Check: WG275 W22
APACHE 2.2 Server for Windows STIG:
WG275 W22
(in versions v1 r13 through v1 r11)
Title
The web server, although started by superuser or privileged account, must run using a non-privileged account. (Cat II impact)
Discussion
Running the web server with excessive privileges presents an increased risk to the web server. In the event the web server’s services are compromised, the context by which the web server is running will determine the amount of damage that may be caused by the attacker. If the web server is run as an administrator or as an equivalent account, the attacker will gain administrative access through the web server. If, on the other hand, the web server is running with least privilege required to function, the capabilities of the attacker will be greatly decreased.
Check Content
Work with the web administrator to determine the account assigned to the web server service. Once this is determined, right click on My Computer and select Manage. Then select Configuration, followed by Local Users and Groups. Examine the account that is used to run the web server service and determine the group affiliations. The Apache server account may be a member of the users group and in some cases the site may have created a separate group for the apache web server. Both of these are not findings. If the user account assigned to the web server service is a member of any other group than users or the created web server group, the SA will need to provide justification showing that these permissions are necessary for the function and operation of the web server. NOTE: The Apache account needs to have the following rights, which would not be a finding: Act as part of the Operating System & Log on as a Service.
Fix Text
Configure the web server to run using a non-privileged account.
Additional Identifiers
Rule ID: SV-36607r1_rule
Vulnerability ID: V-13619
Group Title: WG275
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |