UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Anonymous access accounts are restricted.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6537 WG195 SV-6639r4_rule ECCD-1 ECCD-2 ECLP-1 High
Description
Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather users are assigned incorrect permissions to unauthorized data. The files, directories, and data that are stored on the web server need to be evaluated and a determination made concerning authorized access to information and programs on the server. In most cases, we can identify several types of users on a web server. These are system SAs, web administrators, auditors, authors, developers, and clients (web users, either anonymous or authenticated). Only authorized users and administrative accounts will be allowed on the host server to maintain the web server and applications, and to review the server operations.
STIG Date
Web Server STIG 2010-10-07

Details

Check Text ( C-29990r1_chk )
Work with the SA or the web administrator to determine if the web server supports an anonymous access account and, if so, note the name of the account. If an anonymous account is used to access the web site, then the reviewer will need to check its privileges.

If anonymous access is not allowed for the web site, then this check is not applicable.

If anonymous access is allowed for the web site, then the account should be restricted as much as possible.

If the anonymous account has privileged access above what is necessary to access the web site, this is a finding.
Fix Text (F-26850r1_fix)
Update the anonymous access account to remove privileged access.