Non-privileged accounts on the hosting system must only access web server security-relevant information and functions through a distinct administrative account.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-206419 | SRG-APP-000340-WSR-000029 | SV-206419r961353_rule | CCI-002235 | medium |

Description

By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged account to a privileged account when operating on the web server or on security-relevant information forces users to only operate as a web server administrator when necessary. Operating in this manner allows for better logging of changes and better forensic information and limits accidental changes to the web server.

| STIG | Date |
|---|---|
| Web Server Security Requirements Guide | 2025-02-12 |
Related Frameworks
3 paths across 3 frameworks

NIST 800-53 mapping: AC-6(10) (1.00)
- DISA · 4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 mapping: 3.1.7 (1.00)
- DISA · 4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI mapping: CCI-002235 (1.00)
- DISA · 4 · disa_xccdf · related
Details
Check Text (C-206419r961353_chk)
Review the web server documentation and configuration to determine if accounts used for administrative duties of the web server are separated from non-privileged accounts.
If non-privileged accounts can access web server security-relevant information, this is a finding.
Fix Text (F-6680r377850_fix)
Set up accounts and roles that can be used to perform web server security-relevant tasks and remove or modify non-privileged account access to security-relevant tasks.