Check: IIST-SV-000130
Microsoft IIS 10.0 Server STIG:
IIST-SV-000130
(in versions v2 r10 through v1 r0.1)
Title
Java software installed on a production IIS 10.0 web server must be limited to .class files and the Java Virtual Machine. (Cat II impact)
Discussion
Mobile code in hosted applications allows the developer to add functionality and displays to hosted applications that are fluid, as opposed to a static web page. The data presentation becomes more appealing to the user, is easier to analyze, and is less complicated to navigate through the hosted application and data. Some mobile code technologies in use in today's applications are: Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. The DoD has created policies that define the usage of mobile code on DoD systems. The usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. Source code for a Java program is often stored in files with either .java or .jpp file extensions. From the .java and .jpp files the Java compiler produces a binary file with an extension of .class. The .java or .jpp file could therefore reveal sensitive information regarding an application's logic and permissions to resources on the server.
Check Content
Search the system for files with either .java or .jpp extensions. If files with .java or .jpp extensions are found, this is a finding.
Fix Text
Remove all files from the web server with both .java and .jpp extensions.
Additional Identifiers
Rule ID: SV-218801r879627_rule
Vulnerability ID: V-218801
Group Title: SRG-APP-000206-WSR-000128
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001166 |
The information system identifies organization-defined unacceptable mobile code. |
Controls
Number | Title |
---|---|
SC-18 (1) |
Identify Unacceptable Code / Take Corrective Actions |