2.9 Ensure the Basic and Digest Authentication Modules are Disabled - auth_basic_module

Information

The Apache 'mod_auth_basic' and 'mod_auth_digest' modules support HTTP Basic Authentication and HTTP Digest Authentication respectively. The two authentication protocols are used to restrict access to users who provide a valid user name and password.

Rationale:

Neither HTTP Basic nor HTTP Digest authentication should be used as the protocols are out dated and no longer considered secure. Disabling the modules will improve the security posture of the web server by reducing the amount of potentially vulnerable code paths exposed to the network and reducing potential for unauthorized access to files via misconfigured access controls.

In the early days of the web, Basic HTTP Authentication was considered adequate if it was only used over HTTPS, so that the credentials would not be sent in the clear. Basic authentication uses Base64 to encode the credentials which are sent with every request. Base64 encoding is of course easily reversed, and is no more secure than clear text. The issues with using Basic Auth over HTTPS is that it does not meet current security standards for protecting the login credentials and protecting the authenticated
session. The following security issues plague the Basic Authentication protocol.

- The authenticated session has an indefinite length (as long as any browser window is open) and is not timed-out on the server when the session is idle.

- Application logout is required to invalidate the session on the server to limit, but in the case of Basic Authentication, there is no server-side session that can be invalidated.

- The credentials are remembered by the browser and stored in memory.

- There is no way to disable auto-complete, where the browser offers to store the passwords.
Passwords stored in the browser can be accessed if the client system or browser become
compromised.

- The credentials are more likely to be exposed since they are automatically sent with every
request.

- Administrators may at times have access to the HTTP headers sent in request for the purposes of diagnosing problems and detecting attacks. Having a user's credentials in the clear in the HTTP headers, may allow a user to repudiate actions performed, because the web or system
administrators also had access to the user's password.

The HTTP Digest Authentication is considered even worse than Basic Authentication because it stores the password in the clear on the server, and has the same session management issues as Basic Authentication.

Solution

Perform either one of the following to disable the HTTP Basic or HTTP Digest authentication modules:

1. For source builds with static modules run the Apache './configure' script without including the 'mod_auth_basic', and 'mod_auth_digest' in the '--enable-modules=configure' script options.

$ cd $DOWNLOAD_HTTPD
$ ./configure

2. For dynamically loaded modules comment out or remove the 'LoadModule' directive for 'mod_auth_basic', and 'mod_auth_digest' modules from the 'httpd.conf' file.

##LoadModule mod_auth_basic modules/mod_auth_basic.so
##LoadModule mod_auth_digest modules/mod_auth_digest.so

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv6|9.1, CSCv7|9.2

Plugin: Unix

Control ID: cdff63721a882201fee6e74ff5d83c3d5189aae1e48adf2b8c060cef4c622ca7