
Apache Server 2.4 Windows Site Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000427-WSR-000186

    Group
  • The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).

    Non-DoD-approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place that are sufficient for DoD systems to rely on the identity asserte...
    Rule Medium Severity
  • SRG-APP-000435-WSR-000148

    Group
  • SRG-APP-000439-WSR-000153

    Group
  • SRG-APP-000439-WSR-000154

    Group
  • Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data.

    A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers coul...
    Rule Medium Severity
  • SRG-APP-000439-WSR-000155

    Group
  • Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies.

    Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the trans...
    Rule Medium Severity
  • SRG-APP-000014-WSR-000006

    Group
  • SRG-APP-000516-WSR-000174

    Group
  • The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

    Configuring the web server to implement organization-wide security implementation guides and security checklists guarantees compliance with federal standards and establishes a common security basel...
    Rule Low Severity
  • The Apache web server must perform server-side session management.

    Session management is the practice of protecting the bulk of the user authorization and identity information. Storing of this data can occur on the client system or on the server. When the session...
    Rule Medium Severity
  • The Apache web server must produce log records containing sufficient information to establish what type of events occurred.

    Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct...
    Rule Medium Severity
  • Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server.

    A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web applica...
    Rule Medium Severity
  • Apache web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.

    As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The...
    Rule Medium Severity
  • Anonymous user access to the Apache web server application directories must be prohibited.

    To properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the ...
    Rule High Severity
  • The Apache web server must generate unique session identifiers that cannot be reliably reproduced.

    Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. To maintain a connection or session, a web server will generate a session identi...
    Rule Medium Severity
  • The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.

    The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an "...
    Rule Medium Severity
  • The Apache web server must set an inactive timeout for completing the TLS handshake.

    Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. Tim...
    Rule Medium Severity
  • The Apache web server must be tuned to handle the operational requirements of the hosted application.

    A denial of service (DoS) can occur when the web server is so overwhelmed that it can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a Do...
    Rule Medium Severity
  • The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed.

    A cookie is used when a web server needs to share data with the client's browser. The data is often used to remember the client when the client returns to the hosted application at a later date. A ...
    Rule Medium Severity
  • An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.

    Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server...
    Rule High Severity
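Several of the rules above (HttpOnly and Secure cookie flags, no cookie compression over TLS, approved TLS versions only, no directory listing on a missing page, sufficient log content, tuning, the TLS handshake timeout, and unique session identifiers) can be checked statically against httpd.conf. The script below is an example added by the editor; it is not part of the STIG, and it is not Apache's own tooling. The directives it looks for are real Apache 2.4 directives, but which directive is taken to satisfy which rule (for instance Header edit Set-Cookie for the cookie rules, SSLCompression for the compression rule, mod_unique_id for the session-identifier rule, Timeout and SSLSessionCacheTimeout for the timeout rules), the thresholds, the required log tokens, and both sample configurations are this example's assumptions, not text taken from the STIG.

```python
"""Audit an Apache 2.4 httpd.conf fragment against several of the rules listed above.
Editor-added example, not part of the STIG and not Apache's own tooling.  Directive names
are real Apache 2.4 directives; which directive is taken to satisfy which rule, and every
threshold, are this example's assumptions about a compliant site, not text from the STIG."""
import re

MAX_TIMEOUT = 10             # assumed ceiling for Timeout (tuning / DoS rule)
MAX_SSL_CACHE_TIMEOUT = 300  # assumed ceiling for SSLSessionCacheTimeout
APPROVED = {"TLSv1.2", "TLSv1.3"}
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # what 'all' means in 2.4
LOG_TOKENS = ("%a", "%h", "%l", "%u", "%t", "%m", "%U", "%s", "%{Referer}i")  # assumed minimum
CHECKS = ("cookie_httponly", "cookie_secure", "ssl_compression_off", "approved_tls_only",
          "error_document_404", "unique_id_module", "timeout_bounded",
          "ssl_cache_timeout_bounded", "log_format_sufficient")
ANY_OK = {"cookie_httponly", "cookie_secure", "error_document_404", "unique_id_module",
          "log_format_sufficient"}  # one compliant directive anywhere is enough for these

def directives(text):
    """Yield (lowercased name, args) per directive; comments and <Section> tags are skipped."""
    for line in (raw.strip() for raw in text.splitlines()):
        if line and line[0] not in "#<":
            parts = line.split(None, 1)
            yield parts[0].lower(), parts[1] if len(parts) > 1 else ""

def enabled_protocols(args):
    """Evaluate SSLProtocol tokens ('all', '+X', '-X', bare 'X') left to right."""
    enabled = set()
    for tok in args.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = (enabled - names) if op == "-" else (enabled | names)
    return enabled

def indexes_enabled(args):
    """Does this Options line leave Indexes on?  With +/- tokens the last Indexes token wins."""
    toks = args.split()
    if any(t[0] in "+-" for t in toks):
        flags = [t for t in toks if t.lower() in ("+indexes", "-indexes")]
        return bool(flags) and flags[-1][0] == "+"
    return any(t.lower() == "indexes" for t in toks)

def audit(text):
    """Return {check: passed}; the file is read flat (Include files are not followed)."""
    seen, indexes_on = {}, False
    def note(check, ok):
        seen.setdefault(check, []).append(bool(ok))
    for name, args in directives(text):
        first = args.split()[:1]
        if name == "header" and re.search(r"\bedit\b.*\bSet-Cookie\b", args, re.I):
            note("cookie_httponly", "httponly" in args.lower())
            note("cookie_secure", re.search(r"[;\s]secure\b", args, re.I))
        elif name == "sslcompression":
            note("ssl_compression_off", args.lower() == "off")
        elif name == "sslprotocol":
            enabled = enabled_protocols(args)
            note("approved_tls_only", enabled and enabled <= APPROVED)
        elif name == "options":
            indexes_on |= indexes_enabled(args)
        elif name == "errordocument" and first == ["404"]:
            note("error_document_404", True)
        elif name == "loadmodule" and first == ["unique_id_module"]:
            note("unique_id_module", True)
        elif name == "timeout":
            note("timeout_bounded", args.isdigit() and int(args) <= MAX_TIMEOUT)
        elif name == "sslsessioncachetimeout":
            note("ssl_cache_timeout_bounded", args.isdigit() and int(args) <= MAX_SSL_CACHE_TIMEOUT)
        elif name == "logformat":
            note("log_format_sufficient", all(tok in args for tok in LOG_TOKENS))
    result = {c: any(seen.get(c, [])) if c in ANY_OK else bool(seen.get(c)) and all(seen[c])
              for c in CHECKS}
    result["no_directory_indexes"] = not indexes_on
    return result

def failing_checks(text):
    return sorted(c for c, ok in audit(text).items() if not ok)

WEAK_CONF = r"""# constructed sample, not a real site: common defaults that fail the checks
Timeout 300
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<VirtualHost *:443>
    SSLProtocol all -SSLv3
    SSLCompression on
    SSLSessionCacheTimeout 300
    Options Indexes FollowSymLinks
</VirtualHost>
"""

HARDENED_CONF = r"""# constructed sample: the same site with the directives this example looks for
LoadModule unique_id_module modules/mod_unique_id.so
Timeout 10
LogFormat "%a %A %h %H %l %m %s %t %u %U \"%{Referer}i\"" stig
ErrorDocument 404 /errors/notfound.html
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
<VirtualHost *:443>
    SSLProtocol -ALL +TLSv1.2 +TLSv1.3
    SSLCompression off
    SSLSessionCacheTimeout 300
    Options -Indexes +FollowSymLinks
</VirtualHost>
"""
```

Calling failing_checks(WEAK_CONF) lists every check except the session-cache timeout, while failing_checks(HARDENED_CONF) returns an empty list. Two points the script cannot see: Header edit requires mod_headers to be loaded, and the "always" form is what makes the edit apply to error responses as well as 2xx responses; and SSLSessionCacheTimeout only bounds entries in the resumption cache, whereas the handshake itself is bounded by the connection Timeout because mod_ssl performs handshake I/O under that timeout. The script also reads the file flat, so it does not follow Include directives or model per-Directory inheritance of Options; confirm the loaded modules at runtime with httpd -t -D DUMP_MODULES and the cookie flags by inspecting a real Set-Cookie response header.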
