AS24-W1-000250 - The Apache web server must only contain services and functions necessary for operation - httpd-manual package

Information

A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system.

The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Review all pre-installed content and remove content that is not required. In particular, look for unnecessary content that may be found in the document root directory, in a configuration directory such as the conf/extra directory, or installed as a UNIX/Linux package.

Remove the default index.html or welcome page if it is a separate package. If the default welcome page is part of the main Apache httpd package as it is on Red Hat Linux, comment out the configuration as shown below. Removing a file such as the 'welcome.conf' is not recommended as it may be replaced if the package is updated.

#
# This configuration file enables the default 'Welcome'
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
##<LocationMatch '^/+$'>
## Options -Indexes
## ErrorDocument 403 /error/noindex.html
##</LocationMatch>

Remove the Apache User Manual content or comment out configurations referencing the manual:

# yum erase httpd-manual

Remove or comment out any Server Status handler configuration:

#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the '.example.com' to match your domain to enable.
#
##<Location /server-status>
## SetHandler server-status
## Order deny,allow
## Deny from all
## Allow from .example.com
##</Location>

Remove or comment out any Server Information handler configuration:

#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the '.example.com' to match your domain to enable.
#
##<Location /server-info>
## SetHandler server-info
## Order deny,allow
## Deny from all
## Allow from .example.com
##</Location>

Remove or comment out any other handler configuration such as perl-status:

# This will allow remote server configuration reports, with the URL of
# http://servername/perl-status
# Change the '.example.com' to match your domain to enable.
#
##<Location /perl-status>
## SetHandler perl-script
## PerlResponseHandler Apache2::Status
## Order deny,allow
## Deny from all
## Allow from .example.com
##</Location>

The default source build provides extra content in the /usr/local/apache2/conf/extra/ directory, but the inclusion of most of that extra content is commented out by default. In particular, the inclusion of conf/extra/proxy-html.conf is not commented out in 'httpd.conf':

# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
#Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf

For applications developed in-house, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software or accessible in the production environment.
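The review steps above can be scripted. The following is an added audit helper, not part of the STIG or the Tenable plugin, that scans one Apache configuration file for still-active server-status, server-info, perl-status, proxy-html Include and welcome-page directives while ignoring commented-out lines. It assumes the configuration is reviewed file by file (httpd.conf plus each included .conf) and does not cover the httpd-manual package itself, which the package manager query shown earlier addresses.

```shell
#!/bin/sh
# Added audit helper, not part of the STIG or the Tenable plugin. Scans one
# Apache config file for the directives this check says to comment out.
# Commented-out lines such as '##<Location ...>' are ignored, so only
# still-active directives are reported.

# find_active_handlers FILE
#   Prints one "<label>:<line>" per active finding; returns 1 if any were
#   found, 0 if the file is clean. The match is deliberately conservative:
#   an Include inside <IfModule proxy_html_module> is reported even when
#   that module is not loaded, so a reviewer still looks at it.
find_active_handlers() {
    awk '
        /^[ \t]*#/ { next }   # skip commented-out lines
        /SetHandler[ \t]+server-status/            { print "server-status:" NR; hits++ }
        /SetHandler[ \t]+server-info/              { print "server-info:" NR; hits++ }
        /PerlResponseHandler[ \t]+Apache2::Status/ { print "perl-status:" NR; hits++ }
        /^[ \t]*Include[ \t]+.*proxy-html\.conf/   { print "proxy-html-include:" NR; hits++ }
        index($0, "<LocationMatch") && index($0, "^/+$") { print "welcome-page:" NR; hits++ }
        END { exit (hits > 0) }
    ' "$1"
}

# write_sample_config FILE: constructed sample mixing commented-out and
# still-active directives, used only to demonstrate the scanner.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample httpd.conf fragment
##<Location /server-status>
##    SetHandler server-status
##</Location>
<Location /server-info>
    SetHandler server-info
    Require ip 127.0.0.1
</Location>
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
<LocationMatch "^/+$">
    Options -Indexes
</LocationMatch>
#Include conf/extra/httpd-manual.conf
EOF
}

# Usage: sh audit-httpd.sh /etc/httpd/conf/httpd.conf (repeat per .conf file)
if [ "$#" -gt 0 ]; then
    find_active_handlers "$1"
fi
```

A non-zero exit status means at least one directive from the list above is still active and needs to be commented out or removed.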

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Server_2-4_Windows_Y24M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-214319r960963_rule, STIG-ID|AS24-W1-000250, STIG-Legacy|SV-102459, STIG-Legacy|V-92371, Vuln-ID|V-214319

Plugin: Windows

Control ID: 1ffdb4e8f0cad3e08cb3359209945a37a0801f3aba080957ad69fb3b94eacf7a