Check: WG220 W22
APACHE 2.2 Server for Windows STIG:
WG220 W22
(in version v1 r11)
Title
Web administration tools must be restricted to the web manager and the web manager’s designees. (Cat II impact)
Discussion
All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the administration tools creates risk of potential theft or damage that may ultimately compromise the mission. Adequate protection ensures that server administration operates with less risk of losses or operations outages. The key web service administrative and configuration tools must be accessible only by the authorized web server administrators. All users granted this authority must be documented and approved by the ISSO. Access to the IIS Manager will be limited to authorized users and administrators.
Check Content
Determine which tool or control file is used to control the configuration of the web server. If the control of the web server is done via control files, verify who has update access to them. If tools are being used to configure the web server, determine who has access to execute the tools. If accounts other than the SA, the web manager, or the web manager designees have access to the web administration tool or control files, this is a finding.
Fix Text
Restrict access to the httpd.conf file to only the web manager and the web manager’s designees.
Additional Identifiers
Rule ID: SV-33072r4_rule
Vulnerability ID: V-2248
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |