STIGQter: STIG Summary: APACHE 2.2 Server for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019:

The web server, although started by superuser or privileged account, must run using a non-privileged account.

DISA Rule

SV-36607r1_rule

Vulnerability Number

V-13619

Group Title

WG275

Rule Version

WG275 W22

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Configure the web server to run using a non-privileged account.

Check Contents

Work with the web administrator to determine the account assigned to the web server service. Once this is determined, right click on My Computer and select Manage. Then select Configuration, followed by Local Users and Groups.

Examine the account that is used to run the web server service and determine the group affiliations. The Apache server account may be a member of the users group and in some cases the site may have created a separate group for the apache web server. Both of these are not findings.

If the user account assigned to the web server service is a member of any other group than users or the created web server group, the SA will need to provide justification showing that these permissions are necessary for the function and operation of the web server.

NOTE: The Apache account needs to have the following rights, which would not be a finding: Act as part of the Operating System & Log on as a Service.

The web server, although started by superuser or privileged account, must run using a non-privileged account.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Responsibility

Target Key

Comments