APACHE 2.2 Server for Windows Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally n...Rule High Severity -
All interactive programs must be placed in a designated directory with appropriate permissions.
CGI scripts are one of the most exploited vulnerabilities on web servers. CGI script execution in Apache can be accomplished via two methods. The first method uses the ScriptAlias directive to te...Rule Medium Severity -
The MultiViews directive must be disabled.
Apache HTTPD supports content negotiation as described in the HTTP/1.1 specification. It can choose the best representation of a resource based on the browser-supplied preferences for media type, l...Rule Medium Severity -
The HTTP request message body size must be limited.
Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite s...Rule Medium Severity -
The HTTP request header field size must be limited.
Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite s...Rule Medium Severity -
The HTTP request line must be limited.
Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite s...Rule Medium Severity -
The process ID (PID) file must be properly secured.
The PidFile directive sets the path to the process ID file to which the server records the process ID of the server, which is useful for sending a signal to the server process or for checking on th...Rule Medium Severity -
The web server must be configured to listen on a specific IP address and port.
The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen for requests. Rather than be unrestricted to listen on all IP addresses available to the sy...Rule Medium Severity -
The web server must remove all export ciphers from the cipher suite.
During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with...Rule Medium Severity -
A private web server’s list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of authenticity....Rule Medium Severity -
Web administration tools must be restricted to the web manager and the web manager’s designees.
All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the administration tools creates risk of potential theft or damag...Rule Medium Severity -
The web server’s htpasswd files (if present) must reflect proper ownership and permissions.
In addition to OS restrictions, access rights to files and directories can be set on a web site using the web server software. That is, in addition to allowing or denying all access rights, a rule...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.