Web administration tools must be restricted to the web manager and the web manager’s designees.


Overview

Finding ID: V-2248
Version: WG220 W22
Rule ID: SV-33072r1_rule
IA Controls: ECCD-1, ECCD-2
Severity: Medium
Description
All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the administration tools creates risk of potential theft or damage that may ultimately compromise the mission. Adequate protection ensures that server administration operates with less risk of losses or operations outages. The key web service administrative and configuration tools must be accessible only by the authorized web server administrators. All users granted this authority must be documented and approved by the IAO. Access to the IIS Manager will be limited to authorized users and administrators.
STIG: APACHE SERVER 2.2 for Windows
Date: 2011-12-12

Details

Check Text (C-33743r1_chk)
The file which controls the web service is the httpd.conf file.

Read and Write or Full Control access to this file is to be limited to the SA, Web Manager or Web Manager’s designees.

Check permissions on the httpd.conf file. They should be:
Administrators: Full Control
System: Full Control
WebAdmin: Full Control
Apache Service: Read & Execute

If accounts other than the SA, web manager, or web manager designees have access to the httpd.conf, this is a finding.
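
One way to automate the check above in PowerShell, as an added example that is not part of the STIG: it walks every Allow entry on httpd.conf, inherited ones included, and reports accounts outside the expected set or holding more rights than expected. The file path and the domain account names standing in for WebAdmin and Apache Service are assumptions to replace with site values.

```powershell
# Added example: audit the httpd.conf ACL against the entries in the check text.
# Assumptions (site-specific, not from the STIG): the file path and the real
# account names behind "WebAdmin" and "Apache Service".
param(
    [string]$ConfPath = 'C:\Apache2.2\conf\httpd.conf'   # placeholder path
)

$Rights      = [System.Security.AccessControl.FileSystemRights]
$FullControl = $Rights::FullControl
$ReadExecute = $Rights::ReadAndExecute -bor $Rights::Synchronize

# Identity -> maximum rights the check text allows for it.
$Allowed = @{
    'BUILTIN\Administrators' = $FullControl
    'NT AUTHORITY\SYSTEM'    = $FullControl
    'EXAMPLE\WebAdmin'       = $FullControl   # hypothetical group name
    'EXAMPLE\svc_apache'     = $ReadExecute   # hypothetical service account
}

function Test-HttpdConfAcl {
    param([string]$Path, [hashtable]$AllowedRights)
    $findings = @()
    # .Access returns explicit and inherited ACEs; inherited entries from the
    # parent folder (for example a broad Users group) are a common cause.
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }  # Deny ACEs only restrict
        $id = $ace.IdentityReference.Value
        if (-not $AllowedRights.ContainsKey($id)) {
            $findings += [pscustomobject]@{
                Identity = $id; Rights = $ace.FileSystemRights; Reason = 'Account not authorized' }
            continue
        }
        # Any bit granted outside the allowed mask is excess privilege.
        $excess = [int]$ace.FileSystemRights -band (-bnot [int]$AllowedRights[$id])
        if ($excess -ne 0) {
            $findings += [pscustomobject]@{
                Identity = $id; Rights = $ace.FileSystemRights; Reason = 'Rights exceed expected level' }
        }
    }
    return $findings
}

$result = Test-HttpdConfAcl -Path $ConfPath -AllowedRights $Allowed
if ($result) {
    $result | Format-Table -AutoSize
    'V-2248: finding'
} else {
    'V-2248: not a finding'
}
```

An identity that maps to an approved designee but is not in `$Allowed` is still reported, so the table should mirror the IAO-approved list.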
Fix Text (F-29378r1_fix)
Restrict access to the httpd.conf file to only the web manager and the web manager’s designees.