Non-privileged accounts on the hosting system must only access web server security-relevant information and functions through a distinct administrative account.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-206419 | SRG-APP-000340-WSR-000029 | SV-206419r961353_rule | CCI-002235 | medium |
| Description | ||||
| By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged account to a privileged account when operating on the web server or on security-relevant information forces users to only operate as a web server administrator when necessary. Operating in this manner allows for better logging of changes and better forensic information and limits accidental changes to the web server. | ||||
| STIG | Date | |||
| Web Server Security Requirements Guide | 2025-02-12 | |||
Details
Check Text (C-206419r961353_chk)
Review the web server documentation and configuration to determine if accounts used for administrative duties of the web server are separated from non-privileged accounts.
If non-privileged accounts can access web server security-relevant information, this is a finding.
Fix Text (F-6680r377850_fix)
Set up accounts and roles that can be used to perform web server security-relevant tasks and remove or modify non-privileged account access to security-relevant tasks.