UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The service account ID used to run the web site will have its password changed at least annually.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2235 WG060 SV-2235r4_rule IAIA-1 IAIA-2 Medium
Description
Normally, a service account is established for the web service to run under rather than permitting it to run as system or root. The passwords on such accounts must be changed at least annually. It is a fundamental tenet of security that passwords are not to be null and must not to be set to never expire.
STIG Date
Web Server STIG 2010-10-07

Details

Check Text ( C-29901r1_chk )
Query the IAO and confirm with the SA, the Web Manager, or the individual in an equivalent role.

Proposed Questions:

What is your policy for service account passwords?

What types of services does this policy apply to?

How often is service account passwords changed?

If the web services password is not changed at least annually, this is a finding.

NOTE: For IIS or other web server installations that are running as localsystem, the password is changed automatically by the OS every 7 days, so this should be marked as N/A.
Fix Text (F-27578r1_fix)
Ensure that the service account ID used to run the web site has its password changed at least annually.