Apache Server 2.4 Windows Site Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

    Configuring the web server to implement organization-wide security implementation guides and security checklists guarantees compliance with federal standards and establishes a common security basel...
    Rule Low Severity
  • The Apache web server must perform server-side session management.

    Session management is the practice of protecting the bulk of the user authorization and identity information. Storing of this data can occur on the client system or on the server. When the session...
    Rule Medium Severity
  • The Apache web server must produce log records containing sufficient information to establish what type of events occurred.

    Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct...
    Rule Medium Severity
  • Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server.

    A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web applica...
    Rule Medium Severity
  • Apache web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.

    As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The...
    Rule Medium Severity
  • Anonymous user access to the Apache web server application directories must be prohibited.

    To properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the ...
    Rule High Severity
  • The Apache web server must generate unique session identifiers that cannot be reliably reproduced.

    Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. To maintain a connection or session, a web server will generate a session identi...
    Rule Medium Severity
  • The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.

    The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an "...
    Rule Medium Severity
  • The Apache web server must set an inactive timeout for completing the TLS handshake.

    Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. Tim...
    Rule Medium Severity
  • The Apache web server must be tuned to handle the operational requirements of the hosted application.

    A denial of service (DoS) can occur when the web server is so overwhelmed that it can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a Do...
    Rule Medium Severity