TNS Oracle WebLogic Server 11 Windows Best Practices

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: TNS Oracle WebLogic Server 11 Windows Best Practices

Updated: 1/5/2022

Authority: TNS

Plugin: Windows

Revision: 1.9

Estimated Item Count: 66

File Details

Filename: TNS_Oracle_WebLogic_11_Security_Guide_Windows.audit

Size: 107 kB

MD5: d8da2bf339605be835dedcc24cb80748
SHA256: bce583ad2ede5a47d1c873609badea20db6a949e31aca4edcc53aa05f4b00c27

Audit Items

Description | Categories
1.1 - SerializedSystemIni.dat Password File is not Protected | ACCESS CONTROL, CONFIGURATION MANAGEMENT
1.2 - Strong Password policy should be implemented - Enforce Password History |
1.2 - Strong Password policy should be implemented - Maximum Password Age |
1.2 - Strong Password policy should be implemented - Minimum Lowercase Characters | IDENTIFICATION AND AUTHENTICATION
1.2 - Strong Password policy should be implemented - Minimum Numeric Characters | IDENTIFICATION AND AUTHENTICATION
1.2 - Strong Password policy should be implemented - Minimum Password Age |
1.2 - Strong Password policy should be implemented - Minimum Password Length | IDENTIFICATION AND AUTHENTICATION
1.2 - Strong Password policy should be implemented - Minimum Special Characters | IDENTIFICATION AND AUTHENTICATION
1.2 - Strong Password policy should be implemented - Minimum Uppercase Characters | IDENTIFICATION AND AUTHENTICATION
1.2 - Strong Password policy should be implemented - Non-Alphanumeric Characters | IDENTIFICATION AND AUTHENTICATION
1.3 - Default admin password should be changed |
2.1 - Weak permissions on Weblogic directories | ACCESS CONTROL, CONFIGURATION MANAGEMENT
2.2 - Weak permissions on Log files | ACCESS CONTROL, CONFIGURATION MANAGEMENT
2.3 - Administration Console Session Timeout is not set | ACCESS CONTROL
2.4 - Limit access to production WebLogic application servers |
2.5 - Unique X.509 Mapping should be present |
2.6 - Security roles should be used to control access |
2.7 - Set check Roles and Policies to all Web applications and EJBs | IDENTIFICATION AND AUTHENTICATION
2.8 - Account lockout policy should be enabled - Lockout Enabled | ACCESS CONTROL
2.8 - Account lockout policy should be enabled - Lockout Threshold | ACCESS CONTROL
2.9 - Security Groups should be established |
2.10 - Administrator Group should be set up |
3.1 - Domain wide administration port is not enabled | ACCESS CONTROL
3.2 - Keystore directory and file permissions should be set - Directory | ACCESS CONTROL, CONFIGURATION MANAGEMENT
3.2 - Keystore directory and file permissions should be set - Files | ACCESS CONTROL, CONFIGURATION MANAGEMENT
3.3 - Connection Filtering is not configured - Connection Filter Specified | ACCESS CONTROL
3.3 - Connection Filtering is not configured - Filter enabled | AUDIT AND ACCOUNTABILITY
3.3 - Connection Filtering is not configured - Filter Rules added | ACCESS CONTROL
3.4 - Default Weblogic Keystores is used | SYSTEM AND COMMUNICATIONS PROTECTION
3.5 - Default weblogic account is used |
3.6 - Insecure 'Idle Timeout' setting | SYSTEM AND COMMUNICATIONS PROTECTION
3.7 - Network Parameters are not tuned - Accept Backlog | SYSTEM AND COMMUNICATIONS PROTECTION
3.7 - Network Parameters are not tuned - Login Timeout | SYSTEM AND COMMUNICATIONS PROTECTION
3.7 - Network Parameters are not tuned - Maximum Open Sockets | SYSTEM AND COMMUNICATIONS PROTECTION
3.8 - Http banner reveals server information - Send Server Header | SYSTEM AND COMMUNICATIONS PROTECTION
3.8 - Http banner reveals server information - X-Powered-By Header | SYSTEM AND COMMUNICATIONS PROTECTION
3.9 - Default code and application examples and pointbase database are installed - ADFR Tools | CONFIGURATION MANAGEMENT
3.9 - Default code and application examples and pointbase database are installed - eval directory | CONFIGURATION MANAGEMENT
3.9 - Default code and application examples and pointbase database are installed - OEPE Tools | CONFIGURATION MANAGEMENT
3.9 - Default code and application examples and pointbase database are installed - samples directory | CONFIGURATION MANAGEMENT
3.10 - Domain is not running in production mode | CONFIGURATION MANAGEMENT
3.11 - Domain HTTP Post Timeout is not set | SYSTEM AND COMMUNICATIONS PROTECTION
3.12 - Security Interoperability Mode is not set | SYSTEM AND COMMUNICATIONS PROTECTION
3.13 - Configuration Archive is not Enabled | CONTINGENCY PLANNING
3.14 - Maximum Message Size is not set - Maximum HTTP Message Size | SYSTEM AND COMMUNICATIONS PROTECTION
3.14 - Maximum Message Size is not set - Maximum Message Size | SYSTEM AND COMMUNICATIONS PROTECTION
3.15 - Archive Configuration Count is not set | CONTINGENCY PLANNING
3.16 - Delete Development Tools - ADFR Tools | CONFIGURATION MANAGEMENT
3.16 - Delete Development Tools - OEPE Tools | CONFIGURATION MANAGEMENT
3.17 - Deploy the WebLogic Platform on a Dedicated System | CONFIGURATION MANAGEMENT
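Several of the items above (2.8, 3.1, 3.8, 3.10, 3.13, 3.15) are plain switches in the domain's config.xml, which is also where an audit tool reads them. The script below is an added example written for this page, not part of the Tenable audit file or of Oracle's tooling: it evaluates those items against a constructed config.xml fragment. The element names (production-mode-enabled, administration-port-enabled, config-backup-enabled, archive-configuration-count, user-lockout-manager, x-powered-by-header-level, send-server-header-enabled) are assumed from the WebLogic domain schema as the example's author understands it and should be confirmed against a real config.xml before the results are relied on. Absent elements are reported as failures, matching the audit's "is not set" wording, even though WebLogic would apply a default.

```python
"""Evaluate a few of the WebLogic domain-configuration audit items against
config.xml using only the Python standard library."""
import xml.etree.ElementTree as ET

# Constructed sample config.xml (not a real domain). Element names are an
# assumption based on the WebLogic domain schema; verify against your own file.
SAMPLE_CONFIG = """
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <production-mode-enabled>false</production-mode-enabled>
  <administration-port-enabled>false</administration-port-enabled>
  <config-backup-enabled>true</config-backup-enabled>
  <archive-configuration-count>5</archive-configuration-count>
  <security-configuration>
    <realm>
      <name>myrealm</name>
      <user-lockout-manager>
        <lockout-enabled>true</lockout-enabled>
        <lockout-threshold>5</lockout-threshold>
      </user-lockout-manager>
    </realm>
  </security-configuration>
  <web-app-container>
    <x-powered-by-header-level>SHORT</x-powered-by-header-level>
  </web-app-container>
  <server>
    <name>AdminServer</name>
    <web-server>
      <send-server-header-enabled>true</send-server-header-enabled>
    </web-server>
  </server>
</domain>
"""


def _text(parent, tag):
    """Text of the first child <tag>, ignoring the XML namespace; None if absent."""
    if parent is None:
        return None
    node = parent.find(f"{{*}}{tag}")
    return node.text.strip() if node is not None and node.text else None


def _is_true(value):
    return value is not None and value.lower() == "true"


def _positive_int(value):
    return value is not None and value.isdigit() and int(value) > 0


def audit_config(xml_text):
    """Return {audit item: (passed, observed value)}.

    A missing element is a failure: WebLogic would fall back to a default, but
    the audit items are phrased as 'is not set', so the value must be explicit.
    """
    domain = ET.fromstring(xml_text)
    results = {}

    # Domain-level switches (items 3.10, 3.1, 3.13, 3.15)
    v = _text(domain, "production-mode-enabled")
    results["3.10 production mode"] = (_is_true(v), v)
    v = _text(domain, "administration-port-enabled")
    results["3.1 administration port"] = (_is_true(v), v)
    v = _text(domain, "config-backup-enabled")
    results["3.13 configuration archive"] = (_is_true(v), v)
    v = _text(domain, "archive-configuration-count")
    results["3.15 archive count"] = (_positive_int(v), v)

    # Item 2.8: lockout settings sit under security-configuration/realm
    realm = domain.find("{*}security-configuration/{*}realm")
    ulm = realm.find("{*}user-lockout-manager") if realm is not None else None
    v = _text(ulm, "lockout-enabled")
    results["2.8 lockout enabled"] = (_is_true(v), v)
    v = _text(ulm, "lockout-threshold")
    results["2.8 lockout threshold"] = (_positive_int(v), v)

    # Item 3.8: X-Powered-By is domain-wide (web-app-container) ...
    v = _text(domain.find("{*}web-app-container"), "x-powered-by-header-level")
    results["3.8 X-Powered-By header"] = (v is not None and v.upper() == "NONE", v)

    # ... while the Server header is configured per server under <web-server>
    for server in domain.findall("{*}server"):
        name = _text(server, "name") or "?"
        v = _text(server.find("{*}web-server"), "send-server-header-enabled")
        results[f"3.8 Server header ({name})"] = (v is not None and v.lower() == "false", v)
    return results


def failing_items(xml_text):
    """Sorted list of the audit items that fail for the given config.xml text."""
    return sorted(item for item, (ok, _) in audit_config(xml_text).items() if not ok)


if __name__ == "__main__":
    for item, (ok, observed) in audit_config(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {item}: {observed!r}")
```

Run it against a real domain with `audit_config(open(path).read())`; the sample fails production mode, the administration port and both banner headers while passing the lockout and archive checks, which is the typical state of a freshly created development domain.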