The web client account access to the content and scripts directories will be limited to read and execute.


Overview

Finding ID: V-2258
Version: WG290
Rule ID: SV-2258r5_rule
IA Controls: ECLP-1
Severity: High
Description
Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.
STIG: Web Server STIG
Date: 2010-10-07

Details

Check Text (C-29953r1_chk)
Determine the web client account (anonymous account) for the web server software that is installed.

For the web content and script directories, determine the permissions granted to the web client account. Permissions for this account should be read and execute or more restrictive.

If the web client account access to the content and scripts directories is not limited to read and execute, this is a finding.

If the Microsoft ‘everyone’ account or the UNIX ‘world’ user has full access to these directories, this is a finding.

Permissions for ‘everyone’ and the UNIX world user will be as restricted as possible.

Fix Text (F-26824r1_fix)
Limit web client account access to the web content and scripts directories to read and execute (or script in the case of IIS). Furthermore, ensure this account has no access to the operating system files and resources, which are to be located on a separate drive or partition.
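The following POSIX shell script is an added example, not part of the STIG text, showing how the UNIX side of this check can be automated: it walks a web content or scripts tree and reports every path that is world-writable or that the web client account can write to through ownership or group membership. The account name (www-data is used as an illustration) and the directory path are assumptions; substitute the account the installed web server actually runs as. Only mode bits are inspected, so POSIX ACLs and IIS "script" permissions are outside its scope.

```shell
#!/bin/sh
# Added example (not part of the STIG text): audit a web content or scripts
# directory tree for the excessive-permission condition described in WG290.
# A path is reported when
#   - the UNIX "world" (other) class has write permission, or
#   - the web client account can write to it via owner or group membership.
# Only mode bits are inspected; POSIX ACLs are not examined.

# Print "mode owner group path" for every entry under the given tree.
# ls -ld is used instead of stat(1) so the script runs on GNU and BSD userlands.
list_tree() {
    tree=$1
    find "$tree" -print | while IFS= read -r p; do
        set -- $(ls -ld "$p")
        printf '%s %s %s %s\n' "$1" "$3" "$4" "$p"
    done
}

# in_list NEEDLE WORD... : succeed when NEEDLE equals one of the WORDs.
in_list() {
    needle=$1
    shift
    for w in "$@"; do
        [ "$w" = "$needle" ] && return 0
    done
    return 1
}

# audit_web_tree TREE WEBUSER : print one FINDING line per offending path.
# WEBUSER is the web client (anonymous) account, e.g. www-data (an assumed
# name; use whatever account the installed web server runs as).
audit_web_tree() {
    tree=$1
    webuser=$2
    # Groups the web account belongs to; empty when the account does not exist.
    webgroups=$(id -Gn "$webuser" 2>/dev/null || true)
    list_tree "$tree" | while read -r mode owner group path; do
        # Mode string layout "drwxrwxrwx": owner w at column 3,
        # group w at column 6, other (world) w at column 9.
        ow=$(printf '%s' "$mode" | cut -c3)
        gw=$(printf '%s' "$mode" | cut -c6)
        xw=$(printf '%s' "$mode" | cut -c9)
        if [ "$xw" = w ]; then
            echo "FINDING world-writable: $path ($mode)"
        fi
        if [ "$ow" = w ] && [ "$owner" = "$webuser" ]; then
            echo "FINDING web account owns and can write: $path ($mode)"
        # $webgroups is deliberately unquoted so it splits into one word per group.
        elif [ "$gw" = w ] && in_list "$group" $webgroups; then
            echo "FINDING web account can write via group $group: $path ($mode)"
        fi
    done
}

# count_findings TREE WEBUSER : number of FINDING lines; 0 means compliant.
count_findings() {
    audit_web_tree "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh audit_web_dirs.sh /var/www/html www-data   (paths and account are assumptions)
if [ "$#" -eq 2 ]; then
    audit_web_tree "$1" "$2"
fi
```

Run it once against the content directory and once against the scripts directory; an empty report means the web client account and the world class are limited to read and execute on every entry. Any FINDING line names the path and its mode string so the permission can be tightened with chmod or chown.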