4.1 Ensure Access to OS Root Directory Is Denied By Default - 'httpd.conf no Allow directives exist'

Information

The Apache 'Directory' directive allows for directory-specific configuration of access controls and many other features and options. One important usage is to create a default deny policy that does not allow access to OS directories and files, except for those specifically allowed. This is done by denying access to the OS root directory.

Rationale:

One aspect of Apache that is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can and will serve it to clients. Having a default deny helps prevent unintended access. The Order directive is important as it provides for other Allow directives to override the default deny.

Solution

Perform the following to implement the recommended state:

1. Search the Apache configuration files ('httpd.conf' and any included configuration files) to find a root '<Directory>' element.
2. Have a single 'Order' directive and set its value to 'deny, allow'.
3. Have a 'Deny' directive and set its value to 'from all'.
4. Remove all 'Allow' directives from the root '<Directory>' element.

. . .
Order deny,allow
Deny from all
. . .

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|14.4, CSCv7|14.6

Plugin: Unix

Control ID: 417b2953d8889757289d9d7de27f94b339a33aff699d92d08cf00eed772e9f87