STIGQter: STIG Summary: APACHE 2.2 Server for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019

Web server system files must conform to minimum file permission requirements.

DISA Rule

SV-33078r2_rule

Vulnerability Number

V-2259

Group Title

WG300

Rule Version

WG300 W22

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Set file permissions on the web server system files to meet the minimum file permission requirements.

Check Contents

Locate and examine the httpd.conf file. Look for the section: <ServerRoot>. This section will contain the path to the configuration and binary files.
Note: This check also applies to any other directory where CGI scripts are located.

Permissions on the files in this directory should be:

Administrators: Full Control
System: Full Control
WebAdmin: Full Control
WebUser: Read, Execute
Apache Service Account: Read, Execute

Permissions for the /config directory should be as follows:
(This is a subdirectory of the main Apache directory identified above)
Administrators: Full Control
System: Read
WebAdmin: Modify
Apache Service Account: Read

Permissions for the /bin directory should be as follows:
(This is a subdirectory of the main Apache directory identified above)
Administrators: Full Control
System: Read, Execute
WebAdmin: Modify
Apache Service Account: Read, Execute

Permissions for the /logs directory should be as follows:
(This is a subdirectory of the main Apache directory identified above)
Administrators: Read
System: Full Control
WebAdmin: Read
Apache Service Account: Modify
Auditors: Full Control

Permissions for the /htdocs directory (DocumentRoot) should be as follows:
(This is a subdirectory of the main Apache directory identified above)
Administrators: Full Control
System: Read
WebAdmin: Modify
Apache Service Account: Read

If any of the above permissions are less restrictive, this is a finding.

Note: There may be additional directories based on the local implementation, and these permissions should be applied to directories with similar content. For example, all web content directories should follow the permissions for /htdocs.
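
One way to automate this check, as an added example that is not part of the STIG: the script compares the Allow ACEs on each directory with the maximum rights listed above and reports any ACE that grants more. The ServerRoot path, the account names in `$Map` (WebAdmin, WebUser, Auditors and the Apache service account are site-defined) and the choice to report unlisted identities for review are assumptions; it reads each directory's own ACL, not every file beneath it.

```powershell
# Added example: compare directory ACLs with the maximum rights listed in the check.
param([string]$ServerRoot = 'C:\Apache2.2')  # assumed path; use the ServerRoot value from httpd.conf

$R = [System.Security.AccessControl.FileSystemRights]

# Role named in the check -> local account or group. Placeholders, site-defined.
$Map = @{
    Administrators = 'BUILTIN\Administrators'
    System         = 'NT AUTHORITY\SYSTEM'
    WebAdmin       = 'EXAMPLE\WebAdmin'
    WebUser        = 'EXAMPLE\WebUser'
    Apache         = 'EXAMPLE\svc_apache'
    Auditors       = 'EXAMPLE\Auditors'
}

# Maximum rights per directory ('.' is ServerRoot itself), taken from the check text.
$Matrix = [ordered]@{
    '.'    = @{ Administrators='FullControl'; System='FullControl'; WebAdmin='FullControl'; WebUser='ReadAndExecute'; Apache='ReadAndExecute' }
    config = @{ Administrators='FullControl'; System='Read'; WebAdmin='Modify'; Apache='Read' }
    bin    = @{ Administrators='FullControl'; System='ReadAndExecute'; WebAdmin='Modify'; Apache='ReadAndExecute' }
    logs   = @{ Administrators='Read'; System='FullControl'; WebAdmin='Read'; Apache='Modify'; Auditors='FullControl' }
    htdocs = @{ Administrators='FullControl'; System='Read'; WebAdmin='Modify'; Apache='Read' }
}

$findings = foreach ($sub in $Matrix.Keys) {
    $path = if ($sub -eq '.') { $ServerRoot } else { Join-Path $ServerRoot $sub }
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Not found: $path"; continue }

    # Build identity -> allowed-rights mask for this directory.
    $allowed = @{}
    foreach ($role in $Matrix[$sub].Keys) { $allowed[$Map[$role]] = $Matrix[$sub][$role] -as $R }

    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs only restrict
        $id     = $ace.IdentityReference.Value
        $listed = $allowed.ContainsKey($id)
        $max    = if ($listed) { $allowed[$id] } else { 0 -as $R }
        # Bits granted beyond the allowed mask; Synchronize is ignored because it
        # accompanies ordinary grants. Generic-rights bits also surface here.
        $excess = [int]$ace.FileSystemRights -band (-bnot ([int]$max -bor [int]$R::Synchronize))
        if ($excess) {
            [pscustomobject]@{ Path = $path; Identity = $id; Listed = $listed
                               Granted = $ace.FileSystemRights; Excess = $excess -as $R }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No ACE exceeds the matrix.' }
```

Rows with `Listed` set to False are identities the check does not name; treat them as items to review against local policy.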

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments