4.1 Ensure Access to OS Root Directory Is Denied By Default - deny

Information

The Apache Directory directive allows for directory specific configuration of access controls and many other features and options. One important usage is to create a default deny policy that does not allow access to operating system directories and files, except for those specifically allowed. This is done by denying access to the OS root directory.

Rationale:

One aspect of Apache, which is occasionally misunderstood, is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can and will serve it to clients. Having a default deny is a predominate security principle, and then helps prevent the unintended access, and we do that in this case by denying access to the OS root directory using either of two methods but not both:

Using the Apache Deny directive along with an Order directive.

Using the Apache Require directive.

Either method is effective. The Order/Deny/Allow combination are now deprecated; they provide three passes where all the directives are processed in the specified order. In contrast, the Require directive works on the first match similar to firewall rules. The Require directive is the default for Apache 2.4 and is demonstrated in the remediation procedure as it may be less likely to be misunderstood.

Solution

Perform the following to implement the recommended state:

Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.

Add a single Require directive and set the value to all denied

Remove any Deny and Allow directives from the root <Directory> element.

<Directory>
. . .
Require all denied
. . .
</Directory>

Default Value:

The following is the default root directory configuration:

<Directory>

. . .

Require all denied

. . .

</Directory>

See Also

https://workbench.cisecurity.org/files/4548