{"description": "To minimize exposure of private assets to unnecessary risk by attackers,\npublic web servers must be isolated from internal systems.\n\nLogically relocate public web servers to be isolated from internal\nsystems. In addition, ensure the public web server does not have\ntrusted connections with assets outside the confines of the\ndemilitarized zone (DMZ) other than application and/or database servers\nthat are a part of the same system as the web server.", "rationale": "Public web servers are by nature more vulnerable to attack from publicly\nbased sources, such as the public Internet. Once compromised, a public\nserver might be used as a base for further attack on private resources,\nunless additional layers of protection are implemented. Public web servers\nmust be located in a DoD DMZ Extension, if hosted on the NIPRNet, with\ncarefully controlled access. Failure to isolate resources in this way\nincreases risk that private assets are exposed to attacks from public\nsources. An improperly located public web server is a potential\nthreat to the entire network.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the web server is not isolated in an accredited DoD DMZ Extension", "ocil": "Interview the SA or web administrator to see where the public web server\nis logically located in the data center. Review the site network diagram\nto see how the web server is connected to the LAN. Visually check the web\nserver hardware connections to see if it conforms to the site network\ndiagram.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/http/securing_httpd/httpd_nipr_accredited_dmz/rule.yml", "template": null}