Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The web server must enforce approved authorizations for logical access to hosted applications and resources in accordance with applicable access control policies.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-55945 | SRG-APP-000033-WSR-000169 | SV-70199r1_rule | Medium |
| Description |
|---|
| To control access to sensitive information and hosted applications by entities that have been issued certificates by DoD-approved PKIs, the web server must be properly configured to incorporate a means of authorization that does not simply rely on the possession of a valid certificate for access. Access decisions must include a verification that the authenticated entity is permitted to access the information or application. Authorization decisions must leverage a variety of methods, such as mapping the validated PKI certificate to an account with an associated set of permissions on the system. If the web server relied only on the possession of the certificate and did not map to system roles and privileges, each user would have the same abilities and roles to make changes to the production system. |
| STIG | Date |
|---|---|
| Web Server Security Requirements Guide | 2014-11-17 |
Details
| Check Text ( C-56515r2_chk ) |
|---|
| The web server must be configured to perform an authorization check to verify that the authenticated entity should be granted access to the requested content. If the web server does not verify that the authenticated entity is authorized to access the requested content prior to granting access, this is a finding. |
| Fix Text (F-60823r1_fix) |
|---|
| Configure the web server to validate the authenticated entity's authorization to access requested content prior to granting access. |