog directive 1.6.2 Configure the Access Log (Level 1, Scorable) Add or modify the CustomLog directives in the Apache configuration to use the combined format with an appropriate log file, syslog facility or piped logging utility. CustomLog log/access_log combined Add a similar CustomLog directives for each virtual host configured if the virtual host will have different people responsible for the web site. Each responsible individual or organization needs access to their own web logs, and needs the skills/training/tools for monitor the logs. page 51 1.17 Logging p31 Rule Title: System logging must be enabled. STIG ID: WA00615 W22 Rule ID: SV-33151r1_rule Vuln ID: V-26281 Severity: CAT II Class: Unclass Rule Title: System logging must be enabled. STIG ID: WA00615 A22 Rule ID: SV-33206r1_rule Vuln ID: V-26281 Severity: CAT II Class: Unclass The Apache "LogLevel" directive should be configured appropriately. (1) debug / info / notice / warn / error / crit / alert / emerg (1) Apache configuration file: LogLevel directive 1.6.1 Configure the Error Log (Level 1, Scorable) Add or modify the LogLevel in the apache configuration to have a value of notice or lower. Note that is it is compliant to have a value of info or debug if there is a need for a more verbose log and the storage and monitoring processes are capable of handling the extra load. The recommended value is notice. LogLevel notice page 50 1.17 Logging p31 Rule Title: The LogLevel directive must be enabled. STIG ID: WA00620 W22 Rule ID: SV-33153r1_rule Vuln ID: V-26282 Severity: CAT II Class: Unclass Rule Title: The LogLevel directive must be enabled. STIG ID: WA00620 A22 Rule ID: SV-33207r1_rule Vuln ID: V-26282 Severity: CAT II Class: Unclass Web Distributed Authoring and Versioning (WebDav) dav_module should be enabled or disabled as appropriate. (1) dav_module (1) Apache configuration file: LoadModule directive 1.2.3 Disable WebDAV modules (Level 1, Scorable) For dynamically loaded modules comment out or remove the LoadModule directive for mod_dav, and mod_dav_fs modules the from the httpd.conf file. ##LoadModule dav_module modules/mod_dav.so ##LoadModule dav_fs_module modules/mod_dav_fs.so page 13 Rule Title: Web Distributed Authoring and Versioning (WebDAV) must be disabled. STIG ID: WA00505 W22 Rule ID: SV-33169r1_rule Vuln ID: V-26287 Severity: CAT II Class: Unclass Rule Title: Web Distributed Authoring and Versioning (WebDAV) must be disabled. STIG ID: WA00505 A22 Rule ID: SV-33216r1_rule Vuln ID: V-26287 Severity: CAT II Class: Unclass Web Distributed Authoring and Versioning (WebDav) dav_fs_module should be enabled or disabled as appropriate. (1) dav_fs_module (1) Apache configuration file: LoadModule directive 1.2.3 Disable WebDAV modules (Level 1, Scorable) For dynamically loaded modules comment out or remove the LoadModule directive for mod_dav, and mod_dav_fs modules the from the httpd.conf file. ##LoadModule dav_module modules/mod_dav.so ##LoadModule dav_fs_module modules/mod_dav_fs.so page 13 Rule Title: Web Distributed Authoring and Versioning (WebDAV) must be disabled. STIG ID: WA00505 W22 Rule ID: SV-33169r1_rule Vuln ID: V-26287 Severity: CAT II Class: Unclass Rule Title: Web Distributed Authoring and Versioning (WebDAV) must be disabled. STIG ID: WA00505 A22 Rule ID: SV-33216r1_rule Vuln ID: V-26287 Severity: CAT II Class: Unclass Web Distributed Authoring and Versioning (WebDav) dav_lock_module should be enabled or disabled as appropriate. (1) dav_lock_module (1) Apache configuration file: LoadModule directive Rule Title: Web Distributed Authoring and Versioning (WebDAV) must be disabled. STIG ID: WA00505 W22 Rule ID: SV-33169r1_rule Vuln ID: V-26287 Severity: CAT II Class: Unclass Rule Title: Web Distributed Authoring and Versioning (WebDAV) must be disabled. STIG ID: WA00505 A22 Rule ID: SV-33216r1_rule Vuln ID: V-26287 Severity: CAT II Class: Unclass Apache's info_module should be enabled or disabled as appropriate. (1) info_module (1) Apache configuration file: LoadModule directive 1.2.8 Disable Info module (Level 1, Scorable) a) For source builds with static modules run the Apache ./configure script without including the mod_info in the --enable-modules= configure script options. $ cd $DOWNLOAD/httpd-2.2.22 $ ./configure b) For dynamically loaded modules comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file. ##LoadModule info_module modules/mod_info.so Page 18 Rule Title: Web server status module will be disabled. STIG ID: WA00510 W22 Rule ID: SV-33171r1_rule Vuln ID: V-26294 Severity: CAT II Class: Unclass Rule Title: Web server status module will be disabled. STIG ID: WA00510 A22 Rule ID: SV-33218r1_rule Vuln ID: V-26294 Severity: CAT II Class: Unclass Apache's status_module should be enabled or disabled as appropriate. (1) status_module (1) Apache configuration file: LoadModule directive 1.2.4 Disable Status module (Level 1, Scorable) a) For source builds with static modules run the Apache ./configure script with the --disable-status configure script options. $ cd $DOWNLOAD/httpd-2.2.22 $ ./configure --disable-status b) For dynamically loaded modules comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file. ##LoadModule status_module modules/mod_status.so page 14 Rule Title: Web server status module will be disabled. STIG ID: WA00510 W22 Rule ID: SV-33171r1_rule Vuln ID: V-26294 Severity: CAT II Class: Unclass Rule Title: Web server status module will be disabled. STIG ID: WA00510 A22 Rule ID: SV-33218r1_rule Vuln ID: V-26294 Severity: CAT II Class: Unclass Apache's proxy_module should be enabled or disabled as appropriate. (1) proxy_module (1) Apache configuration file: LoadModule directive 1.2.6 Disable Proxy Modules (Level 1, Scorable) a) For source builds with static modules run the Apache ./configure script without including the mod_proxy in the --enable-modules= configure script options. $ cd $DOWNLOAD/httpd-2.2.22 $ ./configure b) For dynamically loaded modules comment out or remove the LoadModule directive for mod_proxy module and all other proxy modules the from the httpd.conf file. ##LoadModule proxy_module modules/mod_proxy.so Page 16 Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 W22 Rule ID: SV-33173r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 A22 Rule ID: SV-33220r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Apache's proxy_ftp_module should be enabled or disabled as appropriate. (1) proxy_ftp_module (1) Apache configuration file: LoadModule directive 1.2.6 Disable Proxy Modules (Level 1, Scorable) a) For source builds with static modules run the Apache ./configure script without including the mod_proxy in the --enable-modules= configure script options. $ cd $DOWNLOAD/httpd-2.2.22 $ ./configure b) For dynamically loaded modules comment out or remove the LoadModule directive for mod_proxy module and all other proxy modules the from the httpd.conf file. ##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so Page 16 Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 W22 Rule ID: SV-33173r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 A22 Rule ID: SV-33220r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Apache's proxy_http_module should be enabled or disabled as appropriate. (1) proxy_http_module (1) Apache configuration file: LoadModule directive 1.2.6 Disable Proxy Modules (Level 1, Scorable) a) For source builds with static modules run the Apache ./configure script without including the mod_proxy in the --enable-modules= configure script options. $ cd $DOWNLOAD/httpd-2.2.22 $ ./configure b) For dynamically loaded modules comment out or remove the LoadModule directive for mod_proxy module and all other proxy modules the from the httpd.conf file. ##LoadModule proxy_http_module modules/mod_proxy_http.so Page 16 Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 W22 Rule ID: SV-33173r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 A22 Rule ID: SV-33220r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Apache's proxy_connect_module should be enabled or disabled as appropriate. (1) proxy_connect_module (1) Apache configuration file: LoadModule directive 1.2.6 Disable Proxy Modules (Level 1, Scorable) a) For source builds with static modules run the Apache ./configure script without including the mod_proxy in the --enable-modules= configure script options. $ cd $DOWNLOAD/httpd-2.2.22 $ ./configure b) For dynamically loaded modules comment out or remove the LoadModule directive for mod_proxy module and all other proxy modules the from the httpd.conf file. ##LoadModule proxy_connect_module modules/mod_proxy_connect.so Page 16 Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 W22 Rule ID: SV-33173r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 A22 Rule ID: SV-33220r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Apache's proxy_ajp_module should be enabled or disabled as appropriate (1) proxy_ajp_module (1) Apache configuration file: LoadModule directive 1.2.6 Disable Proxy Modules (Level 1, Scorable) a) For source builds with static modules run the Apache ./configure script without including the mod_proxy in the --enable-modules= configure script options. $ cd $DOWNLOAD/httpd-2.2.22 $ ./configure b) For dynamically loaded modules comment out or remove the LoadModule directive for mod_proxy module and all other proxy modules the from the httpd.conf file. ##LoadModule proxy_connect_module modules/mod_proxy_ajp.so Page 16 Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 W22 Rule ID: SV-33173r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 A22 Rule ID: SV-33220r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Apache's proxy_balancer_module should be enabled or disabled as appropriate. (1) proxy_balancer_module (1) Apache configuration file: LoadModule directive 1.2.6 Disable Proxy Modules (Level 1, Scorable) a) For source builds with static modules run the Apache ./configure script without including the mod_proxy in the --enable-modules= configure script options. $ cd $DOWNLOAD/httpd-2.2.22 $ ./configure b) For dynamically loaded modules comment out or remove the LoadModule directive for mod_proxy module and all other proxy modules the from the httpd.conf file. ##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so Page 16 Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 W22 Rule ID: SV-33173r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 A22 Rule ID: SV-33220r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass User-specific directories should be enabled or disabled as appropriate. (1) userdir_module (1) Apache configuration file: LoadModule directive 1.2.7 Disable User Directories Modules (Level 1, Scorable) 1. For source builds with static modules run the Apache ./configure script with the --disable-userdir configure script options. $ cd $DOWNLOAD/httpd-2.2.22 $ ./configure --disable-userdir 2. For dynamically loaded modules comment out or remove the LoadModule directive for mod_userdir module from the httpd.conf file. ##LoadModule userdir_module modules/mod_userdir.so Page 17 Rule Title: User specific directories must not be globally enabled. STIG ID: WA00525 W22 Rule ID: SV-33175r1_rule Vuln ID: V-26302 Severity: CAT II Class: Unclass Rule Title: User specific directories must not be globally enabled. STIG ID: WA00525 A22 Rule ID: SV-33221r1_rule Vuln ID: V-26302 Severity: CAT II Class: Unclass Apache's process ID (PID) file's Windows permissions should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The process ID (PID) file must be properly secured. STIG ID: WA00530 W22 Rule ID: SV-33177r1_rule Vuln ID: V-26305 Severity: CAT II Class: Unclass Apache's Scoreboard file's Windows permissions should be configured appropriately. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL Rule Title: The ScoreBoard file must be properly secured. STIG ID: WA00535 W22 Rule ID: SV-33178r1_rule Vuln ID: V-26322 Severity: CAT II Class: Unclass The Order directive for the OS root should be configured appropriately. (1) Allow,Deny / Deny,Allow / Mutual-failure (1) Order directive 1.4.1 Deny Access to OS Root Directory (Level 1, Scorable) Ensure there is a single Order directive and set the value to deny, allow Page 27 Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 W22 Rule ID: SV-33180r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 A22 Rule ID: SV-33226r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass The Allow Directive for the OS root should be configured appropriately (1) all | hostname/IP address/environment variable (1) Allow directive 1.4.1 Deny Access to OS Root Directory (Level 1, Scorable) Remove any Allow directives from the root <Directory> element. allow Page 27 1.7 Restricting Access p14-15 Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 W22 Rule ID: SV-33180r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 A22 Rule ID: SV-33226r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass The Deny Directive for the OS root should be configured appropriately (1) all | hostname/IP address/environment variable (1) Deny directive 1.4.1 Deny Access to OS Root Directory (Level 1, Scorable) Ensure there is a Deny directive, and set the value to from all. allow Page 27 1.7 Restricting Access p14-15 Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 W22 Rule ID: SV-33180r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 A22 Rule ID: SV-33226r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass The Apache "ExecCGI" setting for all "Options" directives for the OS root should be configured appropriately. (1) ExecCGI / -ExecCGI/ +ExecCGI / None (1) Apache configuration file: Options directive (in OS root Directory directive) 1.5.1 Restrict Options for the OS Root Directory (Level 1, Scorable) Set the value for Options to None. Page 33 Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 W22 Rule ID: SV-33182r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "FollowSymLinks" setting for all "Options" directives for the OS root should be configured appropriately. (1) FollowSymLinks / -FollowSymLinks / +FollowSymLinks / None (1) Apache configuration file: Options directive (in OS root Directory directive) 1.5.1 Restrict Options for the OS Root Directory (Level 1, Scorable) Set the value for Options to None. Page 33 Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 W22 Rule ID: SV-33182r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "Includes" setting for all "Options" directives for the OS root should be configured appropriately. (1) Includes / -Includes / +Includes / None (1) Apache configuration file: Options directive (in OS root Directory directive) 1.5.1 Restrict Options for the OS Root Directory (Level 1, Scorable) Set the value for Options to None. Page 33 Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 W22 Rule ID: SV-33182r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "IncludesNoExec" setting for all "Options" directives for the OS root should be configured appropriately. (1) IncludesNoExec / -IncludesNoExec / +IncludesNoExec / None (1) Apache configuration file: Options directive (in OS root Directory directive) 1.5.1 Restrict Options for the OS Root Directory (Level 1, Scorable) Set the value for Options to None. Page 33 Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 W22 Rule ID: SV-33182r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "Indexes" setting for all "Options" directives for the OS root should be configured appropriately. (1) Indexes / -Indexes / +Indexes / None (1) Apache configuration file: Options directive (in OS root Directory directive) 1.5.1 Restrict Options for the OS Root Directory (Level 1, Scorable) Set the value for Options to None. Page 33 Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 W22 Rule ID: SV-33182r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "MultiViews" setting for all "Options" directives for the OS root should be configured appropriately. (1) MultiViews / -MultiViews / +MultiViews / None (1) Apache configuration file: Options directive (in OS root Directory directive) 1.5.1 Restrict Options for the OS Root Directory (Level 1, Scorable) Set the value for Options to None. Page 33 Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 W22 Rule ID: SV-33182r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "SymLinksIfOwnerMatch" setting for all "Options" directives for the OS root should be configured appropriately. (1) SymLinksIfOwnerMatch / -SymLinksIfOwnerMatch / +SymLinksIfOwnerMatch / None (1) Apache configuration file: Options directive (in OS root Directory directive) 1.5.1 Restrict Options for the OS Root Directory (Level 1, Scorable) Set the value for Options to None. Page 33 Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 W22 Rule ID: SV-33182r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass The Apache "TraceEnable" directive should be configured appropriatley. (1) on / off / extended (1) Apache configuration file: TraceEnable directive 1.5.8 Disable HTTP TRACE Method (Level 1, Scorable) Add a TraceEnable directive to the server level configuration with a value of off. Server level configuration is the top level configuration, not nested within any other directives like <Directory> or <Location>. TraceEnable off Page 42-43 Rule Title: The TRACE method must be disabled. STIG ID: WA00550 W22 Rule ID: SV-33183r1_rule Vuln ID: V-26325 Severity: CAT II Class: Unclass Rule Title: The TRACE method must be disabled. STIG ID: WA00550 A22 Rule ID: SV-33227r1_rule Vuln ID: V-26325 Severity: CAT II Class: Unclass Apache's listening IP address should be configured appropriately. (1) IP-address (1) Apache configuration file: Listen directive 1.9.3 Restrict Listen Directive (Level 2, Scorable) The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen for requests. Rather than be unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended should be explicitly specified. Specifically a Listen directive with no IP address specified, or with an IP address of zeros should not be used. Page 74 Rule Title: The web server must be configured to listen on a specific IP address and port. STIG ID: WA00555 W22 Rule ID: SV-33184r1_rule Vuln ID: V-26326 Severity: CAT II Class: Unclass Rule Title: The web server must be configured to listen on a specific IP address and port. STIG ID: WA00555 A22 Rule ID: SV-33228r1_rule Vuln ID: V-26326 Severity: CAT II Class: Unclass Apache's listening port should be configured appropriately. (1) port number (1) Apache configuration file: Listen directive 1.9.3 Restrict Listen Directive (Level 2, Scorable) The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen for requests. Rather than be unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended should be explicitly specified. Specifically a Listen directive with no IP address specified, or with an IP address of zeros should not be used. Page 74 Rule Title: The web server must be configured to listen on a specific IP address and port. STIG ID: WA00555 W22 Rule ID: SV-33184r1_rule Vuln ID: V-26326 Severity: CAT II Class: Unclass Rule Title: The web server must be configured to listen on a specific IP address and port. STIG ID: WA00555 A22 Rule ID: SV-33228r1_rule Vuln ID: V-26326 Severity: CAT II Class: Unclass The ScriptAlias for the specified directory should be configured appropriately. (1) url-path (2) TARGET: directory path (1) Apache configuration file: ScriptAlias directive Rule Title: The URL-path name must be set to the file path name or the directory path name. STIG ID: WA00560 W22 Rule ID: SV-33185r1_rule Vuln ID: V-26327 Severity: CAT II Class: Unclass Rule Title: The URL-path name must be set to the file path name or the directory path name. STIG ID: WA00560 A22 Rule ID: SV-33229r1_rule Vuln ID: V-26327 Severity: CAT II Class: Unclass Automatic directory indexing should be enabled or disabled as appropriate. (1) autoindex_module (1) Apache configuration file: LoadModule directive 1.2.5 Disable Autoindex module (Level 1, Scorable) For source builds with static modules run the Apache ./configure script with the --disable-autoindex configure script options. $ cd $DOWNLOAD/httpd-2.2.22 $ ./configure –disable-autoindex b) For dynamically loaded modules comment out or remove the LoadModule directive for mod_autoindex module the from the httpd.conf file. ## LoadModule autoindex_module modules/mod_autoindex.so Page 14-15 Rule Title: Automatic directory indexing must be disabled. STIG ID: WA00515 W22 Rule ID: SV-33225r1_rule Vuln ID: V-26368 Severity: CAT II Class: Unclass Rule Title: Automatic directory indexing must be disabled. STIG ID: WA00515 A22 Rule ID: SV-33219r1_rule Vuln ID: V-26368 Severity: CAT II Class: Unclass The Apache AllowOverride Directive should be configured appropriately for operating system root directories. (1) AuthConfig / FileInfo / Indexes / Limit / Options / All / None (1) Apache configuration file: AllowOverride directive 1.4.3 Restrict OverRide for the OS Root Directory (Level 1, Scorable) Set the value for AllowOverride to None. Page 30-31 1.8 Directory Functionality Control with the Options Directive p17 Rule Title: The ability to override the access configuration for the OS root directory must be disabled. STIG ID: WA00547 W22 Rule ID: SV-33237r1_rule Vuln ID: V-26393 Severity: CAT II Class: Unclass Rule Title: The ability to override the access configuration for the OS root directory must be disabled. STIG ID: WA00547 A22 Rule ID: SV-33232r1_rule Vuln ID: V-26393 Severity: CAT II Class: Unclass Permitted HTTP request methods should be configured appropriately. (1) methods (2) access control directives (1) Apache configuration file: LimitExecpt directive 1.5.7 Limit HTTP Request Methods (Level 1, Scorable) For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods. Page 40-41 Rule Title: HTTP request methods must be limited. STIG ID: WA00565 W22 Rule ID: SV-33238r1_rule Vuln ID: V-26396 Severity: CAT II Class: Unclass Rule Title: HTTP request methods must be limited. STIG ID: WA00565 A22 Rule ID: SV-33236r1_rule Vuln ID: V-26396 Severity: CAT II Class: Unclass Anonymous sharing of Apache's web content directories with nfs should be configured appropriately. (1) Set of shares (1) via /etc/exports Rule Title: Web content directories must not be anonymously shared. STIG ID: WG210 A22 Rule ID: SV-33022r1_rule Vuln ID: V-2226 Severity: CAT II Class: Unclass AC-3(4).1 CM-6.1 (ii) CM-7.1 (ii) CCI-001362 CCI-001588 CCI-000381 Anonymous sharing of Apache's web content directories with smb should be configured appropriately. (1) Set of shares (1) via /etc/samba/smb.conf Rule Title: Web content directories must not be anonymously shared. STIG ID: WG210 A22 Rule ID: SV-33022r1_rule Vuln ID: V-2226 Severity: CAT II Class: Unclass File permissions for httpd.conf should be set correctly. (1) permissions (1) via chmod 1.19 Updating Ownership and Permissions p34 Rule Title: Web administration tools must be restricted to the web manager and the web manager’s designees. STIG ID: WG220 A22 Rule ID: SV-32948r1_rule Vuln ID: V-2248 Severity: CAT II Class: Unclass The httpd.conf file should be owned by the appropriate user. (1) user (1) via chown 1.19 Updating Ownership and Permissions p34 Rule Title: Web administration tools must be restricted to the web manager and the web manager’s designees. STIG ID: WG220 A22 Rule ID: SV-32948r1_rule Vuln ID: V-2248 Severity: CAT II Class: Unclass The httpd.conf file should be owned by the appropriate group. (1) group (1) via chown 1.19 Updating Ownership and Permissions p34 Rule Title: Web administration tools must be restricted to the web manager and the web manager’s designees. STIG ID: WG220 A22 Rule ID: SV-32948r1_rule Vuln ID: V-2248 Severity: CAT II Class: Unclass The file permissions for all files specified by CustomLog directives should be configured appropriately (1) permissions (1) via chmod Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 A22 Rule ID: SV-33033r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass All files specified by CustomLog directives should be owned by the appropriate user (1) user (1) via chown Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 A22 Rule ID: SV-33033r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass All files specified by CustomLog directives should be owned by the appropriate group (1) group (1) via chown Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 A22 Rule ID: SV-33033r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass The Unix permissions for all files specified by ErrorLog directives should be configured appropriately (1) permissions (1) via chmod Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 A22 Rule ID: SV-33033r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass All files specified by ErrorLog directives should be owned by the appropriate user (1) user (1) via chown Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 A22 Rule ID: SV-33033r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass All files specified by ErrorLog directives should be owned by the appropriate group (1) group (1) via chown Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 A22 Rule ID: SV-33033r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass The Unix permissions of Apache's htpasswd file should be configured appropriately. (1) permissions (1) via chmod 1.19 Updating Ownership and Permissions p34 Rule Title: The web server’s htpasswd files (if present) must reflect proper ownership and permissions. STIG ID: WG270 A22 Rule ID: SV-36478r1_rule Vuln ID: V-2255 Severity: CAT II Class: Unclass The htpasswd should be owned by the appropriate user. (1) user (1) via chown 1.19 Updating Ownership and Permissions p34 Rule Title: The web server’s htpasswd files (if present) must reflect proper ownership and permissions. STIG ID: WG270 A22 Rule ID: SV-36478r1_rule Vuln ID: V-2255 Severity: CAT II Class: Unclass The htpasswd file should be owned by the appropriate group. (1) group (1) via chown 1.19 Updating Ownership and Permissions p34 Rule Title: The web server’s htpasswd files (if present) must reflect proper ownership and permissions. STIG ID: WG270 A22 Rule ID: SV-36478r1_rule Vuln ID: V-2255 Severity: CAT II Class: Unclass The Unix permissions for all directories specified by ScriptAlias directives should be configured appropriately. (1) permissions (1) via chmod 1.3.5 Apache Directory and File Permissions (Level 1, Scorable) The permission on the Apache directories should be rwxr-xr-x (755) and the file permissions should be similar except not executable if executable is not appropriate. Page 22-23 Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by ScriptAlias directives should be owned by the appropriate user. (1) user (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by ScriptAlias directives should be owned by the appropriate group. (1) group (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Unix permissions for all directories specified by ScriptAliasMatch directives should be configured appropriately. (1) permissions (1) via chmod 1.3.5 Apache Directory and File Permissions (Level 1, Scorable) The permission on the Apache directories should be rwxr-xr-x (755) and the file permissions should be similar except not executable if executable is not appropriate. Page 22-23 Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by ScriptAliasMatch directives should be owned by the appropriate user. (1) user (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by ScriptAliasMatch directives should be owned by the appropriate group. (1) group (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Unix permissions for all directories specified by DocumentRoot directives should be configured appropriately. (1) permissions (1) via chmod 1.3.5 Apache Directory and File Permissions (Level 1, Scorable) The permission on the Apache directories should be rwxr-xr-x (755) and the file permissions should be similar except not executable if executable is not appropriate. Page 22-23 Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by DocumentRoot directives should be owned by the appropriate user. (1) user (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by DocumentRoot directives should be owned by the appropriate group. (1) group (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Unix permissions for all directories specified by Alias directives should be configured appropriately. (1) permissions (1) via chmod 1.3.5 Apache Directory and File Permissions (Level 1, Scorable) The permission on the Apache directories should be rwxr-xr-x (755) and the file permissions should be similar except not executable if executable is not appropriate. Page 22-23 Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by Alias directives should be owned by the appropriate user. (1) user (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass All directories specified by Alias directives should be owned by the appropriate group. (1) group (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass The Unix permissions for all directories specified by ServerRoot directives should be configred appropriately (1) permissions (1) via chmod Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass All directories specified by ServerRoot directives should be owned by the appropriate user. (1) user (1) via chown Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass All directories specified by ServerRoot directives should be owned by the appropriate group. (1) group (1) via chown Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Unix permissions of Apache's configuration directory should be configred appropriately (1) permissions (1) via chmod 1.3.5 Apache Directory and File Permissions (Level 1, Scorable) The permission on the Apache directories should be rwxr-xr-x (755) and the file permissions should be similar except not executable if executable is not appropriate. Page 22-23 1.19 Updating Ownership and Permissions p34 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's configuration directory should be owned by the appropriate user. (1) user (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 1.19 Updating Ownership and Permissions p34 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's configuration directory should be owned by the appropriate group. (1) group (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 1.19 Updating Ownership and Permissions p34 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Unix permissions of Apache's /bin directory should be configred appropriately (1) permissions (1) via chmod 1.3.5 Apache Directory and File Permissions (Level 1, Scorable) Perform the following to set the permissions on the $APACHE_PREFIX directories, and then remove other read permissions on the bin directory and its contents: 23 | P a g e # chmod –R u=rwX,g=rX,o=rX $APACHE_PREFIX # chmod –R u=rwX,g=rX,o=X $APACHE_PREFIX/bin Page 22-23 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /bin directory should be owned by the appropriate user. (1) user (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /bin directory should be owned by the appropriate group. (1) group (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Unix permissions of Apache's /logs directory should be configred appropriately (1) permissions (1) via chmod 1.3.5 Apache Directory and File Permissions (Level 1, Scorable) The permission on the Apache directories should be rwxr-xr-x (755) and the file permissions should be similar except not executable if executable is not appropriate. Page 22-23 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /logs directory should be owned by the appropriate user. (1) user (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /logs directory should be owned by the appropriate group. (1) group (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Unix permissions of Apache's /htdocs directory should be configred appropriately (1) permissions (1) via chmod 1.3.5 Apache Directory and File Permissions (Level 1, Scorable) The permission on the Apache directories should be rwxr-xr-x (755) and the file permissions should be similar except not executable if executable is not appropriate. … exception in some cases may have a designated group with write access for the Apache web document root ($APACHE_PREFIX/htdocs) are likely to need a designated group to allow web content to be updated. Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /htdocs directory should be owned by the appropriate user. (1) user (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /htdocs directory should be owned by the appropriate group. (1) group (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) the Apache web document root ($APACHE_PREFIX/htdocs) are likely to need a designated group to allow web content to be updated (such as webupdate) through a change management process. Page 21 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Unix permissions of Apache's /cgi-bin directory should be configred appropriately (1) permissions (1) via chmod 1.3.5 Apache Directory and File Permissions (Level 1, Scorable) The permission on the Apache directories should be rwxr-xr-x (755) and the file permissions should be similar except not executable if executable is not appropriate. Page 22-23 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /cgi-bin directory should be owned by the appropriate user. (1) user (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass Apache's /cgi-bin directory should be owned by the appropriate group. (1) group (1) via chown 1.3.4 Apache Directory and File Ownership (Level 1, Scorable) The Apache directories and files should be owned by root with the root (or root equivalent) group. Page 21-22 Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass The Apache "StartServers" directive should be configured appropriately. (1) Number value (1) Apache configuration file: StartServers directive 1.13 Denial of Service Prevention Tuning p22 Rule Title: The httpd.conf StartServers directive must be set properly. STIG ID: WA000-WWA026 A22 Rule ID: SV-36645r1_rule Vuln ID: V-13727 Severity: CAT II Class: Unclass The Apache "MinSpareServers" directive should be configured appropriately. (1) Number value (1) Apache configuration file: MinSpareServers directive 1.13 Denial of Service Prevention Tuning p22 Rule Title: The httpd.conf MinSpareServers directive must be set properly. STIG ID: WA000-WWA028 A22 Rule ID: SV-36646r1_rule Vuln ID: V-13728 Severity: CAT II Class: Unclass The Apache "MaxSpareServers" directive should be configured appropriately. (1) Number value (1) Apache configuration file: MaxSpareServers directive 1.13 Denial of Service Prevention Tuning p22 Rule Title: The httpd.conf MaxSpareServers directive must be set properly. STIG ID: WA000-WWA030 A22 Rule ID: SV-36648r1_rule Vuln ID: V-13729 Severity: CAT III Class: Unclass The Apache "MaxClients" directive should be configured appropriately. (1) Number value (1) Apache configuration file: MaxClients directive 1.13 Denial of Service Prevention Tuning p22 Rule Title: The httpd.conf MaxClients directive must be set properly. STIG ID: WA000-WWA032 A22 Rule ID: SV-36649r1_rule Vuln ID: V-13730 Severity: CAT II Class: Unclass Apache's process ID (PID) file's Unix permissions should be configured appropriately. (1) permissions (1) via chmod 1.3.8 Pid File Security (Level 1, Scorable) Change the permissions so that the directory is only writable by root, or the user under which apache initially starts up (default is root), Page 25 Rule Title: The process ID (PID) file must be properly secured. STIG ID: WA00530 A22 Rule ID: SV-33222r1_rule Vuln ID: V-26305 Severity: CAT II Class: Unclass Apache's process ID (PID) file should be owned by the appropriate user. (1) user (1) via chown 1.3.8 Pid File Security (Level 1, Scorable) Change the ownership and group to be root:root, if not already. Page 25 Rule Title: The process ID (PID) file must be properly secured. STIG ID: WA00530 A22 Rule ID: SV-33222r1_rule Vuln ID: V-26305 Severity: CAT II Class: Unclass Apache's process ID (PID) file should be owned by the appropriate group. (1) group (1) via chown 1.3.8 Pid File Security (Level 1, Scorable) Change the ownership and group to be root:root, if not already. Page 25 Rule Title: The process ID (PID) file must be properly secured. STIG ID: WA00530 A22 Rule ID: SV-33222r1_rule Vuln ID: V-26305 Severity: CAT II Class: Unclass Apache's Scoreboard file's Unix permissions should be configured appropriately. (1) permissions (1) via chmod 1.3.9 ScoreBoard File Security (Level 1, Scorable) Change the permissions so that the directory is only writable by root, or the user under which apache initially starts up (default is root), Page 26 Rule Title: The ScoreBoard file must be properly secured. STIG ID: WA00535 A22 Rule ID: SV-33223r1_rule Vuln ID: V-26322 Severity: CAT II Class: Unclass Apache's scoreboard file should be owned by the appropriate user. (1) user (1) via chown 1.3.9 ScoreBoard File Security (Level 1, Scorable) Change the ownership and group to be root:root, if not already. Page 26 Rule Title: The ScoreBoard file must be properly secured. STIG ID: WA00535 A22 Rule ID: SV-33223r1_rule Vuln ID: V-26322 Severity: CAT II Class: Unclass Apache's scoreboard (PID) file should be owned by the appropriate group. (1) group (1) via chown 1.3.9 ScoreBoard File Security (Level 1, Scorable) Change the ownership and group to be root:root, if not already. Page 26 Rule Title: The ScoreBoard file must be properly secured. STIG ID: WA00535 A22 Rule ID: SV-33223r1_rule Vuln ID: V-26322 Severity: CAT II Class: Unclass The location of the Apache htpasswd file should be set correctly. (1) directory path (1) Directory of htpasswd file 1.5.10 Restrict Access to .ht* files (Level 1, Scorable) Also a common name for web password and group files is .htpasswd and .htgroup. Neither of these files should be placed in the document root Page 45 The Apache User directive should be set correctly. (1) user name (1) Apache configuration file: User directive 1.3.1 Run the Apache Web Server as a non-root user (Level 1, Scorable) Configure the Apache user and group in the Apache configuration file httpd.conf: User apache Page 19 1.6 Creating the Apache User and Group Accounts p14 The Apache Group directive should be set correctly. (1) group name (1) Apache configuration file: Group directive 1.3.1 Run the Apache Web Server as a non-root user (Level 1, Scorable) Configure the Apache user and group in the Apache configuration file httpd.conf: Group apache Page 19 1.6 Creating the Apache User and Group Accounts p14 The Apache ServerSignature directive should be set appropriately. (1) On/Off/EMail (1) Apache configuration file: ServerSignature directive 1.8.2 Limit Information in the Server Signature (Level 1, Scorable) Add or modify the ServerSignature directive as shown below to have the value of Off: ServerSignature Off Page 68-69 1.16 Software Information Leakage Protection p29 The Apache runtime rewriting engine should be enabled or disabled as appropriate. (1) off/on (1) Apache configuration file: RewriteEngine directive 1.5.9 Restrict HTTP Protocol Versions (Level 1, Scorable) Add the RewriteEngine directive to the configuration within the global server context with the value of on so that the rewrite engine is enabled. RewriteEngine On Page 43-44 1.11 Restrict HTTP Protocol Version p19 The Apache ErrorDocument directive should be set correctly for HTTP 400 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 400' directive 2.7 Additional Software Information Leakage Protection p50 The ApacheErrorDocument directive should be set correctly for HTTP 401 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 401' directive 2.7 Additional Software Information Leakage Protection p50 The ApacheErrorDocument directive should be set correctly for HTTP 403 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 403' directive 2.7 Additional Software Information Leakage Protection p50 The ApacheErrorDocument directive should be set correctly for HTTP 404 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 404' directive 2.7 Additional Software Information Leakage Protection p50 The ApacheErrorDocument directive should be set correctly for HTTP 405 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 405' directive 2.7 Additional Software Information Leakage Protection p50 The ApacheErrorDocument directive should be set correctly for HTTP 500 errors. (1) message/document (1) Apache configuration file: 'ErrorDocument 500' directive 2.7 Additional Software Information Leakage Protection p50 The Apache user account should be locked or unlocked as appropriate. (1) locked/unlocked (1) via /etc/passwd 1.3.3 Lock the Apache User Account (Level 1, Scorable) Use the passwd command to lock the apache account: # passwd -l apache Page 21 The Apache user account should be allowed root privileges as appropriate. (1) allowed/not allowed (1) via /etc/passwd 1.3.1 Run the Apache Web Server as a non-root user (Level 1, Scorable) Although Apache typically is started with root privileges in order to listen on port 80 and 443, it can and should run as another non-root user in order to perform the web services. Page 19 1.6 Creating the Apache User and Group Accounts p14 The group membership of the Apache user account should be set correctly. (1) group (1) via /etc/group 1.3.1 Run the Apache Web Server as a non-root user (Level 1, Scorable) Although Apache typically is started with root privileges in order to listen on port 80 and 443, it can and should run as another non-root user in order to perform the web services. Page 19 1.6 Creating the Apache User and Group Accounts p14 The ownership of the Apache /etc/httpd/conf/passwd file should be set correctly. (1) owner (1) via chown 1.19 Updating Ownership and Permissions p34 The group membership of the Apache /etc/httpd/conf/passwd file should be set correctly. (1) group (1) via chgrp 1.19 Updating Ownership and Permissions p34 The permissions for the Apache /etc/httpd/conf/passwd file should be set correctly. (1) permissions (1) via chown 1.19 Updating Ownership and Permissions p34 The ownership of the Apache /var/www/html file should be set correctly. (1) owner (1) via chown 1.19 Updating Ownership and Permissions p34 The group membership of the Apache /var/www/html file should be set correctly. (1) group (1) via chgrp 1.19 Updating Ownership and Permissions p34 The permissions for the Apache/var/www/html file should be set correctly. (1) permissions (1) via chown 1.19 Updating Ownership and Permissions p34 The ownership of log files in Apache /var/log/httpd/ should be set correctly. (1) owner (1) via chown 1.3.6 Core Dump Directory Security (Level 1, Scorable) must be owned by root and have a group ownership of the Apache group (as defined via the Group directive) # chown root:apache /var/log/httpd Page 23 1.19 Updating Ownership and Permissions p34 The group membership of any Apache files in /var/log/httpd/ should be set correctly. (1) group (1) via chgrp 1.3.6 Core Dump Directory Security (Level 1, Scorable) must be owned by root and have a group ownership of the Apache group (as defined via the Group directive) # chown root:apache /var/log/httpd Page 23 1.19 Updating Ownership and Permissions p34 The permissions of any Apache files in /var/log/httpd/ should be set correctly. (1) permissions (1) via chown 1.3.6 Core Dump Directory Security (Level 1, Scorable) must have no read-write-search access permission for other users. # chmod o-rwx /var/log/httpd Page 23 1.19 Updating Ownership and Permissions p34 The ownership of the Apache /etc/httpd/conf.d file should be set correctly. (1) owner (1) via chown 1.19 Updating Ownership and Permissions p34 The group membership of the Apache /etc/httpd/conf.d file should be set correctly. (1) group (1) via chgrp 1.19 Updating Ownership and Permissions p34 The permissions for the Apache /etc/httpd/conf.d file should be set correctly. (1) permissions (1) via chown 1.19 Updating Ownership and Permissions p34 The ownership of the Apache /usr/sbin/httpd file should be set correctly. (1) owner (1) via chown 1.19 Updating Ownership and Permissions p34 The group membership of the Apache /usr/sbin/httpd file should be set correctly. (1) group (1) via chgrp 1.19 Updating Ownership and Permissions p34 The permissions for the Apache /usr/sbin/httpd file should be set correctly. (1) permissions (1) via chown 1.19 Updating Ownership and Permissions p34 The ownership of the Apache /usr/sbin/apachectl file should be set correctly. (1) owner (1) via chown 1.19 Updating Ownership and Permissions p34 The group membership of the Apache /usr/sbin/apachectl file should be set correctly. (1) group (1) via chgrp 1.19 Updating Ownership and Permissions p34 The permissions for the Apache /usr/sbin/apachectl file should be set correctly. (1) permissions (1) via chown 1.19 Updating Ownership and Permissions p34 The "FollowSymLinks" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) FollowSymLinks / -FollowSymLinks / +FollowSymLinks / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) 1.5.2 Restrict Options for the Web Root Directory (Level 1, Scorable) Add or modify any existing Options directive to have a value of None or Multiviews, if multiviews are needed. Page 34 1.8 Directory Functionality Control with the Options Directive p16 The"Includes" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) Includes / -Includes / +Includes / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) 1.5.2 Restrict Options for the Web Root Directory (Level 1, Scorable) Add or modify any existing Options directive to have a value of None or Multiviews, if multiviews are needed. Page 34 1.8 Directory Functionality Control with the Options Directive p16 The "IncludesNOEXEC" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) IncludesNoExec / -IncludesNoExec / +IncludesNoExec / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) 1.5.2 Restrict Options for the Web Root Directory (Level 1, Scorable) Add or modify any existing Options directive to have a value of None or Multiviews, if multiviews are needed. Page 34 1.8 Directory Functionality Control with the Options Directive p16 The "Indexes" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) Indexes / -Indexes / +Indexes / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) 1.5.2 Restrict Options for the Web Root Directory (Level 1, Scorable) Add or modify any existing Options directive to have a value of None or Multiviews, if multiviews are needed. Page 34 1.8 Directory Functionality Control with the Options Directive p16 The"MultiViews" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) MultiViews / -MultiViews / +MultiViews / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) 1.5.2 Restrict Options for the Web Root Directory (Level 1, Scorable) Add or modify any existing Options directive to have a value of None or Multiviews, if multiviews are needed. Page 34 1.8 Directory Functionality Control with the Options Directive p17 The "ExecCGI" setting of the DocumentRoot should be enabled or disabled as appropriate. (1) ExecCGI / -ExecCGI/ +ExecCGI / None (1) Apache configuration file: Options directive (in DocumentRoot Directory directive) 1.5.2 Restrict Options for the Web Root Directory (Level 1, Scorable) Add or modify any existing Options directive to have a value of None or Multiviews, if multiviews are needed. Page 34 1.8 Directory Functionality Control with the Options Directive p16 The Order directive for all DocumentRoot directives should be configured appropriately. (1) Allow,Deny / Deny,Allow / Mutual-failure (1) Apache configuration file: Order directive (in DocumentRoot Directory directive) 1.5.7 Limit HTTP Request Methods (Level 1, Scorable) Search for the <Directory> directive on the document root directory … Ensure that the access control order within the <Directory> directive is allow, deny. Order allow,deny Page 41 1.7 Restricting Access p15 The Order directive for the specified Directory directive should be configured appropriately. (1) Allow,Deny / Deny,Allow / Mutual-failure (1) TARGET: Directory directive (2) Apache configuration file: Order directive 1.4.2 Allow Appropriate Access to Web Content (Level 1, Not Scorable) Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> and <Location> elements … Add a single Order directive and set the value to deny, allow. Page 28-29 1.7 Restricting Access p15 The Allow directive for the specified Directory directive should be configured appropriately. (1) all | hostname/IP address/environment variable (1) Allow directive 1.4.2 Allow Appropriate Access to Web Content (Level 1, Not Scorable) Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> and <Location> elements … Include the appropriate Allow and Deny directives, with values that are appropriate for the purposes of the directory. Page 28-29 1.7 Restricting Access p14-15 The Deny directive for the specified Directory directive should be configured appropriately. (1) all | hostname/IP address/environment variable (1) Deny directive 1.4.2 Allow Appropriate Access to Web Content (Level 1, Not Scorable) Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> and <Location> elements … Include the appropriate Allow and Deny directives, with values that are appropriate for the purposes of the directory. Page 28-29 1.7 Restricting Access p14-15 testcgi should be installed as appropriate. (1) exist/not exist (1) cgi-script directory 1.5.6 Remove Default CGI Content test-cgi (Level 1, Scorable) Remove the test-cgi default CGI in cgi-bin directory if it is installed. # rm $APACHE_PREFIX/cgi-bin/test-cgi Page 39-40 1.18 Remove Default Content p33 The "Allow basic authentication" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType AllowBasicAuthentication |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Allow simple passwords" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType AllowSimplePasswords |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Allow unmanaged devices" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType AllowUnmanagedDevices |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Configure dial plan security" setting should be configured correctly. Unsecured, SIPSecured, Secured (1) Powershell: Get-ExchangeConfiguration -configType DialPlanSecure |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Configure login authentication for IMAP4" setting should be configured correctly. PlainTextLogin, PlainTextAuthentication, SecureLogin (1) Powershell: Get-ExchangeConfiguration -configType IMAP4LoginType |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Configure login authentication for POP3" setting should be configured correctly. PlainTextLogin, PlainTextAuthentication, SecureLogin (1) Powershell: Get-ExchangeConfiguration -configType POP3LoginType |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Configure Protocol logging" setting should be configured correctly. Verbose, None (1) Powershell: Get-ExchangeConfiguration -configType ProtocolLogging |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Configure Sender Filtering" setting should be configured correctly. StampStatus, Reject (1) Powershell: Get-ExchangeConfiguration -configType SenderFiltering |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Do not permamently delete items until the database has been backed up" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType RetainDeletedItemsUntilBackup |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable automatic forwards to remote domains" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType AutomaticForwardsRemoteDomains |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable automatic replies to remote domains" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType AutomaticRepliesRemoteDomains |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable non-delivery reports to remote domains" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType NonDeliveryReportsRemoteDomains |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable OOF messages to remote domains" setting should be configured correctly. External, ExternalLegacy, None, and InternalLegacy (1) Powershell: Get-ExchangeConfiguration -configType OofMessagesRemoteDomains |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable S/MIME for OWA 2007" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType SMimeEnabled2007 |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable Sender ID agent" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType SenderID |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable Sender Reputation" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType SenderReputation |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enforce Password History" setting should be configured correctly. 0 - 50 passwords (1) Powershell: Get-ExchangeConfiguration -configType EnforcePasswordHistory |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "External send connector authentication: DNS Routing" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType ExternalSendConnectorAuthDNSRoutingEnabled |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "External send connector authentication: Domain Security" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType ExternalSendConnectorAuthDomainSecureEnabled |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "External send connector authentication: Ignore Start TLS" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType ExternalSendConnectorAuthIgnoreSTARTTLS |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Keep deleted mailboxes for the specified number of days" setting should be configured correctly. 0 - 24855 Days (1) Powershell: Get-ExchangeConfiguration -configType KeepDeletedMailboxes |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Mailbox quotas: Issue warning at" setting should be configured correctly. 0 - 2147483647 KB (1) Powershell: Get-ExchangeConfiguration -configType MailboxApproachingStorageLimitWarning |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Mailbox quotas: Prohibit send and receive at" setting should be configured correctly. 0 - 2147483647 KB (1) Powershell: Get-ExchangeConfiguration -configType ProhibitSendReceiveQuota |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Mailbox quotas: Prohibit send at" setting should be configured correctly. 0 - 2147483647 KB (1) Powershell: Get-ExchangeConfiguration -configType ProhibitSendQuota |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Maximum number of recipients - organization level" setting should be configured correctly. 0 - 2147483647 recipients (1) Powershell: Get-ExchangeConfiguration -configType MaximumNumberRecipients |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Maximum receive size - connector level" setting should be configured correctly. 64 - 2147483647 KB (1) Powershell: Get-ExchangeConfiguration -configType MaximumReceiveSizeConnector |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Maximum receive size - organization level" setting should be configured correctly. 0 - 2097151 KB (1) Powershell: Get-ExchangeConfiguration -configType MaximumReceiveSizeOrganization |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Maximum send size - connector level" setting should be configured correctly. 64 - 2147483647 KB (1) Powershell: Get-ExchangeConfiguration -configType MaximumSendSizeConnector |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Maximum send size - organization level" setting should be configured correctly. 0 - 2097151 KB (1) Powershell: Get-ExchangeConfiguration -configType MaximumSendSizeOrganization |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Message tracking logging - Mailbox" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType MessageTrackingLoggingMailbox |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Message tracking logging - Transport" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType MessageTrackingLoggingTransport |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Active Directory Topology" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Active Directory Topology (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeADTopology\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange ADAM" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange ADAM (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADAM_MSExchange\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Anti-spam Update" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Anti-spam Update (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeAntispamUpdate\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Credential Service (Exchange 2007)" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Credential Service (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EdgeCredentialSvc\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange EdgeSync Service" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange EdgeSync Service (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeEdgeSync\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange File Distribution" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange File Distribution (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeFDS\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange IMAP4" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange IMAP4 (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIMAP4\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Information Store" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Information Store (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Mail Submission Service" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Mail Submission Service (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeMailSubmission\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Mailbox Assistants" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Mailbox Assistants (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeMailboxAssistants\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Monitoring" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Monitoring (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeMonitoring\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange POP3" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange POP3 (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangePOP3\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Replication Service" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Replication Service (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeRepl\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Search Indexer" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Search Indexer (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSearch\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Server Extension for Windows Server Backup" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Server Extension for Windows Server Backup (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wsbexchange\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Service Host" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Service Host (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeServiceHost\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Speech Engine Service" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Speech Engine Service (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSSpeechService\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange System Attendant" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange System Attendant (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Transport" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Transport (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeTransport\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Transport Log Search" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Transport Log Search (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeTransportLogSearch\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Unified Messaging" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Unified Messaging (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeUM\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Search (Exchange)" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Search (Exchange) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msftesql-Exchange\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Minimum password length" setting should be configured correctly. 1 - 16 (1) Powershell: Get-ExchangeConfiguration -configType MinimumPasswordLength |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Mount database at startup" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType MountDatabaseAtStartup |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Number of attempts allowed" setting should be configured correctly. 4 - 16 Attempts (1) Powershell: Get-ExchangeConfiguration -configType NumberAttemptsAllowed |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Password Expiration" setting should be configured correctly. 1:00:00:00 - 730:00:00:00 Days (1) Powershell: Get-ExchangeConfiguration -configType PasswordExpiration |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Refresh interval" setting should be configured correctly. 0 - 596523 Hours (1) Powershell: Get-ExchangeConfiguration -configType RefreshInterval |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Require alphanumeric password" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType RequireAlphanumericPassword |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Require Client Certificates" setting should be configured correctly. Ignore, Accepted, or Required (1) Powershell: Get-ExchangeConfiguration -configType RequireClientCertificates |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Require encryption on device" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType RequireEncryptionOnDevice |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Require password" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType RequirePassword |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Retain deleted items for the specified number of days" setting should be configured correctly. 0 - 30 Days (1) Powershell: Get-ExchangeConfiguration -configType DeletedItemRetention |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Time without user input before password must be re-entered" setting should be configured correctly. 1 - 60 Minutes (1) Powershell: Get-ExchangeConfiguration -configType MaxInactivityTimeDeviceLock |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Turn on Connectivity logging" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType ConnectivityLogging |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Turn on script execution" setting should be configured correctly. Restricted/ AllSigned/ RemoteSigned/ Unrestricted (1) Powershell: Get-ExchangeConfiguration -configType ExecutionPolicy |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2007 SP3 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Allow access to voicemail without requiring a PIN" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType PinlessAccessToVoicemail |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Allow basic authentication" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType AllowBasicAuthentication |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Allow simple passwords" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType AllowSimplePasswords |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Allow unmanaged devices" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType AllowUnmanagedDevices |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Configure dial plan security" setting should be configured correctly. Unsecured, SIPSecured, Secured (1) Powershell: Get-ExchangeConfiguration -configType DialPlanSecure |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Configure login authentication for IMAP4" setting should be configured correctly. PlainTextLogin, PlainTextAuthentication, SecureLogin (1) Powershell: Get-ExchangeConfiguration -configType IMAP4LoginType |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Configure login authentication for POP3" setting should be configured correctly. PlainTextLogin, PlainTextAuthentication, SecureLogin (1) Powershell: Get-ExchangeConfiguration -configType POP3LoginType |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Configure Protocol logging" setting should be configured correctly. Verbose, None (1) Powershell: Get-ExchangeConfiguration -configType ProtocolLogging |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Configure Sender Filtering" setting should be configured correctly. StampStatus, Reject (1) Powershell: Get-ExchangeConfiguration -configType SenderFiltering |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Configure startup mode" setting should be configured correctly. TCP, Dual, TLS (1) Powershell: Get-ExchangeConfiguration -configType UMStartupMode |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Do not permamently delete items until the database has been backed up" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType RetainDeletedItemsUntilBackup |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable automatic forwards to remote domains" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType AutomaticForwardsRemoteDomains |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable automatic replies to remote domains" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType AutomaticRepliesRemoteDomains |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable non-delivery reports to remote domains" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType NonDeliveryReportsRemoteDomains |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable OOF messages to remote domains" setting should be configured correctly. External, ExternalLegacy, None, and InternalLegacy (1) Powershell: Get-ExchangeConfiguration -configType OofMessagesRemoteDomains |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable S/MIME for OWA 2010" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType SMimeEnabled2010 |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable Sender ID agent" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType SenderID |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enable Sender Reputation" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType SenderReputation |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Enforce Password History" setting should be configured correctly. 0-50 passwords (1) Powershell: Get-ExchangeConfiguration -configType EnforcePasswordHistory |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "External send connector authentication: DNS Routing" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType ExternalSendConnectorAuthDNSRoutingEnabled |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "External send connector authentication: Domain Security" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType ExternalSendConnectorAuthDomainSecureEnabled |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "External send connector authentication: Ignore Start TLS" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType ExternalSendConnectorAuthIgnoreSTARTTLS |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Keep deleted mailboxes for the specified number of days" setting should be configured correctly. 0 - 24855 days (1) Powershell: Get-ExchangeConfiguration -configType KeepDeletedMailboxes |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Mailbox quotas: Issue warning at" setting should be configured correctly. 0 - 2147483647 KB (1) Powershell: Get-ExchangeConfiguration -configType MailboxApproachingStorageLimitWarning |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Mailbox quotas: Prohibit send and receive at" setting should be configured correctly. 0 - 2147483647 KB (1) Powershell: Get-ExchangeConfiguration -configType ProhibitSendReceiveQuota |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Mailbox quotas: Prohibit send at" setting should be configured correctly. 0 - 2147483647 KB (1) Powershell: Get-ExchangeConfiguration -configType ProhibitSendQuota |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Maximum number of recipients - organization level" setting should be configured correctly. 0 - 2147483647 recipients (1) Powershell: Get-ExchangeConfiguration -configType MaximumNumberRecipients |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Maximum receive size - connector level" setting should be configured correctly. 64 - 2147483647 KB (1) Powershell: Get-ExchangeConfiguration -configType MaximumReceiveSizeConnector |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Maximum receive size - organization level" setting should be configured correctly. 0 - 2097151 KB (1) Powershell: Get-ExchangeConfiguration -configType MaximumReceiveSizeOrganization |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Maximum send size - connector level" setting should be configured correctly. 64 - 2147483647 KB (1) Powershell: Get-ExchangeConfiguration -configType MaximumSendSizeConnector |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Maximum send size - organization level" setting should be configured correctly. 0 - 2097151 KB (1) Powershell: Get-ExchangeConfiguration -configType MaximumSendSizeOrganization |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Message tracking logging - Mailbox" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType MessageTrackingLoggingMailbox |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Message tracking logging - Transport" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType MessageTrackingLoggingTransport |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Active Directory Topology" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Active Directory Topology (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeADTopology\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange ADAM" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange ADAM (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADAM_MSExchange\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Address Book" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Address Book (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeAB\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Anti-spam Update" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Anti-spam Update (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeAntispamUpdate\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Credential Service (Exchange 2010)" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Credential Service (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeEdgeCredential\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange EdgeSync Service" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange EdgeSync Service (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeEdgeSync\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange File Distribution" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange File Distribution (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeFDS\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Forms-Based Authentication service" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Forms-Based Authentication service (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeFBA\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange IMAP4" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange IMAP4 (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIMAP4\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Information Store" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Information Store (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Mail Submission Service" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Mail Submission Service (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeMailSubmission\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Mailbox Assistants" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Mailbox Assistants (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeMailboxAssistants\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Mailbox Replication" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Mailbox Replication (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeMailboxReplication\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Monitoring" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Monitoring (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeMonitoring\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange POP3" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange POP3 (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangePOP3\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Protected Service Host" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Protected Service Host (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeProtectedServiceHost\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Replication Service" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Replication Service (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeRepl\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange RPC Client Access" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange RPC Client Access (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeRPC\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Search Indexer" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Search Indexer (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSearch\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Server Extension for Windows Server Backup" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Server Extension for Windows Server Backup (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wsbexchange\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Service Host" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Service Host (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeServiceHost\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Speech Engine Service" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Speech Engine Service (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSSpeechService\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange System Attendant" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange System Attendant (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Throttling" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Throttling (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeThrottling\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Transport" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Transport (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeTransport\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Transport Log Search" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Transport Log Search (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeTransportLogSearch\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Exchange Unified Messaging" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Exchange Unified Messaging (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeUM\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The machine setting for the startup type of the "Microsoft Search (Exchange)" service should be configured correctly. Automatic = 2, Manual=3, Disabled=4 (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Search (Exchange) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msftesql-Exchange\Start Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Minimum password length" setting should be configured correctly. 1 to 16 characters (1) Powershell: Get-ExchangeConfiguration -configType MinimumPasswordLength |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Mount database at startup" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType MountDatabaseAtStartup |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Number of attempts allowed" setting should be configured correctly. 4 - 16 Attempts (1) Powershell: Get-ExchangeConfiguration -configType NumberAttemptsAllowed |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Password Expiration" setting should be configured correctly. 1:00:00:00 - 730:00:00:00 Days (1) Powershell: Get-ExchangeConfiguration -configType PasswordExpiration |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Refresh interval" setting should be configured correctly. 0 - 596523 Hours (1) Powershell: Get-ExchangeConfiguration -configType RefreshInterval |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Require alphanumeric password" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType RequireAlphanumericPassword |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Require Client Certificates" setting should be configured correctly. Ignore, Accepted, or Required (1) Powershell: Get-ExchangeConfiguration -configType RequireClientCertificates |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Require client MAPI encryption" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType RequireClientMAPIEncryption |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Require encryption on device" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType RequireEncryptionOnDevice |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Require password" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType RequirePassword |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Retain deleted items for the specified number of days" setting should be configured correctly. 0 - 30 Days (1) Powershell: Get-ExchangeConfiguration -configType DeletedItemRetention |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Time without user input before password must be re-entered" setting should be configured correctly. 1 - 60 Minutes (1) Powershell: Get-ExchangeConfiguration -configType MaxInactivityTimeDeviceLock |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Turn on Administrator Audit Logging" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType AdministratorAuditLogging |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Turn on Connectivity logging" setting should be configured correctly. True/False (1) Powershell: Get-ExchangeConfiguration -configType ConnectivityLogging |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID The "Turn on script execution" setting should be configured correctly. Restricted/ AllSigned/ RemoteSigned/ Unrestricted (1) Powershell: Get-ExchangeConfiguration -configType ExecutionPolicy |Select-Object -Property SettingData Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Exchange Server 2010 SP2 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID /export/home should be configured on an appropriate filesystem logical volume logical volume via fstab 10.8.10.4.2.1 (5) /var should be configured on an appropriate filesystem logical volume logical volume via fstab 10.8.10.4.2.1 (5) /opt should be configured on an appropriate filesystem logical volume logical volume via fstab 10.8.10.4.2.1 (5) The shell for the root account should be located on the appropriate filesystem filesystem via /etc/passwd 10.8.10.4.2.1 (6) Core dump size limits should be set appropriately Size (0 to disable core dumps) via /etc/security/limits via ulimit 10.8.10.4.4 (3) The read-only SNMP community string should be set appropriately. string via /etc/snmp.conf 10.8.10.5.1 (1) c) The read/write SNMP community string should be set appropriately. string via /etc/snmp.conf 10.8.10.5.1 (1) c) Password policy should ban or allow usernames or UIDs in passwords as appropriate ban/allow 10.8.10.5.1 a) Password policy should ban or allow words found in a dictionary as appropriate. ban/allow via /etc/security/user 10.8.10.5.1 (2) a) Password policy should enforce the correct amount of special characters number of special characters via /etc/security/user 10.8.10.5.1 (2) a) Password policy should enforce or not enforce the requirement to have mixed case passwords as appropriate. enforce/not enforce via /etc/security/user 10.8.10.5.1 (2) a) The minimum password age should be set as appropriate number of days via /etc/security/user 10.8.10.5.1 (2) b) The minimum required password length should be set as appropriate number of characters via /etc/security/user 10.8.10.5.1 (2) c) Password history should be saved for an appropriate number of password changes number of password changes via /etc/security/user 10.8.10.5.1 (2) d) The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate number of consecutive failed login attempts via /etc/security/user 10.8.10.5.1 (2) e) Login access to accounts without passwords should be enabled or disabled as appropriate enabled/disabled via passwd via /etc/shadow 10.8.10.5.1 (2) f) New users should be required or not required to change their password on first login as appropriate required/not required via /etc/security/passwd 10.8.10.5.1 (2) g) Access to single-user mode (maintainence mode) should require the root password or not as appropriate required/not required 10.8.10.5.1 (3) The delay between failed logins should be set as appropriate number of seconds 10.8.10.5.1 (5) All files should be owned by an existing account or not as appropriate. existing account required / existing account not required via chown 10.8.10.5.2 (3) All files should be owned by an existing group or not as appropriate. existing group required / existing group not required via chgrp via chown 10.8.10.5.2 (3) The console login banner should be set appropriately. banner text or null via /etc/security/login.cfg via /etc/motd 10.8.10.5.2 (5) a) The SSH login banner should be set appropriately. banner text or null via sshd.conf 10.8.10.5.2 (5) b) The telnet login banner should be set appropriately. banner text or null via telnetd 10.8.10.5.2 (5) c) The ftp login banner should be set appropriately. banner text or null 10.8.10.5.2 (5) d) The graphical login banner should be set appropriately. banner text or null via Xwindows 10.8.10.5.2 (5) e) Accounts other than root should be allowed to have the UID 0 or not as appropriate allowed/not allowed via passwd via /etc/passwd 10.8.10.5.2.1 (2) a) Accounts other than root and locked system accounts should be allowed to have a GID of 0 or not as appropriate allowed/not allowed via passwd via /etc/passwd 10.8.10.5.2.1 (2) b) Each account should be assigned a unique UID or not as appropriate unique/not unique via /etc/passwd 10.8.10.5.2.4 (3) The ftp account should exist or not as appropriate exist/not exist via /etc/passwd 10.8.10.5.2.4 (9) Login accounts should include an appropriate GECOS identifier or no GECOS identifier GECOS value, null via /etc/passwd 10.8.10.5.2.4.1 (1) The screen lock should activate after an appropriate period of inactivity number of minutes via Xscreensaver via dtsession 10.8.10.5.2.5 (1) File permissions should be set appropriately for all shell executables. permissions via chmod 10.8.10.5.2.6 (1) Remote (serial) consoles should be enabled or disabled as appropriate. enabled/disabled via inittab 10.8.10.5.2.6 (3) Root logins should be restricted to the console or not as appropriate. restricted/not restricted 10.8.10.5.2.6 (4) .netrc files should exist or not as appropriate for all users. exist/not exist via filesystem 10.8.10.5.2.6 (6) .rhosts files should exist or not as appropriate for all users. exist/not exist via filesystem 10.8.10.5.2.6 (6) .shosts files should exist or not as appropriate for all users. exist/not exist via filesystem 10.8.10.5.2.6 (6) The /etc/hosts.equiv file should exist or not as appropriate. exist/not exist via filesystem 10.8.10.5.2.6 (6) The /etc/shells file should exist or not as appropriate exist/not exist via /etc/shells 10.8.10.5.2.6 (11) Shells referenced in /etc/passwd should be included in /etc/shells or not as appropriate included/not included via /etc/shells 10.8.10.5.2.6 (12) The use of NIS special characters (+ or -) in the first field of the /etc/passwd file should be allowed or disallowed as appropriate. allowed/not allowed via Text editor 10.8.10.5.2.6 (7) The use of NIS special characters (+ or -) in the first field of the /etc/shadow file should be allowed or disallowed as appropriate. allowed/not allowed via Text editor 10.8.10.5.2.6 (7) The use of NIS special characters (+ or -) in the first field of the /etc/group file should be allowed or disallowed as appropriate. allowed/not allowed via Text editor 10.8.10.5.2.6 (7) Groups referenced in /etc/passwd should be included in /etc/group or not as appropriate. included/not included via /etc/group 10.8.10.5.2.6 (15) The home directory for the root account should be set appropriately. path via /etc/passwd 10.8.10.5.2.6 (16) The home directory for each user account should be set appropriately. path via /etc/passwd via /usr/sbin/useradd via /etc/default/useradd 10.8.10.5.2.6 (17) Home directories referenced in /etc/passwd should exist or not as appropriate exist/not exist via filesystem 10.8.10.5.2.6 (18) All device files should be located inside an appropriate path path via filesystem 10.8.10.5.2.6 (24) The ntpd service should be enabled or disabled as appropriate. enabled/disabled via RC scripts 10.8.10.5.3 (3) The Network Time Protocol (ntp) synchronization server should be set appropriately. timeserver via ntpd.conf The default gateway should be set appropriately. IP address/disabled via /etc/default/route.conf via /etc/gated.conf 10.8.10.5.4.1 (4) The inetd service should be enabled or disabled as appropriate. enabled/disabled via RC scripts 10.8.10.5.4.1 (5) echo service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #1 netstat service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #2 rcp service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #3 chargen service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #4 finger service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #5 tftpd service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #6 walld service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #7 rstatd service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #8 sprayd service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #9 rusersd service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #10 rlogin service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #11 rsh service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #12 ftp service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #13 telnet service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #14 DEPRECATED. inn service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #16 uucp service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #17 rexec service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #18 font-service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #20 imap2 service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #21 pop3 service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #22 ident service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #23 rexd service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #24 daytime service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #26 dtspc (cde-spc) service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #27 rquotad service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #28 cmsd service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #29 tooltalk service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #30 xdmcp service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #31 discard service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #32 DEPRECATED. vino-server service should be enabled or disabled as appropriate enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1 (11) #34 The bind service should be enabled or disabled as appropriate. enabled/disabled via inetd via inetd.conf 10.8.10.5.4.1.1 (2) The version string reported by the bind service should be configured appropriately. string via /etc/named.conf 10.8.10.5.4.1.1 (5) The nfsd service should be enabled or disabled as appropriate enabled/disabled via RC scripts 10.8.10.5.4.1.5 (1) The mountd service should be enabled or disabled as appropriate enabled/disabled via RC scripts 10.8.10.5.4.1.5 (1) The statd service should be enabled or disabled as appropriate enabled/disabled via RC scripts 10.8.10.5.4.1.5 (1) The lockd service should be enabled or disabled as appropriate enabled/disabled via RC scripts 10.8.10.5.4.1.5 (1) NFS should be configured with appropriate authentication methods list of auth methods via NFSvia via /etc/exports 10.8.10.5.4.1.5 (1) f) The read-only (ro) option should be enabled or disabled as appropriate for all NFS exports. enabled/disabled via /etc/exports 10.8.10.5.4.1.5 (1) g) The nosuid option should be enabled or disabled for all NFS mounts as appropriate enabled/disabled via /etc/fstab 10.8.10.5.4.1.5 (1) i) The nosgid option should be enabled or disabled for all NFS mounts as appropriate enabled/disabled via /etc/fstab 10.8.10.5.4.1.5 (1) i) Sendmail should be enabled or disabled as appropriate enabled/disabled via inetd via RC scripts 10.8.10.5.4.2.2 (1) The sendmail banner should be set appropriately. string via /etc/mail/sendmail.cf 10.8.10.5.4.2.2 (3) The decode sendmail alias should be enabled or disabled as appropriate. enabled/disabled via /etc/aliases via /usr/lib/aliases 10.8.10.5.4.2.2 (4) c) .forward files should be allowed or disallowed as appropriate for all users allow/disallow via rm 10.8.10.5.4.2.2 (4) e) Programs executed through the aliases file should be owned by an appropriate user user via chown 10.8.10.5.4.2.2 (4) f) Programs executed through the aliases file should reside a directory with an appropriate user owner user via chown 10.8.10.5.4.2.2 (4) f) Sendmail vrfy command should be allowed or not as appropriate allow/disallow via /etc/mail/sendmail.cf 10.8.10.5.4.2.2 (4) g) Sendmail expn command should be allowed or not as appropriate allow/disallow via /etc/mail/sendmail.cf 10.8.10.5.4.2.2 (4) h) Sendmail should be configured with an appropriate logging level logging level via /etc/mail/sendmail.cf 10.8.10.5.4.2.2 (4) i) Sendmail help command should be allowed or not as appropriate allow/disallow via sendmail via /etc/mail/sendmail.cf 10.8.10.5.4.2.2 (4) k) NIS+ server should operate at an appropriate security level security level via NIS+ 10.8.10.5.4.2.3 (1) b) X-Windows should be enabled or disabled as appropriate enabled/disabled via Xwindows 10.8.10.5.4.2.4 (1) Authorized X-clients should be listed or not in the X*.hosts file as appropriate listed/not listed via /etc/X*.hosts 10.8.10.5.4.2.4 (2) b) X-Windows should write .Xauthority files to users' home directories or not as appropriate write/not write via xdm via gdm via kdm 10.8.10.5.4.2.4 (2) d) X11 forwarding via SSH should be enabled or disabled as appropriate. enabled/disabled via sshd_config 10.8.10.5.4.2.4 (2) f) Samba should be enabled or disabled as appropriate enabled/disabled via smbd via RC scripts 10.8.10.5.4.2.6 (1) Samba 'hosts allow' option should be configured with an appropriate set of networks list of networks via smbd via smb.conf 10.8.10.5.4.2.6 (3) a) Samba 'security option' option should be set as appropriate via smbd via smb.conf 10.8.10.5.4.2.6 (3) b) Samba 'encrypt' passwords option should be set as appropriate yes/no via smbd via smb.conf 10.8.10.5.4.2.6 (3) c) Samba 'smb passwd file' option should be set to an appropriate password file or no password file file/nothing via smbd via smb.conf 10.8.10.5.4.2.6 (3) d) IPv6 should be enabled or disabled as appropriate enabled/disabled via ifconfig 10.8.10.5.4.3 (1) /dev/kmem file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #9 /dev/mem file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #10 /dev/null file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #11 resolv.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #13 /etc/named.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #14 /usr/bin/at file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #25 /usr/bin/rdist file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #26 /usr/sbin/sync file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #27 Superuser account home directories' permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #29 /etc/samba/smb.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #31 smbpassword executable permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #32 Aliases file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #34 File permissions should be set as appropriate for the log file configured to capture critical sendmail messages. permissions via chmod 10.8.10-1 A.1 1) #35 All files executed through /etc/aliases file entries should have file permissions set appropriately permissions via chmod 10.8.10-1 A.1 1) #36 /bin/csh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #37 /bin/jsh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #38 /bin/ksh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #39 The /bin/rsh file should exist or not as appropriate exist/not exist via filesystem 10.8.10-1 A.1 1) #40 /bin/sh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #41 /bin/bash file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #42 /sbin/csh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #43 /sbin/jsh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #44 /sbin/ksh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #45 The /sbin/rsh file should exist or not as appropriate exist/not exist via filesystem 10.8.10-1 A.1 1) #46 /sbin/sh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #47 /sbin/bash file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #48 /usr/bin/csh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #49 /usr/bin/jsh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #50 /usr/bin/ksh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #51 The /usr/bin/rsh file should exist or not as appropriate exist/not exist via filesystem 10.8.10-1 A.1 1) #52 /usr/bin/sh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #53 snmpd.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #56 /tmp file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #57 /usr/tmp file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #58 .Xauthority file permissions should be set appropriately for all users. permissions via chmod 10.8.10-1 A.1 1) #60 /etc/aliases file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #61 /etc/cron.d/at.allow file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #62 /etc/cron.d/cron.allow file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #63 /etc/csh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #64 /etc/default/* file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #65 /etc/default/login file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #66 The /etc/ftpusers file should exist or not as appropriate exist/not exist via filesystem 10.8.10-1 A.1 1) #69 /etc/host.lpd file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #70 /etc/hostname* file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #71 /etc/hosts file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #72 /etc/inetd.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #73 /etc/issue file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #75 /etc/jsh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #76 /etc/ksh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #77 /etc/mail/aliases file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #78 /etc/motd file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #79 /etc/netconfig file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #80 /etc/notrouter file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #81 /etc/pam.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #82 /etc/passwd file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #83 The /etc/rsh file should exist or not as appropriate exist/not exist via filesystem 10.8.10-1 A.1 1) #84 /etc/security file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #85 /etc/services file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #86 /etc/sh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #87 /etc/shadow file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #88 /etc/syslog.conf file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #89 DEPRECATED. /etc/fstab file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #91 DEPRECATED. /var/adm/loginlog file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #93 /var/adm/messages file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #94 /var/adm/sulog file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #95 /var/adm/utmp file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #96 /var/adm/wtmp file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #97 /var/adm/authlog file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #98 /var/adm/syslog file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #99 /var/mail file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #100 /var/tmp file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #101 /usr/lib/pt_chmod file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #103 /usr/lib/embedded_us file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #104 /usr/lib/sendmail file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #105 /usr/kerberos/bin/rsh file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #107 /var/spool/mail file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #108 smbpassword file permissions should be set appropriately permissions via chmod 10.8.10-1 A.1 1) #109 System files should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #8 System files should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #8 Default/skeleton dot files should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #9 Default/skeleton dot files should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #9 Global initialization files should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #10 Global initialization files should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #10 Home directories should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #11 Home directories should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #11 inetd.conf file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #12 inetd.conf file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #12 /etc/services file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #16 /etc/services file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #16 /etc/notrouter file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #18 /etc/notrouter file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #18 DEPRECATED. DEPRECATED. /etc/passwd file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #35 /etc/passwd file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #35 /etc/shadow file should be owned by an appropriate user list of users via chown 10.8.10-1 A.1 2) #36 /etc/shadow file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-1 A.1 2) #36 Environmental variable PATH for superuser accounts should or should not contain world-writable files as appropriate should/should not via chmod via profile 10.8.10-1 A.2 1) #1 Environmental variable PATH for superuser accounts should not contain the current directory as the first or last entry should/should not via local init files 10.8.10-1 A.2 1) #2 The current directory should or should not be added to the environmental variable PATH by global initialization files as appropriate should/should not via local init files 10.8.10-1 A.2 1) #3 The current directory should or should not be added to the environmental variable PATH by local initialization files as appropriate should/should not via local init files 10.8.10-1 A.2 1) #4 DEPRECATED. The system umask should be set appropriately umask via global init files 10.8.10-1 A.2 1) #8 The user umask should be set appropriately umask via local init files 10.8.10-1 A.2 1) #8 DEPRECATED. /etc/rc.config.d/auditing file should be owned by an appropriate user list of users via chown 10.8.10-4 D.1 1) #2 DEPRECATED. /etc/init.d file should be owned by an appropriate user list of users via chown 10.8.10-4 D.1 1) #5 /etc/hosts.lpd file should be owned by an appropriate user list of users via chown 10.8.10-4 D.1 1) #6 DEPRECATED. /etc/rc.config.d/auditing file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-4 D.1 1) #2 DEPRECATED. /etc/init.d file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-4 D.1 1) #5 /etc/hosts.lpd file should be owned by an appropriate group list of groups via chgrp via chown 10.8.10-4 D.1 1) #6 DEPRECATED. /etc/rc.config.d/auditing file permissions should be set appropriately permissions via chmod 10.8.10-4 D.1 1) #2 DEPRECATED in favor of CCE-8638-9, CCE-8647-0, and CCE-8187-7. /etc/auto.master file should be owned by an appropriate user list of users via chown 10.8.10-3 C.1 1) #9 /etc/auto.misc file should be owned by an appropriate user list of users via chown 10.8.10-3 C.1 1) #9 /etc/auto.net file should be owned by an appropriate user list of users via chown 10.8.10-3 C.1 1) #9 /etc/init.d file permissions should be set appropriately permissions via chmod 10.8.10-4 D.1 1) #5 /etc/hosts.lpd file permissions should be set appropriately permissions via chmod 10.8.10-4 D.1 1) #6 DEPRECATED. Auditing should be enabled or disabled for user accounts as appropriate enabled/disabled via /tcb/files/auth/* 10.8.10-4 D.3 1) Auditing should be enabled or disabled at boot time as appropriate enabled/disabled via /etc/rc.config.d/auditing 10.8.10-4 D.3 2) System logons should be audited or not as appropriate audited/not audited via /etc/rc.config.d/auditing 10.8.10-4 D.3 3) #1 System logoffs should be audited or not as appropriate audited/not audited via /etc/rc.config.d/auditing 10.8.10-4 D.3 3) #2 Password changes should be audited or not as appropriate audited/not audited via /etc/rc.config.d/auditing 10.8.10-4 D.3 3) #3 su usage should be audited or not as appropriate audited/not audited via /etc/rc.config.d/auditing 10.8.10-4 D.3 3) #4 Creation/modification of superuser groups should be audited or not as appropriate audited/not audited via /etc/rc.config.d/auditing 10.8.10-4 D.3 3) #5 Clearing of the audit log file should be audited or not as appropriate audited/not audited via /etc/rc.config.d/auditing 10.8.10-4 D.3 3) #8 Startup/shutdown of audit functions should be audited or not as appropriate audited/not audited via /etc/rc.config.d/auditing 10.8.10-4 D.3 3) #9 Use of identification/authorization mechanisms should be audited or not as appropriate audited/not audited via /etc/rc.config.d/auditing 10.8.10-4 D.3 3) #10 Remote access from outside the corporate network should be audited or not as appropriate audited/not audited via /etc/rc.config.d/auditing 10.8.10-4 D.3 3) #11 Change of permissions/privileges should be audited or not as appropriate audited/not audited via /etc/rc.config.d/auditing 10.8.10-4 D.3 3) #13 Global initialization files should allow or deny write access to the terminal as appropriate allow/deny via global init files 10.8.10-4 D.4 1) #1 PRI audit file should be specified appropriately file and path via /etc/rc.config.d/auditing 10.8.10-4 D.3 2) SEC audit file should be specified appropriately file and path via /etc/rc.config.d/auditing 10.8.10-4 D.3 2) FileSpaceSwitch should be set to an appropriate value percentage of free space via /etc/rc.config.d/auditing 10.8.10-4 D.3 2) Wakeup switchpoint frequency should be set to an appropriate time interval number of minutes via /etc/rc.config.d/auditing 10.8.10-4 D.3 2) Warning messages switchpoint distance should be set to an appropriate value switchpoint distance integer via /etc/rc.config.d/auditing 10.8.10-4 D.3 2) Hard core dump size limits should be set appropriately Size (0 to disable core dumps) via /etc/security/limits via ulimit 10.8.10.4.4 (3) Root logins should be allowed or not as appropriate from SSH consoles allowed/not allowed 10.8.10.5.2.6 (4) The "Security Zones: Use Only Machine Settings" setting should be configured correctly. enabled/disabled HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only CCE-5 oval:org.mitre.oval:def:1277, oval:org.mitre.oval:def:2050 UseOnlyMachineSettings-LocalComputer, UseOnlyMachineSettings-LocalComputer-Disabled use_only_machine_settings_local_computer oval:gov.nist.fdcc.ie7:def:1277 Internet Explorer Processes (Restrict ActiveX Install) enabled/disabled HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\(Reserved) HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\explorer.exe HKLM\Software\Policies\ Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict ActiveX Install Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\(Reserved) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\explorer.exe [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\iexplore.exe CCE-119 oval:org.mitre.oval:def:658 IEProcesses-RestrictActiveXInstall-LocalComputer IEProcesses_RestrictActiveXInstall_LocalComputer oval:gov.nist.fdcc.ie7:def:658 The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly. enabled/disabled HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit CCE-146 oval:org.mitre.oval:def:1400 DoNotAllowUsersAddDeleteSites-LocalComputer DoNotAllowUsersAddDeleteSites_LocalComputer oval:gov.nist.fdcc.ie7:def:1400 The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly. enabled/disabled HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck CCE-212 oval:org.mitre.oval:def:1357 DisablePeriodicCheckForIESoftwareUpdates-LocalComputer DisablePeriodicCheckForIESoftwareUpdates_LocalComputer oval:gov.nist.fdcc.ie7:def:1357 Internet Explorer Processes (Zone Elevation Protection) enabled/disabled HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\(Reserved) HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\explorer.exe HKLM\Software\Policies\Microsoft\Internet Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Protection From Zone Elevation Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\(Reserved) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\explorer.exe [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe CCE-347 oval:org.mitre.oval:def:620 IEProcesses_ProtectionFromZoneElevation_LocalComputer oval:gov.nist.fdcc.ie7:def:620 The "Internet Explorer Processes (Consistent MIME Handling)" setting should be configured correctly. enabled/disabled HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\(Reserved) HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\explorer.exe HKLM\Software\Policies\Microsoft\Internet E Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Binary Behavior Security Restriction Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\(Reserved) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\explorer.exe [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\iexplore.exe CCE-382 oval:org.mitre.oval:def:884 IEProcesses-ConsistentMimeHandling-LocalComputer IEProcesses_ConsistentMimeHandling_LocalComputer oval:gov.nist.fdcc.ie7:def:884 The "Allow Software to Run or Install Even if the Signature is Invalid" setting should be configured correctly. enabled/disabled HKLM\Software\Policies\Microsoft\Internet Explorer\Download\RunInvalidSignatures Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\RunInvalidSignatures CCE-449 oval:org.mitre.oval:def:680, oval:org.mitre.oval:def:1392 AllowSoftwareRunInstallSignatureInvalid-LocalComputer, AllowSoftwareToRununOrInstallEvenIfSignatureInvalid-LocalUser AllowSoftwareRunInstallSignatureInvalid_LocalComputer oval:gov.nist.fdcc.ie7:def:680 The "Internet Explorer Processes (MK Protocol)" setting should be configured correctly. enabled/disabled HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\(Reserved) HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\explorer.exe HKLM\Software\Policies\Microsoft Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/MK Protocol Security Restriction Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\(Reserved) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\explorer.exe [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\iexplore.exe CCE-591 oval:org.mitre.oval:def:617 IEProcesses-MKProtocolSecurityRestriction-LocalComputer IEProcesses_MKProtocolSecurityRestriction_LocalComputer oval:gov.nist.fdcc.ie7:def:617 The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly. enabled/disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe CCE-622 oval:org.mitre.oval:def:1188 DisableSoftwareUpdateShellNotifications-LocalComputer DisableSoftwareUpdateShellNotifications_LocalComputer oval:gov.nist.fdcc.ie7:def:1188 The "Internet Explorer Processes (Restrict File Download)" setting should be configured correctly. enabled/disabled HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved) HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe CCE-668 oval:org.mitre.oval:def:320 IEProcesses-RestrictFileDownload-LocalComputer IEProcesses_RestrictFileDownload_LocalComputer oval:gov.nist.fdcc.ie7:def:320 The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly. enabled/disabled HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup CCE-684 oval:org.mitre.oval:def:1198 DisableAutomaticInstallOfIEComponents-LocalComputer DisableAutomaticInstallOfIEComponents_LocalComputer oval:gov.nist.fdcc.ie7:def:1198 The "Make Proxy Settings Per-Machine (Rather Then Per-User)" setting should be configured correctly. number of proxy settings HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser CCE-693 oval:org.mitre.oval:def:1181 MakeProxySettingsPerMachine-LocalComputer MakeProxySettingsPerMachine_LocalComputer oval:gov.nist.fdcc.ie7:def:1181 The "Do Not Allow Users to enable or Disable Add-Ons" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoExtensionManagement CCE-708 oval:org.mitre.oval:def:1380, oval:org.mitre.oval:def:1358, oval:org.mitre.oval:def:1694 DoNotAllowUsersEnableDisableAddOns-LocalComputer, DoNotAllowUsersEnableDisableAddOns-LocalUser DoNotAllowUsersEnableDisableAddOns_LocalComputer oval:gov.nist.fdcc.ie7:def:1694 The "Turn Off Crash Detection" setting should be configured correctly. enabled/disabled HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoCrashDetection Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoCrashDetection CCE-753 oval:org.mitre.oval:def:487 TurnOffCrashDetection-LocalComputer TurnOffCrashDetection_LocalComputer oval:gov.nist.fdcc.ie7:def:487 The "Internet Explorer Processes (Scripted Window Security Restrictions)" setting should be configured correctly. enabled/disabled HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\(Reserved) HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\explorer.exe Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Scripted Window Security Restrictions Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\(Reserved) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\explorer.exe [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\iexplore.exe CCE-827 oval:org.mitre.oval:def:465 IEProcesses-ScriptedWindowSecurityRestrictions-LocalComputer IEProcesses_ScriptedWindowSecurityRestrictions_LocalComputer oval:gov.nist.fdcc.ie7:def:465 The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly. enabled/disabled HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit CCE-833 oval:org.mitre.oval:def:1404 DoNotAllowUsersChangePolicies-LocalComputer DoNotAllowUsersChangePolicies_LocalComputer oval:gov.nist.fdcc.ie7:def:1404 The "Internet Explorer Processes (MIME Sniffing)" setting should be configured correctly. enabled/disabled HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\(Reserved) HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\explorer.exe Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Mime Sniffing Safety Feature Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\(Reserved) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\explorer.exe [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\iexplore.exe CCE-985 oval:org.mitre.oval:def:317 IEProcesses-MimeSniffingSafetyFeature-LocalComputer IEProcesses_MimeSniffingSafetyFeature_LocalComputer oval:gov.nist.fdcc.ie7:def:317 The "Check for Signature on Downloaded Programs" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\CheckExeSignatures CCE-1025 oval:org.mitre.oval:def:395 CheckSignatureDownloadedPrograms-LocalComputer CheckSignatureDownloadedPrograms_LocalComputer oval:gov.nist.fdcc.ie7:def:395 The "Do Not Allow Resetting Internet Explorer Settings" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\DisableRIED CCE-42 oval:org.mitre.oval:def:583 DoNotAllowResettingIESettings-LocalComputer DoNotAllowResettingIESettings_LocalComputer oval:gov.nist.fdcc.ie7:def:583 The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Internet Zone. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1407 CCE-49 oval:org.mitre.oval:def:506, oval:org.mitre.oval:def:533 AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalUser allow_cut_copy_paste_operations_from_clipboard_via_script_internet_zone_local_computer oval:gov.nist.fdcc.ie7:def:506 The "Turn Off First- Run Opt-In" setting should be configured correctly for the Internet Zone. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208 CCE-863 oval:org.mitre.oval:def:1119 TurnOffFirst-RunOpt-In-InternetZone-LocalComputer TurnOffFirstRunOptIn_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:1119 The "Web Browser Applications" setting should be configured correctly for the Internet Zone. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2400 CCE-286 oval:org.mitre.oval:def:242 WebBrowserApplications-InternetZone-LocalComputer WebBrowserApplications_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:242 The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Restricted Sites Zone. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1407 CCE-1031 oval:org.mitre.oval:def:249, oval:org.mitre.oval:def:1393 AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalUser AllowCutCopyPasteOperationsFromClipboardViaScript_RestrictedSitesZone_LocalComputer oval:gov.nist.fdcc.ie7:def:249 The "Turn Off First- Run Opt-In" setting should be configured correctly for the Restricted Sites Zone. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1208 CCE-200 oval:org.mitre.oval:def:621 TurnOffFirst-RunOpt-In-RestrictedSitesZone-LocalComputer TurnOffFirstRunOptIn_RestrictedSitesZone_LocalComputer oval:gov.nist.fdcc.ie7:def:621 The "Web Browser Applications" setting should be configured correctly for the Restricted Sites Zone. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2400 CCE-51 oval:org.mitre.oval:def:580 WebBrowserApplications-RestrictedSitesZone-LocalComputer WebBrowserApplications_RestrictedSitesZone_LocalComputer oval:gov.nist.fdcc.ie7:def:580 The "Intranet Sites: Include all network paths (UNCs)" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet CCE-876 oval:org.mitre.oval:def:559, oval:org.mitre.oval:def:1370 IncludeAllNetworkPaths-LocalComputer, IncludeAllNetworkPaths-LocalUser include_all_network_paths_local_computer oval:gov.nist.fdcc.ie7:def:559 The "Disable the Advanced Page" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab CCE-810 oval:org.mitre.oval:def:934, oval:org.mitre.oval:def:660 DisableTheAdvancedPage-LocalComputer, DisableTheAdvancedPage-LocalUser The "Disable the Privacy Page" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\PrivacyTab CCE-811 oval:org.mitre.oval:def:1111 DisableThePrivacyPage-LocalComputer The "Disable the Security Page" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab CCE-595 oval:org.mitre.oval:def:672, oval:org.mitre.oval:def:601 DisableTheSecurityPage-LocalComputer, DisableTheSecurityPage-LocalUser The "Prevent Ignoing Certificate Errors" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\PreventIgnoreCertErrors CCE-938 oval:org.mitre.oval:def:655, oval:org.mitre.oval:def:1129 PreventIgnoingCertificateErrors-LocalComputer, PreventIgnoingCertificateErrors-LocalUser prevent_ignoring_certificate_errors_local_computer oval:gov.nist.fdcc.ie7:def:655 The "Turn Off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Internet Settings/Component Updates/Periodic Check for Updates to Internet Explorer and Internet Tools Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Update_Check_Page CCE-946 oval:org.mitre.oval:def:715 TurnOffChangingURLDisplay-LocalComputer TurnOffChangingURLDisplay_LocalComputer oval:gov.nist.fdcc.ie7:def:715 The "Turn Off Configuring the Update Check Interval (In Days)" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Internet Settings/Component Updates/Periodic Check for Updates to Internet Explorer and Internet Tools Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Update_Check_Interval CCE-237 oval:org.mitre.oval:def:1187 TurnOffConfiguringUpdateCheckInterval-LocalComputer TurnOffConfiguringUpdateCheckInterval_LocalComputer oval:gov.nist.fdcc.ie7:def:1187 The "Add-on List" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Add-on Management Registry Keys:[HKLM | HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\ListBox_Support_CLSID CCE-541 oval:org.mitre.oval:def:626 AddOnList-LocalComputer The "Deny all add-ons unless specifically allowed in the Add-on List" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Add-on Management Registry Keys:[HKLM | HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\RestrictToList CCE-911 oval:org.mitre.oval:def:1278 DenyAllAddOns-LocalComputer The "Disable "Configuring History"" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\History [HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep CCE-66 oval:org.mitre.oval:def:757, oval:org.mitre.oval:def:1365 DisableConfiguringHistory-LocalComputer, DisableConfiguringHistory-LocalUser DisableConfiguringHistory_LocalComputer oval:gov.nist.fdcc.ie7:def:757 The "Disable Changing Automatic Configuration Settings" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Autoconfig CCE-471 oval:org.mitre.oval:def:1285, oval:org.mitre.oval:def:613 DisableChangingAutomaticConfigurationSettings-LocalComputer, DisableChangingAutomaticConfigurationSettings-LocalUser DisableChangingAutomaticConfigurationSettings_LocalComputer oval:gov.nist.fdcc.ie7:def:1285 The "Disable Changing Connection Settings" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connection Settings [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connwiz Admin Lock CCE-611 oval:org.mitre.oval:def:355, oval:org.mitre.oval:def:1128 DisableChangingConnectionSettings-LocalComputer, DisableChangingConnectionSettings-LocalUser The "Disable Changing Proxy Settings" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Proxy CCE-62 oval:org.mitre.oval:def:398, oval:org.mitre.oval:def:635 DisableChangingProxySettings-LocalComputer, DisableChangingProxySettings-LocalUser The "Disable Showing the Splash Screen" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSplash CCE-556 oval:org.mitre.oval:def:1164 DisableShowingSplashScreen-LocalComputer DisableShowingSplashScreen_LocalComputer oval:gov.nist.fdcc.ie7:def:1164 The "Prevent "Fix settings" Functionality" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Security\DisableFixSecuritySettings CCE-948 oval:org.mitre.oval:def:448, oval:org.mitre.oval:def:640 PreventFixSettingsFunctionality-LocalComputer, PreventFixSettingsFunctionality-LocalUser The "Prevent participation in the Customer Experience Improvement Programs" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\SQM\DisableCustomerImprovementProgram CCE-495 oval:org.mitre.oval:def:1171, oval:org.mitre.oval:def:1391 PreventParticipationInCustomerExperienceImprovementPrograms-LocalComputer, PreventParticipationInCustomerExperienceImprovementPrograms-LocalUser PreventParticipationInCustomerExperienceImprovementPrograms_LocalComputer oval:gov.nist.fdcc.ie7:def:1171 The "Prevent performance of First Run Customize settings" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize CCE-1006 oval:org.mitre.oval:def:1322 PreventPerformanceOfFirstRunCustomizeSettings-LocalComputer PreventPerformanceOfFirstRunCustomizeSettings_LocalComputer oval:gov.nist.fdcc.ie7:def:1322 The "Prevent the deletation of temporary internet files and cookies" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Settings CCE-909 oval:org.mitre.oval:def:1382, oval:org.mitre.oval:def:703 PerventDeletationOfTempInternetFiles-LocalComputer, PerventDeletationOfTempInternetFiles-LocalUser The "Turn off "Delete Browsing History" functionality" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\DisableDeleteBrowsingHistory CCE-1010 oval:org.mitre.oval:def:458, oval:org.mitre.oval:def:1474 TurnOffDeleteBrowsingHistoryFunctionality-LocalComputer, TurnOffDeleteBrowsingHistoryFunctionality-LocalUser TurnOffDeleteBrowsingHistoryFunctionality_LocalComputer oval:gov.nist.fdcc.ie7:def:458 The "Turn off Managing Phishing Filter" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\Enabled CCE-1032 oval:org.mitre.oval:def:501 TurnOffManagingPhishingFilter-LocalComputer TurnOffManagingPhishingFilter_LocalComputer oval:gov.nist.fdcc.ie7:def:501 The "Turn off the Security Settings Check feature" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck CCE-1054 oval:org.mitre.oval:def:916, oval:org.mitre.oval:def:1034 TurnOffSecuritySettingsCheckFeature-LocalComputer, TurnOffSecuritySettingsCheckFeature-LocalUser TurnOffSecuritySettingsCheckFeature_LocalComputer oval:gov.nist.fdcc.ie7:def:916 The "Allow Active Content from CD's to Run on User Machine" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCAL CCE-964 oval:org.mitre.oval:def:400 AllowActiveContentFromCD-LocalComputer AllowActiveContentFromCD_LocalComputer oval:gov.nist.fdcc.ie7:def:400 The "Enable third-party browser extensions" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Enable Browser Extensions CCE-598 oval:org.mitre.oval:def:110 AllowThird-PartyBrowserExtensions-LocalComputer AllowThird-PartyBrowserExtensions_LocalComputer oval:gov.nist.fdcc.ie7:def:110 The "Automatically Check for Internet Explorer Updates" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\NoUpdateCheck CCE-1008 oval:org.mitre.oval:def:656, oval:org.mitre.oval:def:1360 AutomaticallyCheckIEUpdates-LocalComputer, AutomaticallyCheckForIEUpdates-LocalUser AutomaticallyCheckIEUpdates_LocalComputer oval:gov.nist.fdcc.ie7:def:656 The "Check for Server Certificate Revocation" setting should be configured correctly. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation CCE-690 oval:org.mitre.oval:def:172, oval:org.mitre.oval:def:1502 CheckServerCertificateRevocation-LocalComputer, CheckForServerCertificateRevocation-LocalUser CheckServerCertificateRevocation_LocalComputer oval:gov.nist.fdcc.ie7:def:172 The "Access data sources across domains" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406 CCE-47 oval:org.mitre.oval:def:674, oval:org.mitre.oval:def:650 AccessDataSourcesAcrossDomains-InternetZone-LocalComputer, AccessDataSourcesAcrossDomains-InternetZone-LocalUser access_data_sources_across_domains_internet_zone_local_computer oval:gov.nist.fdcc.ie7:def:674 The "Drag and drop or copy and paste files" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1802 CCE-685 oval:org.mitre.oval:def:1083, oval:org.mitre.oval:def:547 AllowDragDropOrCopyPasteFiles-InternetZone-LocalComputer, AllowDragDropOrCopyPasteFiles-InternetZone-LocalUser AllowDragDropOrCopyPasteFiles_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:1083 The "Font download" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1604 CCE-491 oval:org.mitre.oval:def:524, oval:org.mitre.oval:def:659 AllowFontDownloads-InternetZone-LocalComputer, AllowFontDownloads-InternetZone-LocalUser AllowFontDownloads_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:524 The "Installation of desktop items" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1800 CCE-355 oval:org.mitre.oval:def:223, oval:org.mitre.oval:def:541 AllowInstallationOfDesktopItems-InternetZone-LocalComputer, AllowInstallationOfDesktopItems-InternetZone-LocalUser AllowInstallationOfDesktopItems_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:223 The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Internet Zone. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2102 CCE-280 oval:org.mitre.oval:def:589, oval:org.mitre.oval:def:1476 AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalComputer, AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalUser AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:589 The "Allow Scriptlets" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1209 CCE-439 oval:org.mitre.oval:def:1043 AllowScriptlets-InternetZone-LocalComputer allow_scriptlets_internet_zone_local_computer oval:gov.nist.fdcc.ie7:def:1043 The "Allow status bar updates via script" setting should be configured correctly for the Internet Zone. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2103 CCE-914 oval:org.mitre.oval:def:226, oval:org.mitre.oval:def:1208 AllowStatusBarUpdatesViaScript-InternetZone-LocalComputer, AllowStatusBarUpdatesViaScript-InternetZone-LocalUser allow_status_bar_updates_via_script_internet_zone_local_computer oval:gov.nist.fdcc.ie7:def:226 The "Automatic prompting for file downloads" setting should be configured correctly for the Internet Zone. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2200 CCE-16 oval:org.mitre.oval:def:1113, oval:org.mitre.oval:def:562 AutomaticPromptingFileDownloads-InternetZone-LocalComputer, AutomaticPromptingFileDownloads-InternetZone-LocalUser AutomaticPromptingFileDownloads_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:1113 The "Download signed ActiveX controls" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001 CCE-1013 oval:org.mitre.oval:def:1199, oval:org.mitre.oval:def:546 DownloadSignedActiveXControls-InternetZone-LocalComputer, DownloadSignedActiveXControls-InternetZone-LocalUser download_signed_activex_controls_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:1199 The "Download unsigned ActiveX controls" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1004 CCE-176 oval:org.mitre.oval:def:391, oval:org.mitre.oval:def:1200 DownloadUnsignedActiveXControls-InternetZone-LocalComputer, DownloadUnsignedActiveXControls-InternetZone-LocalUser DownloadUnsignedActiveXControls_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:391 The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1201 CCE-586 oval:org.mitre.oval:def:1040, oval:org.mitre.oval:def:739 InitializeScriptActiveXControlsNotMarkedAsSafe-InternetZone-LocalComputer, JavaPermissions-InternetZone-LocalComputer, InitializeScriptActiveXControlsNotMarkedAsSafe-InternetZone-LocalUser InitializeScriptActiveXControlsNotMarkedAsSafe_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:1040 The "Java permissions" setting should be configured correctly for the Internet Zone. Custom/Disable Java/High safety/Low safety/Medium safety Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1C00 CCE-132 oval:org.mitre.oval:def:1174, oval:org.mitre.oval:def:725 JavaPermissions-InternetZone-LocalUser java_permissions_internet_zone_local_computer oval:gov.nist.fdcc.ie7:def:1174 The "Launching programs and files in an IFRAME" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1804 CCE-689 oval:org.mitre.oval:def:611, oval:org.mitre.oval:def:1487 LaunchingApplicationsAndFilesInIFRAME-InternetZone-LocalComputer, LaunchingApplicationsAndFilesInIFRAME-InternetZone-LocalUser LaunchingApplicationsAndFilesInIFRAME_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:611 The "Logon" setting should be configured correctly for the Internet Zone. Anonymous logon/Automatic logon only in Intranet zone/Automatic logon with current user name and password/Prompt for user name and password Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A00 CCE-720 oval:org.mitre.oval:def:691, oval:org.mitre.oval:def:1123 LogonOptions-InternetZone-LocalComputer, LogonOptions-InternetZone-LocalUser LogonOptions_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:691 The "Loose XAML" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2402 CCE-126 oval:org.mitre.oval:def:240 LooseXAMLFiles-InternetZone-LocalComputer LooseXAMLFiles_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:240 The "Navigate sub-frames across different domains" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1607 CCE-245 oval:org.mitre.oval:def:612, oval:org.mitre.oval:def:1394 NavigateSub-framesAcrossDifferentDomains-InternetZone-LocalComputer, NavigateSub-framesAcrossDifferentDomains-InternetZone-LocalUser navigate_sub_frames_across_different_domains_Internet_zone_local_computer oval:gov.nist.fdcc.ie7:def:612 The "Open files based on content, not file extension" setting should be configured correctly for the Internet Zone. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2100 CCE-910 oval:org.mitre.oval:def:953, oval:org.mitre.oval:def:1300 OpenFilesBasedOnContent-InternetZone-LocalComputer, OpenFilesBasedOnContent-InternetZone-LocalUser OpenFilesBasedOnContent_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:953 The "Software channel permissions" setting should be configured correctly for the Internet Zone. High safety/low safety/medium safety Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1E05 CCE-359 oval:org.mitre.oval:def:302, oval:org.mitre.oval:def:1398 SoftwareChannelPermissions-InternetZone-LocalComputer, SoftwareChannelPermissions-InternetZone-LocalUser SoftwareChannelPermissions_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:302 The "Use Pop-up Blocker" setting should be configured correctly for the Internet Zone. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809 CCE-1002 oval:org.mitre.oval:def:1179, oval:org.mitre.oval:def:558 UsePop-upBlocker-InternetZone-LocalComputer, UsePop-upBlocker-InternetZone-LocalUser UsePop-upBlocker_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:1179 The "Userdata persistence" setting should be configured correctly for the Internet Zone. enabled/disabled Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1606 CCE-425 oval:org.mitre.oval:def:1108 UserdataPersistence-InternetZone-LocalComputer UserdataPersistence_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:1108 The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2101 CCE-724 oval:org.mitre.oval:def:265, oval:org.mitre.oval:def:1432 WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-InternetZone-LocalComputer, WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-InternetZone-LocalUser WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:265 The "XPS documents" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2401 CCE-1015 oval:org.mitre.oval:def:628 XPSFiles-InternetZone-LocalComputer The "Display mixed content" setting should be configured correctly for the Internet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609 CCE-878 oval:org.mitre.oval:def:245 DisplayMixedContent-LockedDownInternetZone-LocalComputer display_mixed_content_locked_down_internet_zone_local_computer oval:gov.nist.fdcc.ie7:def:245 The "Display mixed content" setting should be configured correctly for the Intranet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609 CCE-288 oval:org.mitre.oval:def:1166 DisplayMixedContent-IntranetZone-LocalComputer display_mixed_content_intranet_zone_local_computer oval:gov.nist.fdcc.ie7:def:1166 The "Display mixed content" setting should be configured correctly for the Locked Down Intranet Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1609 CCE-552 oval:org.mitre.oval:def:247 DisplayMixedContent-LockedDownIntranetZone-LocalComputer display_mixed_content-LockedDownintranet_zone_local_computer oval:gov.nist.fdcc.ie7:def:247 The "Display mixed content" setting should be configured correctly for the Local Machine Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609 CCE-473 oval:org.mitre.oval:def:383 DisplayMixedContent-LocalMachineZone-LocalComputer display_mixed_content-local_machine_zone_local_computer oval:gov.nist.fdcc.ie7:def:383 The "Display mixed content" setting should be configured correctly for the Locked Down Local Machine Zone. enabled/disabled/prompt Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1609 CCE-239 oval:org.mitre.oval:def:418 DisplayMixedContent-LockedDownLocalMachineZone-LocalComputer display_mixed_content-LockedDownlocal_machine_zone_local_computer oval:gov.nist.fdcc.ie7:def:418 The "Access data sources across domains" setting should be configured correctly for the Restricted Sites Zone. enabled/disabled/prompt