5.4 Ensure Default HTML Content Is Removed - 'Server Status handler does not exist'

Information

Apache installations have default content that is not needed or appropriate for production use. The primary function for this sample content is to provide a default web site, provide user manuals or to demonstrate special features of the web server. All content that is not needed should be removed.

Rationale:

Historically these sample content and features have been remotely exploited and can provide different levels of access to the server. In the Microsoft arena, Code Red exploited a problem with the index service provided by the Internet Information Service. Usually these routines are not written for production use and consequently little thought was given to security in their development.

Solution

Review all pre-installed content and remove content which is not required. In particular look for the unnecessary content which may be found in the document root directory, a configuration directory such as conf/extra directory, or as a Unix/Linux package.

Remove the default index.html or welcome page if it is a separate package. If it is part of main Apache httpd package such as it is on Red Hat Linux, then comment out the configuration as shown below. Removing a file such as the welcome.conf, is not recommended as it may get replaced if the package is updated.

#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
## <LocationMatch "^/+$">
## Options -Indexes
## ErrorDocument 403 /error/noindex.html
## </LocationMatch>

Remove the Apache user manual content or comment out configurations referencing the manual

# yum erase httpd-manual

Remove or comment out any Server Status handler configuration.

#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.
#
## <Location /server-status>
## SetHandler server-status
## Order deny,allow
## Deny from all
## Allow from .example.com
## </Location>

Remove or comment out any Server Information handler configuration.

#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".example.com" to match your domain to enable.
#
## <Location /server-info>
## SetHandler server-info
## Order deny,allow
## Deny from all
## Allow from .example.com
## </Location>

Remove or comment out any other handler configuration such as perl-status.

# This will allow remote server configuration reports, with the URL of
# http://servername/perl-status
# Change the ".example.com" to match your domain to enable.
#
## <Location /perl-status>
## SetHandler perl-script
## PerlResponseHandler Apache2::Status
## Order deny,allow
## Deny from all
## Allow from .example.com
## </Location>

Default Value:

The default source build provides extra content available in the /usr/local/apache2/conf/extra/ directory, but the configuration of most of the extra content is commented out by default. In particular, the include of conf/extra/proxy-html.conf is not commented out in the httpd.conf.

# Server-pool management (MPM specific)

#Include conf/extra/httpd-mpm.conf

# Multi-language error messages

#Include conf/extra/httpd-multilang-errordoc.conf

# Fancy directory listings

#Include conf/extra/httpd-autoindex.conf

# Language settings

#Include conf/extra/httpd-languages.conf

# User home directories

#Include conf/extra/httpd-userdir.conf

# Real-time info on requests and configuration

#Include conf/extra/httpd-info.conf

# Virtual hosts

#Include conf/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual

#Include conf/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)

#Include conf/extra/httpd-dav.conf

# Various default settings

#Include conf/extra/httpd-default.conf

# Configure mod_proxy_html to understand HTML4/XHTML1

<IfModule proxy_html_module>

Include conf/extra/proxy-html.conf

</IfModule>

# Secure (SSL/TLS) connections

#Include conf/extra/httpd-ssl.conf

Also, the only other default content is a minimal barebones index.html in the document root which contains.

<html>

<body>

<h1>It works!</h1>

</body>

</html>

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-18, CSCv7|7.2

Plugin: Unix

Control ID: 3a4bf7f30836f63e1ea6a6bf96ccc9800db5b65d666156e4cbc6d150e0b3e32b