
The service account ID used to run the web site will have its password changed at least annually.


Overview

Finding ID: V-2235
Version: WG060
Rule ID: SV-2235r4_rule
IA Controls: IAIA-1, IAIA-2
Severity: Medium
Description
Normally, a service account is established for the web service to run under rather than permitting it to run as system or root. The passwords on such accounts must be changed at least annually. It is a fundamental tenet of security that passwords are not to be null and must not be set to never expire.
STIG: Web Server STIG
Date: 2010-10-07

Details

Check Text (C-29901r1_chk)
Query the IAO and confirm with the SA, the Web Manager, or the individual in an equivalent role.

Proposed Questions:

What is your policy for service account passwords?

What types of services does this policy apply to?

How often are service account passwords changed?

If the web services password is not changed at least annually, this is a finding.

NOTE: For IIS or other web server installations that are running as localsystem, the password is changed automatically by the OS every 7 days, so this should be marked as N/A.
Fix Text (F-27578r1_fix)
Ensure that the service account ID used to run the web site has its password changed at least annually.