STIGQter: STIG Summary: APACHE 2.2 Server for Windows Security Technical Implementation Guide, Version 1, Release 13, Benchmark Date: 25 Jan 2019

Web administration tools must be restricted to the web manager and the web manager’s designees.

DISA Rule

SV-33072r4_rule

Vulnerability Number

V-2248

Group Title

WG220

Rule Version

WG220 W22

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Restrict access to the httpd.conf and supporting .conf files to only the documented SA, web manager, or web manager designees.

Check Contents

Configuration of the Apache web server is accomplished by editing flat .conf files.
Interview the ISSO and ask for the web server’s documented procedures and processes.

Verify the documented procedures and processes explicitly document the roles and responsibilities for the web server and web site(s) management. These documented roles will be used to validate access controls for this check.
For the purpose of this check, the SA is responsible for the OS platform of the web server. The web server manager manages the Apache installation and configuration, and the web master manages the web site or sites.
In some environments, the SA is also the web manager/web master. In such cases, the roles should still be documented.

Locate the folder in which the Apache installation’s httpd.conf and supporting .conf files are located. Right-click on the folder name and select “Properties”. Select the “Security” tab and review the accounts and assigned permissions.
The System Administrator(s), web manager(s) and web master(s), as identified in the organization’s documentation, may have Full Control on the installation folder and sub-folders.
Non-documented administrators, non-elevated administrators and users may have Read-only permissions to the installation folder and sub-folders.

If any accounts other than the documented SA, web manager, or web manager designees have greater than Read permissions to the web administration tool or control files, this is a finding.
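The same review, scripted over the whole conf tree so the Security tab does not have to be opened folder by folder. This is an added example, not part of the STIG or of STIGQter; the folder path and the three account names are assumptions to be replaced with the values from the organization’s documentation.

```powershell
# Added example (not from the STIG): audit the NTFS ACLs under the Apache conf
# folder for WG220. $ConfPath and $DocumentedAccounts are placeholders that must
# match the organization's documented SA, web manager and designee accounts.
param(
    [string]   $ConfPath = 'C:\Apache22\conf',
    [string[]] $DocumentedAccounts = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'CORP\ApacheWebManagers'
    )
)

$FSR = [System.Security.AccessControl.FileSystemRights]
# Everything that still counts as "Read" for this check. ReadAndExecute bundles
# Read, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions
# and ExecuteFile; Synchronize sits on every ACE and grants no data access.
$ReadMask = [int]$FSR::ReadAndExecute -bor [int]$FSR::Synchronize

# Review the folder itself plus every sub-folder and supporting .conf file.
$items = @(Get-Item -LiteralPath $ConfPath) +
         @(Get-ChildItem -LiteralPath $ConfPath -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Any right bit outside the read mask (Write, Modify, Delete, FullControl,
        # ChangePermissions, TakeOwnership, GENERIC_*) is "greater than Read".
        $excess = ([int]$ace.FileSystemRights) -band (-bnot $ReadMask)
        if ($excess -eq 0) { continue }
        if ($DocumentedAccounts -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Account   = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Output "FINDING: $(@($findings).Count) ACE(s) grant more than Read to undocumented accounts."
} else {
    Write-Output "No finding: only documented accounts exceed Read under $ConfPath."
}
```

Run it from an elevated PowerShell session so Get-Acl can read every ACL; inherited ACEs are reported as well, because an over-permissive entry on a parent folder is still effective on httpd.conf.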

Documentable

False

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments