UCF STIG Viewer Logo

Only authenticated system administrators or the designated PKI Sponsor for the web server must have access to the web servers private key.


Overview

Finding ID Version Rule ID IA Controls Severity
V-41731 SRG-APP-000176-WSR-000096 SV-54308r2_rule Medium
Description
The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the SSL traffic between a client and the web server.
STIG Date
Web Server Security Requirements Guide 2014-11-17

Details

Check Text ( C-48128r2_chk )
If the web server does not have a private key, this is N/A.

Review the web server documentation and deployed configuration to determine whether only authenticated system administrators and the designated PKI Sponsor for the web server can access the web server private key.

If the private key is accessible by unauthenticated or unauthorized users, this is a finding.
Fix Text (F-47190r2_fix)
Configure the web server to ensure only authenticated and authorized users can access the web server's private key.