
Anonymous access accounts are restricted.


Overview

Finding ID: V-6537
Version: WG195
Rule ID: SV-6639r4_rule
IA Controls: ECCD-1, ECCD-2, ECLP-1
Severity: High
Description
Many security problems are not the result of a user gaining access to files or data without having been granted permission, but of users being granted permissions they should never have had. The files, directories, and data stored on the web server need to be evaluated and a determination made about who is authorized to access the information and programs on the server. In most cases, several types of users can be identified on a web server: system administrators (SAs), web administrators, auditors, authors, developers, and clients (web users, either anonymous or authenticated). Only authorized users and administrative accounts will be allowed on the host server to maintain the web server and applications and to review the server's operation.
STIG: Web Server STIG
Date: 2010-10-07

Details

Check Text (C-29990r1_chk)
Work with the SA or the web administrator to determine whether the web server supports an anonymous access account and, if so, note the name of the account. If an anonymous account is used to access the web site, the reviewer needs to check its privileges.

If anonymous access is not allowed for the web site, this check is not applicable.

If anonymous access is allowed for the web site, the account should be restricted as far as possible: it needs only the rights required to read and serve the site's content, not to administer the host, the web server, or other applications.

If the anonymous account has privileges beyond what is necessary to access the web site, this is a finding.
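As an added example (not part of the STIG or its check text), the following POSIX shell script performs the privilege review described above on a Unix-like host: given the name of the anonymous account identified with the SA, it reports the conditions that would make this a finding, namely UID 0, an interactive login shell, membership in an administrative group, or world-writable content under the document root. The account name, the group list in PRIV_GROUPS and the document root are assumptions to be adjusted for the host under review; the passwd and group file paths are parameters so the check can also be run against copies collected from the server.

```shell
#!/bin/sh
# Added example (not part of the STIG text): audit the privileges held by a
# web server's anonymous access account on a Unix-like host.
#
# Usage: audit_anon_account ACCOUNT [PASSWD_FILE] [GROUP_FILE] [DOCROOT]
#   PASSWD_FILE / GROUP_FILE default to /etc/passwd and /etc/group; they are
#   parameters so the check can also run against copies pulled from a host.
#   DOCROOT is optional; when given, world-writable files under it are reported.
# Prints one "FINDING:" line per problem. Exit status: 0 = no finding,
# 1 = one or more findings, 2 = account not found.

# Group names that carry administrative rights (an assumption; adjust per host).
PRIV_GROUPS="root wheel sudo admin adm shadow"

audit_anon_account() {
    acct=$1
    passwd=${2:-/etc/passwd}
    group=${3:-/etc/group}
    docroot=$4
    findings=0

    entry=$(awk -F: -v u="$acct" '$1 == u' "$passwd")
    if [ -z "$entry" ]; then
        echo "ERROR: account '$acct' not found in $passwd" >&2
        return 2
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # A UID of 0 is root regardless of the account name.
    if [ "$uid" -eq 0 ]; then
        echo "FINDING: $acct has UID 0"
        findings=$((findings + 1))
    fi

    # The account only needs to run the web server's worker processes; an
    # interactive shell (or an empty shell field, which means /bin/sh) is
    # more than that.
    case "$shell" in
        */nologin|*/false) ;;
        *)  echo "FINDING: $acct has an interactive login shell (${shell:-/bin/sh})"
            findings=$((findings + 1)) ;;
    esac

    # Primary group (by GID) plus every group listing the account as a member.
    pgroup=$(awk -F: -v g="$gid" '$3 == g { print $1 }' "$group")
    sgroups=$(awk -F: -v u="$acct" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$group")
    for g in $pgroup $sgroups; do
        for p in $PRIV_GROUPS; do
            if [ "$g" = "$p" ]; then
                echo "FINDING: $acct is a member of privileged group $g"
                findings=$((findings + 1))
            fi
        done
    done

    # World-writable content under the document root lets the anonymous
    # account (and anything running as it) change what the site serves.
    if [ -n "$docroot" ] && [ -d "$docroot" ]; then
        ww=$(find "$docroot" -type f -perm -002 2>/dev/null)
        if [ -n "$ww" ]; then
            echo "FINDING: world-writable files under $docroot:"
            printf '%s\n' "$ww" | sed 's/^/    /'
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Run directly, e.g.:  sh audit_anon.sh www-data /etc/passwd /etc/group /var/www
if [ "$#" -ge 1 ]; then
    audit_anon_account "$@"
fi
```

On the live host, supplement this with `sudo -l -U <account>` (run as root) to confirm the account has no sudo rules, and with the web server's own configuration to confirm which OS account the anonymous identity actually maps to. On IIS the same review applies to the anonymous authentication user (IUSR by default) and the application pool identity, whose group memberships and NTFS rights are checked instead of passwd and group entries.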
Fix Text (F-26850r1_fix)
Remove from the anonymous access account any privileges beyond those needed to serve the web site; typically this means no membership in administrative groups, no interactive login shell, and no write access to the web content or the server configuration.