APACHE 2.2 Server for Windows Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally n...Rule High Severity -
All interactive programs must be placed in a designated directory with appropriate permissions.
CGI scripts are one of the most exploited vulnerabilities on web servers. CGI script execution in Apache can be accomplished via two methods. The first method uses the ScriptAlias directive to te...Rule Medium Severity -
The MultiViews directive must be disabled.
Apache HTTPD supports content negotiation as described in the HTTP/1.1 specification. It can choose the best representation of a resource based on the browser-supplied preferences for media type, l...Rule Medium Severity -
The HTTP request message body size must be limited.
Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite s...Rule Medium Severity -
The HTTP request header field size must be limited.
Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite s...Rule Medium Severity -
The HTTP request line must be limited.
Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite s...Rule Medium Severity -
The process ID (PID) file must be properly secured.
The PidFile directive sets the path to the process ID file to which the server records the process ID of the server, which is useful for sending a signal to the server process or for checking on th...Rule Medium Severity -
The web server must be configured to listen on a specific IP address and port.
The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen for requests. Rather than be unrestricted to listen on all IP addresses available to the sy...Rule Medium Severity -
The web server must remove all export ciphers from the cipher suite.
During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with...Rule Medium Severity -
A private web server’s list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of authenticity....Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.