Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-2259 | WG300 | SV-2259r7_rule | ECCD-1 ECCD-2 ECLP-1 | Medium |
Description |
---|
This check verifies that the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web server, and thus its behavior, must also be accessible by the account that runs the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform. |
STIG | Date |
---|---|
Web Server STIG | 2010-10-07 |
Check Text ( C-29964r1_chk ) |
---|
Windows 2008 servers may be impacted by this check. If the SA or the web administrator can demonstrate that this requirement as written will adversely affect the web server by providing vendor documentation, then the reviewer will verify compliance with vendor guidance with respect to file permissions and access controls. Query the SA or the web administrator to determine if an access control file is used by the web server and the name and location of the files. The reviewer will verify the permissions on these files. Some examples are listed below, but the specific file names may vary by web server software products. NOTE: These are just sample file names and directories. The actual names will vary based on the product that is being used. You will have to determine the appropriate directory and file that correspond to the samples provided below. Example: ServerRoot "C:\Program Files\Product" Permissions on this directory files should be: Administrators: full System: full WebAdmin: full WebUser: read, execute Web Service Account: read, execute Permissions for the /config directory should be as follows: (This is a sub-directory to the main web directory identified above.) Administrators: full System: read WebAdmin: modify Web Service Account: read Permissions on this directory files should be: Administrators: full System: full WebAdmin: full WebUser: read, execute Web Service Account: read, execute Permissions for the /bin directory should be as follows: (This is a sub-directory to the main web directory identified above.) Administrators: full System: read, execute WebAdmin: modify Web Service Account: read, execute Permissions for the /logs directory should be as follows: (This is a sub-directory to the main web directory identified above.) Administrators: read System: full WebAdmin: read Web Service Account: modify Auditors: full Permissions for the /htdocs directory (DocumentRoot) should be as follows: (This is a sub-directory to the main web directory identified above.) Administrators: Full control System: Read WebAdmin: Modify Web Service Account: Read If any of the permissions listed above are less restrictive, this is a finding. |
Fix Text (F-26829r1_fix) |
---|
Set file permissions on the web server systems files to meet minimum file permissions requirements. |