Detections
Analytics
AS24-W1-000250 - The Apache web server must only contain services and functions necessary for operation - httpd-manual package
Information
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Review all pre-installed content and remove content that is not required. In particular, look for the unnecessary content that may be found in the document root directory, a configuration directory such as conf/extra directory, or as a UNIX/Linux packageRemove the default index.html or welcome page if it is a separate package. If the default welcome page is part of the main Apache httpd package as it is on Red Hat Linux, comment out the configuration as shown below. Removing a file such as the 'welcome.conf' is not recommended as it may be replaced if the package is updated.
#
# This configuration file enables the default 'Welcome'
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
##<LocationMatch '^/+$'>
## Options -Indexes
## ErrorDocument 403 /error/noindex.html
##</LocationMatch>
Remove the Apache User Manual content or comment out configurations referencing the manual:
# yum erase httpd-manual
Remove or comment out any Server Status handler configuration:
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the '.example.com' to match your domain to enable.
#
##<Location /server-status>
## SetHandler server-status
## Order deny,allow
## Deny from all
## Allow from .example.com
##</Location>
Remove or comment out any Server Information handler configuration:
#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the '.example.com' to match your domain to enable.
#
##<Location /server-info>
## SetHandler server-info
## Order deny,allow
## Deny from all
## Allow from .example.com
##</Location>
Remove or comment out any other handler configuration such as perl-status:
# This will allow remote server configuration reports, with the URL of
# http://servername/perl-status
# Change the '.example.com' to match your domain to enable.
#
##<Location /perl-status>
## SetHandler perl-script
## PerlResponseHandler Apache2::Status
## Order deny,allow
## Deny from all
## Allow from .example.com
##</Location>
The default source build provides extra content available in the /usr/local/apache2/conf/extra/ directory, but the configuration of most of the extra content is commented out by default. In particular, the inclusion of conf/extra/proxyhtml.conf is not commented out in 'httpd.conf':
# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
#Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
For applications developed in-house, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software or accessible in the production environment.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Server_2-4_Windows_Y24M07_STIG.zip
Item Details
Audit Name: DISA STIG Apache Server 2.4 Windows Server v3r1
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-214319r960963_rule, STIG-ID|AS24-W1-000250, STIG-Legacy|SV-102459, STIG-Legacy|V-92371, Vuln-ID|V-214319
Plugin: Windows
Control ID: 1ffdb4e8f0cad3e08cb3359209945a37a0801f3aba080957ad69fb3b94eacf7a