Rule ID
SV-214304r1211013_rule
Version
V2R7
Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The web server must provide the capability to disable or deactivate network-related services that are deemed nonessential to the server mission, are too unsecure, or are prohibited by the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments. Configuring the web server to implement organizationwide security implementation guides and security checklists guarantees compliance with federal standards and establishes a common security baseline across the DOD that reflects the most restrictive security posture consistent with operational requirements. Satisfies: SRG-APP-000516-WSR-000174, SRG-APP-000383-WSR-000175
Review the website to determine if HTTP and HTTPS are used in accordance with well-known ports (e.g., 80 and 443) or those ports and services as registered and approved for use by the DOD PPSM. Verify that any variation in PPS is documented, registered, and approved by the PPSM. If well-known ports and services are not approved for use by PPSM, this is a finding.
Ensure the website enforces the use of IANA well-known ports for HTTP and HTTPS.