STIGQter: STIG Summary: Web Server Security Requirements Guide, Version: 2, Release: 3, Benchmark Date: 26 Apr 2019

The web server application, libraries, and configuration files must only be accessible to privileged users.

DISA Rule

SV-70235r2_rule

Vulnerability Number

V-55981

Group Title

SRG-APP-000380-WSR-000072

Rule Version

SRG-APP-000380-WSR-000072

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Define roles and responsibilities to be used when managing the web server.

Configure the hosting system to utilize specific roles that restrict access related to web server system and configuration changes.

Check Contents

Review the web server documentation and configuration to determine if the web server provides unique account roles specifically for the purposes of segmenting the responsibilities for managing the web server.

Log into the hosting server using a web server role with limited permissions (e.g., Auditor, Developer, etc.) and verify the account is not able to perform configuration changes that are not related to that role.

If roles are not defined with limited permissions and restrictions, this is a finding.

Documentable

False

Severity Override Guidance

Review the web server documentation and configuration to determine if the web server provides unique account roles specifically for the purposes of segmenting the responsibilities for managing the web server.

Log into the hosting server using a web server role with limited permissions (e.g., Auditor, Developer, etc.) and verify the account is not able to perform configuration changes that are not related to that role.

If roles are not defined with limited permissions and restrictions, this is a finding.

Check Content Reference

M

Target Key

2557
