
Web Server STIG Version 7, Release 1 Checklist Details

Supporting Resources:

Target:

  Target                               CPE Name
  Apache HTTP Server 1.3               cpe:/a:apache:http_server:1.3
  Apache HTTP Server 2.0               cpe:/a:apache:http_server:2.0
  Apache HTTP Server 2.2               cpe:/a:apache:http_server:2.2
  Apache Tomcat                        cpe:/a:apache:tomcat
  Apache Tomcat 4.1.31                 cpe:/a:apache:tomcat:4.1.31
  Apache Tomcat 5.0.28                 cpe:/a:apache:tomcat:5.0.28
  Apache Tomcat 9.0                    cpe:/a:apache:tomcat:9.0
  Microsoft Internet Information Services  cpe:/a:microsoft:iis
  Oracle Weblogic Server               cpe:/a:oracle:weblogic_server:10.3
  Sun iPlanet Web Server               cpe:/a:sun:iplanet_web_server
  lighttpd web server                  cpe:/a:lighttpd:lighttpd:1.4.29

Checklist Highlights

Checklist Name:
Web Server STIG
Checklist ID:
342
Version:
Version 7, Release 1
Type:
Compliance
Review Status:
Archived
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
09/20/2010

Checklist Summary:

The Web Server Overview is a published document that can be used to improve the security of Department of Defense (DoD) web servers and sites. This document is meant for use in conjunction with the Enclave, Network Infrastructure, Application Security and Development, and other appropriate operating system (OS) Security Technical Implementation Guides (STIGs). Guidance for deployment of web servers within the DoD intranet and the Demilitarized Zone (DMZ) will be governed by the appropriate Network Infrastructure STIG provided by the Defense Information Systems Agency (DISA).

The web server must be configured to protect classified, unclassified, and/or restricted data such as Personally Identifiable Information, as well as data approved for public release. Immediate risks inherent to this role are external attacks and accidental exposure. Although security controls and infrastructure devices such as firewalls, intrusion detection systems, and baseline integrity checking tools offer some defense against malicious activity, security for web servers is best achieved through implementing a comprehensive defense-in-depth strategy. This strategy should include, but is not limited to, server configuration to prevent system compromise, operational procedures for posting data to avoid accidental exposure, proper placement of the server within the network infrastructure, and the allowance or denial of Ports, Protocols, and Services used to access the web server.

This document supports the design, implementation, and management of web servers and sites from a generic standpoint applicable to all web servers and sites. It supersedes both the Web Server Security Technical Implementation Guide, Version 6 Release 1, 11 December 2006, and the Web Checklist Generic Version 6 Release 1.7, 24 April 2009.

Checklist Role:

  • Web Server

Known Issues:

Not provided.

Target Audience:

This document is a requirement for all DoD-owned information systems and DoD-controlled information systems operated by a contractor and/or other entity on behalf of the DoD that receive, process, store, display, or transmit DoD information, regardless of classification and/or sensitivity. These requirements are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), Information Assurance Officers (IAOs), and System Administrators (SAs) with configuring and maintaining security controls.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoDD 8500.1 and DoDI 8500.2

Comments/Warnings/Miscellaneous:

Comments or proposed revisions to this document should be sent via e-mail to the following address: fso_spt@disa.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

Disclaimer:

Not provided.

Product Support:

disa.stig_spt@mail.mil

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Version 7, Release 1 - 28 October 2011
Updated "Point of Contact" - 07 January 2015
Moved to Archive status - 06 December 2017

Dependency/Requirements:

None listed.

References:

None listed.

NIST checklist record last modified on 12/06/2017