Access to web administration tools is restricted to the web manager and the web manager’s designees.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-2248 | WG220 | SV-2248r5_rule | ECCD-1 ECCD-2 | Medium |
| Description |
|---|
| The key web service administrative and configuration tools must only be accessible by the web server staff. As these services control the functioning of the web server, access to these tools is crucial. This would include access to the Web Admin Server in Netscape, the IIS Management Console, the Apache httpd.conf file, or sysadmin.cfg in Oracle. |
| STIG | Date |
|---|---|
| Web Server STIG | 2010-10-07 |
Details
| Check Text ( C-29923r1_chk ) |
|---|
| Query the SA to determine what tool or control file is used to control the configuration of the web server. The tool or files need to be restricted to the web manager and assigned designees. If the control of the web server is done via control files, the reviewer will need to verify who has update access to them. If tools are being used to configure the web server, the reviewer will need to determine who has access to execute the tools. If accounts other than the SA, the web manager, or the web manager designees have access to the web administration tool or equivalent, this is a finding. |
| Fix Text (F-26807r1_fix) |
|---|
| Restrict access to the web administration tool to only the web manager and the web manager’s designees. |