Check: WG080 IIS6
IIS6 Server:
WG080 IIS6
(in version v6 r16)
Title
A compiler must not be installed on a production web server. (Cat II impact)
Discussion
The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses.
Check Content
Using Windows Explorer, search the system for the existence of known compilers such as msc.exe, msvc.exe, Python.exe, javac.exe, Lcc-win32.exe, or equivalent. If a compiler is found on the production server, this is a finding.

NOTE: This check does not prohibit the use of the .NET Framework. This does not prohibit the use of the Java compiler for Oracle.

NOTE: ColdFusion would not be considered a compiler as long as the site is not using the tools for development work.
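One way to script the search described in the check, as an added example that is not part of the STIG text. It assumes Windows PowerShell is available on the server; the "oracle" path heuristic and the status labels are assumptions for triage, and every match still needs manual confirmation.

```powershell
# Added example: automates the manual Explorer search from the check text.
# File names are the ones the check lists; extend the list to cover the
# "or equivalent" compilers relevant to your environment.
$compilerNames = 'msc.exe', 'msvc.exe', 'python.exe', 'javac.exe', 'lcc-win32.exe'

# Search local fixed disks only (DriveType 3); network and removable media are skipped.
$roots = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { $_.DeviceID + '\' }

$findings = foreach ($root in $roots) {
    # -Force includes hidden and system files; unreadable folders are skipped silently.
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $compilerNames -contains $_.Name } |
        ForEach-Object {
            # Assumption: javac.exe under a path containing "oracle" may be the
            # Java compiler for Oracle that the check's NOTE permits.
            $oracleJava = ($_.Name -ieq 'javac.exe') -and ($_.FullName -match 'oracle')
            $status = if ($oracleJava) { 'Review (possible Oracle exemption)' } else { 'Finding' }

            New-Object PSObject -Property @{
                Status    = $status
                Path      = $_.FullName
                LastWrite = $_.LastWriteTime
            }
        }
}

if ($findings) {
    $findings | Select-Object Status, Path, LastWrite | Format-Table -AutoSize -Wrap
} else {
    'No listed compiler executables found on local fixed disks.'
}
```

The script matches on file name only, so a renamed compiler will not be reported and a match is a candidate finding until confirmed.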
Fix Text
Remove any compiler programs found on the production web server.
Additional Identifiers
Rule ID: SV-38190r1_rule
Vulnerability ID: V-2236
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |