Check: AS24-W2-000690
Apache Server 2.4 Windows Site STIG:
AS24-W2-000690
(in versions v2 r1 through v1 r0.1)
Title
Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account. (Cat II impact)
Discussion
By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged account to a privileged account when operating on the web server or on security-relevant information forces users to only operate as a web server administrator when necessary. Operating in this manner allows for better logging of changes and better forensic information and limits accidental changes to the web server.
Check Content
Determine which tool or control file is used to control the configuration of the web server. If the control of the web server is done via control files, verify who has update access to them. If tools are being used to configure the web server, determine who has access to execute the tools. If accounts other than the System Administrator (SA), the Web Manager, or the Web Manager designees have access to the web administration tool or control files, this is a finding.
Fix Text
Restrict access to the web administration tool to only the SA, Web Manager, or the Web Manager designees.
Additional Identifiers
Rule ID: SV-214389r399775_rule
Vulnerability ID: V-214389
Group Title: SRG-APP-000340-WSR-000029
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002235 |
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
Controls
Number | Title |
---|---|
AC-6 (10) |
Prohibit Non-Privileged Users From Executing Privileged Functions |