8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly'

Information

Configure the Apache 'ServerTokens' directive to provide minimal information by setting the value to 'Prod' or 'ProductOnly'. The only version information given in the server HTTP response header will be 'Apache' rather than details on modules and versions installed.

Rationale:

Information is power, and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may cause too much 'noise' being generated and may tip off an administrator. If an attacker can accurately target exploits, the chances of successful compromise prior to detection increase dramatically. Script kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released.

Solution

Perform the following to implement the recommended state:

Add or modify the 'ServerTokens' directive as shown below to have the value of 'Prod' or 'ProductOnly':

ServerTokens Prod

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|18.9, CSCv7|14.7

Plugin: Unix

Control ID: e8dfd2a4d37aa304178009d7d53013d2e16411d172aec48625b38ee77d104a70