Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-2248 | WG220 W22 | SV-33072r1_rule | ECCD-1 ECCD-2 | Medium |
Description |
---|
All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the administration tools creates risk of potential theft or damage that may ultimately compromise the mission. Adequate protection ensures that server administration operates with less risk of losses or operations outages. The key web service administrative and configuration tools must be accessible only by the authorized web server administrators. All users granted this authority must be documented and approved by the IAO. Access to the IIS Manager will be limited to authorized users and administrators. |
STIG | Date |
---|---|
APACHE SERVER 2.2 for Windows | 2011-12-12 |
Check Text ( C-33743r1_chk ) |
---|
The file which controls the web service is the httpd.conf file. Read and Write or Full Control access to this file is to be limited to the SA, Web Manager or Web Manager’s designees. Check permissions on the httpd.conf file. They should be: Administrators: Full Control; System: Full Control; WebAdmin: Full Control; Apache Service: Read & Execute. If accounts other than the SA, web manager, or web manager designees have access to the httpd.conf, this is a finding. |
Fix Text (F-29378r1_fix) |
---|
Restrict access to the httpd.conf file to only the web manager and the web manager’s designees. |
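
One way to run the check above from PowerShell, as an added example that is not part of the STIG text: it reads the ACL on httpd.conf and reports every Allow entry that belongs to an unlisted account or grants more than the listed right. Assumptions: the function name `Test-HttpdConfAcl` is hypothetical, the file path is a placeholder for the real install location, and accounts are matched by the name after the domain or machine prefix.

```powershell
# Added example: compare the httpd.conf ACL with the accounts in the check text.
function Test-HttpdConfAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Allowed   # account name -> highest right permitted
    )
    # Windows adds Synchronize to most file ACEs; it is not treated as excess access.
    $sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $acl  = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }    # Deny entries only restrict
        # Assumption: match on the name after DOMAIN\ or MACHINE\. An unresolved SID
        # has no prefix, matches nothing in the list, and is reported.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        $held = [int]$ace.FileSystemRights
        if (-not $Allowed.ContainsKey($name)) {
            $reason = 'account not in approved list'
        } else {
            $max = [int][System.Security.AccessControl.FileSystemRights]$Allowed[$name] -bor $sync
            if (($held -band (-bnot $max)) -eq 0) { continue }  # within the permitted right
            $reason = "rights exceed $($Allowed[$name])"
        }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Reason    = $reason
        }
    }
}

# Accounts and rights as listed in the check text. Designees approved by the IAO
# would be added here under their real account names.
$approved = @{
    'Administrators' = 'FullControl'
    'SYSTEM'         = 'FullControl'
    'WebAdmin'       = 'FullControl'
    'Apache Service' = 'ReadAndExecute'
}
$confPath = 'C:\Apache2.2\conf\httpd.conf'   # assumed path; use the actual ServerRoot

$findings = @(Test-HttpdConfAcl -Path $confPath -Allowed $approved)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Output "FINDING: $($findings.Count) ACL entry(ies) on httpd.conf outside the approved list"
} else {
    Write-Output 'Not a finding: httpd.conf ACL matches the approved list'
}
```

Entries reported with `Inherited = True` come from the parent folder, so correcting them means changing the folder ACL or disabling inheritance on the file.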