CUI

STIG Rule - V-206419

Vulnerability ID: V-206419
Rule ID: SV-206419r961353_rule
Severity: CAT II

Non-privileged accounts on the hosting system must only access web server security-relevant information and functions through a distinct administrative account.

From: Web Server Security Requirements Guide (V4R4)

Description

By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged account to a privileged account when operating on the web server or on security-relevant information forces users to only operate as a web server administrator when necessary. Operating in this manner allows for better logging of changes and better forensic information and limits accidental changes to the web server.

Documentable: false

Check Procedure

Review the web server documentation and configuration to determine if accounts used for administrative duties of the web server are separated from non-privileged accounts. If non-privileged accounts can access web server security-relevant information, this is a finding.

Fix Text

Set up accounts and roles that can be used to perform web server security-relevant tasks and remove or modify non-privileged account access to security-relevant tasks.
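One concrete way to carry out this check and fix on a Linux host, as an added example that is not part of the SRG text and is not specific to any web server product: security-relevant files (configuration, private keys, log directories) are assumed to live under a directory passed as the first argument, and the distinct administrative role is assumed to be a dedicated group passed as the second argument. Both names are hypothetical placeholders; the audit reports any file that "other" can touch, or that a group other than the admin group (or root) has rights to, and the enforce function applies the owner/admin-group-only layout (750 for directories, 640 for files). It assumes GNU find (`-printf`).

```shell
#!/bin/sh
# Added example (not from the STIG): audit and enforce the separation between
# non-privileged accounts and web server security-relevant files.
# Assumptions (hypothetical): $1 is the directory holding security-relevant
# files, $2 is the administrative group; GNU find is available.

# Print one "FINDING ..." line per file a non-privileged account could reach.
audit_webserver_admin_separation() {
    dir="$1"
    admin_group="$2"
    # %m = octal mode without leading zero, %g = group name, %p = path
    find "$dir" -type f -printf '%m %g %p\n' | while IFS=' ' read -r mode group path; do
        other=$(( mode % 10 ))          # permission bits for "other"
        grp=$(( (mode / 10) % 10 ))     # permission bits for the owning group
        if [ "$other" -ne 0 ]; then
            echo "FINDING world-accessible mode=$mode $path"
        elif [ "$grp" -ne 0 ] && [ "$group" != "$admin_group" ] && [ "$group" != "root" ]; then
            echo "FINDING non-admin group=$group mode=$mode $path"
        fi
    done
}

# Number of findings; always exits 0 so it is safe under "set -e".
count_findings() {
    audit_webserver_admin_separation "$1" "$2" | grep -c '^FINDING' || true
}

# Fix: hand every file and directory to the admin group and drop all rights
# for "other". Ownership by root (chown) is left to the site's own procedure.
enforce_admin_separation() {
    dir="$1"
    admin_group="$2"
    find "$dir" -type d -exec chgrp "$admin_group" {} + -exec chmod 750 {} +
    find "$dir" -type f -exec chgrp "$admin_group" {} + -exec chmod 640 {} +
}

# Stand-alone use: audit.sh <security-relevant-dir> <admin-group>
if [ "$#" -eq 2 ]; then
    audit_webserver_admin_separation "$1" "$2"
    echo "findings: $(count_findings "$1" "$2")"
fi
```

The audit is the evidence for the check procedure (a non-zero count is the finding); the enforce step is the permission half of the fix text. The account half, a dedicated administrative group whose members reach the service only through a separate privileged session (for example sudo rules scoped to that group), still has to be set up and documented alongside it.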

CCI Reference

CCI-002235

Created: 2026-04-07 20:08:40
Last Updated: 2026-04-07 20:08:40