Non-privileged accounts on the hosting system must only access web server security-relevant information and functions through a distinct administrative account.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-55947	SRG-APP-000340-WSR-000029	SV-70201r1_rule		Medium

Description
By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged account to a privileged account when operating on the web server or on security-relevant information forces users to only operate as a web server administrator when necessary. Operating in this manner allows for better logging of changes and better forensic information and limits accidental changes to the web server.

Description

By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged account to a privileged account when operating on the web server or on security-relevant information forces users to only operate as a web server administrator when necessary. Operating in this manner allows for better logging of changes and better forensic information and limits accidental changes to the web server.

STIG	Date
Web Server Security Requirements Guide	2014-11-17

Details

Check Text ( C-56517r2_chk )
Review the web server documentation and configuration to determine if accounts used for administrative duties of the web server are separated from non-privileged accounts. If non-privileged accounts can access web server security-relevant information, this is a finding.

Fix Text (F-60825r1_fix)
Set up accounts and roles that can be used to perform web server security-relevant tasks and remove or modify non-privileged account access to security-relevant tasks.