| 1.5 Ensure 'unique application pools' is set for sites | CIS IIS 10 v1.2.1 Level 1 | Windows | ACCESS CONTROL |
| 2.3.37.3.1 (L1) Ensure 'Open Office documents as read/write while browsing' is set to 'Disabled' | CIS Microsoft Intune for Office v1.1.0 L1 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Ensure the Proxy Modules Are Disabled | CIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 2.6 Ensure the Proxy Modules Are Disabled | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 2.6 Ensure the Proxy Modules Are Disabled if not in use | CIS Apache HTTP Server 2.4 v2.2.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2 Ensure 'debug' is turned off - Default | CIS IIS 7 L2 v1.8.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 4.3 Ensure 'MaxQueryString request filter' is configured - Applications | CIS IIS 7 L2 v1.8.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 4.3 Ensure 'MaxQueryString request filter' is configured - Default | CIS IIS 7 L2 v1.8.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 5.13 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen [::ffff:0.0.0.0]:80 does not exists' | CIS Apache HTTP Server 2.2 L2 v3.6.0 Middleware | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.13 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen 0.0.0.0:80 does not exists' | CIS Apache HTTP Server 2.2 L2 v3.6.0 Middleware | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.13 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen 0.0.0.0:80 does not exists' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.13 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen 80 does not exists' | CIS Apache HTTP Server 2.2 L2 v3.6.0 Middleware | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.13 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen 80 does not exists' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| AS24-U2-000350 - Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server. | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware | Unix | CONFIGURATION MANAGEMENT |
| AS24-W1-000710 - The Apache web server must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the Apache web server. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | AUDIT AND ACCOUNTABILITY |
| DTOO164 - Beaconing UI shown for opened forms must be configured. | DISA STIG Microsoft InfoPath 2013 v1r6 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| DTOO164 - InfoPath - Beaconing UI shown for opened forms must be configured. | DISA STIG Office 2010 InfoPath v1r12 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| EX13-CA-000040 - Exchange must have IIS map client certificates to an approved certificate server. | DISA Microsoft Exchange 2013 Client Access Server STIG v2r2 | Windows | ACCESS CONTROL |
| OH12-1X-000172 - Users and scripts running on behalf of users must be contained to the document root or home directory tree of OHS. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | CONFIGURATION MANAGEMENT |
| OH12-1X-000320 - OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| OH12-1X-000322 - OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version - SSLProtocol | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| OH12-1X-000322 - OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version - SSLWallet | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| OH12-1X-000323 - OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCEM-67-000016 - ESX Agent Manager must not have any symbolic links in the web content directory tree. | DISA STIG VMware vSphere 6.7 EAM Tomcat v1r4 | Unix | CONFIGURATION MANAGEMENT |
| VCEM-70-000016 - ESX Agent Manager must not have any symbolic links in the web content directory tree. | DISA STIG VMware vSphere 7.0 EAM Tomcat v1r2 | Unix | CONFIGURATION MANAGEMENT |
| VCFL-67-000017 - vSphere Client must not have any symbolic links in the web content directory tree. | DISA STIG VMware vSphere 6.7 Virgo Client v1r2 | Unix | CONFIGURATION MANAGEMENT |
| VCLD-67-000023 - VAMI must not have any symbolic links in the web content directory tree. | DISA STIG VMware vSphere 6.7 VAMI-lighttpd v1r3 | Unix | CONFIGURATION MANAGEMENT |
| VCLD-67-000034 - VAMI must implement TLS1.2 exclusively - sslv2 | DISA STIG VMware vSphere 6.7 VAMI-lighttpd v1r3 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCLU-70-000016 - Lookup Service must not have any symbolic links in the web content directory tree. | DISA STIG VMware vSphere 7.0 Lookup Service v1r2 | Unix | CONFIGURATION MANAGEMENT |
| VCPF-70-000016 - Performance Charts must not have any symbolic links in the web content directory tree - out-of-the box state. | DISA STIG VMware vSphere 7.0 Perfcharts Tomcat v1r1 | Unix | CONFIGURATION MANAGEMENT |
| VCPF-70-000032 - Performance Charts must disable the shutdown port. | DISA STIG VMware vSphere 7.0 Perfcharts Tomcat v1r1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCST-67-000016 - The Security Token Service must not have any symbolic links in the web content directory tree. | DISA STIG VMware vSphere 6.7 STS Tomcat v1r3 | Unix | CONFIGURATION MANAGEMENT |
| VCUI-67-000015 - vSphere UI must not have any symbolic links in the web content directory tree. | DISA STIG VMware vSphere 6.7 UI Tomcat v1r3 | Unix | CONFIGURATION MANAGEMENT |
| VCUI-67-000029 - vSphere UI must disable the shutdown port - vsphere-ui.json | DISA STIG VMware vSphere 6.7 UI Tomcat v1r3 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCUI-70-000016 - vSphere UI must not have any symbolic links in the web content directory tree. | DISA STIG VMware vSphere 7.0 vCA UI v1r2 | Unix | CONFIGURATION MANAGEMENT |
| VCUI-70-000031 - vSphere UI must disable the shutdown port. | DISA STIG VMware vSphere 7.0 vCA UI v1r2 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| VM: guest-8.virtual-hardware | VMware vSphere Security Configuration and Hardening Guide | VMware | CONFIGURATION MANAGEMENT |
| WA00565 A22 - HTTP request methods must be limited - Order | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WBSP-AS-000940 - The WebSphere Application Server must remove JREs left by web server and plug-in installers in the DMZ. | DISA IBM WebSphere Traditional 9 STIG v1r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| WBSP-AS-000940 - The WebSphere Application Server must remove JREs left by web server and plug-in installers in the DMZ. | DISA IBM WebSphere Traditional 9 STIG v1r1 | Unix | CONFIGURATION MANAGEMENT |
| WBSP-AS-001080 - The WebSphere Application Server must provide security extensions to extend SOAP protocol and provide secure authentication | DISA IBM WebSphere Traditional 9 Windows STIG v1r1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WBSP-AS-001090 - The WebSphere Application Server must provide security extensions to extend SOAP protocol and provide secure authentication | DISA IBM WebSphere Traditional 9 STIG v1r1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| WG060 W22 - The service account used to run the web service must have its password changed at least annually. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | |
| WG400 A22 - All interactive programs (CGI) must be placed in a designated directory with appropriate permissions. | DISA STIG Apache Site 2.2 Unix v1r11 Middleware | Unix | ACCESS CONTROL |
| WG400 A22 - All interactive programs (CGI) must be placed in a designated directory with appropriate permissions. | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | ACCESS CONTROL |
| WG440 A22 - Monitoring software must include CGI or equivalent programs in its scope. | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | |
| WG440 A22 - Monitoring software must include CGI or equivalent programs in its scope. | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WG470 IIS6 - Wscript.exe and Cscript.exe must not be accessible by users other than the SA and Web Manager. - 'cscript.exe' | DISA STIG IIS 6.0 Server v6r16 | Windows | ACCESS CONTROL |
| WG470 IIS6 - Wscript.exe and Cscript.exe must not be accessible by users other than the SA and Web Manager. - 'wscript.exe' | DISA STIG IIS 6.0 Server v6r16 | Windows | ACCESS CONTROL |
| WG470 W22 - Wscript.exe and Cscript.exe must only be accessible by the SA and/or the web administrator. - 'Wscript.exe' | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | |
