STIGQter: STIG Summary: APACHE 2.2 Site for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019: STIGQter: STIG Summary: APACHE 2.2 Site for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019:SV-14297r3_rule
V-2262
WG340
WG340 W22
CAT II
10
Edit the httpd.conf file and set the SSLProtocol to include “-SSLv2 -SSLv3" and the SSLEngine to “On”. For Apache 2.2.22 and older, set SSLProtocol to "TLSv1" or higher.
Verify that the ssl module is loaded.
Open a command prompt and run the following command from the directory where httpd.exe is located: httpd –M
This will provide a list of all the loaded modules. Verify that the “ssl_module” is loaded.
If this module is not found, this is a finding.
After determining that the ssl module is active, locate the Apache httpd.conf file.
If unable to locate the file, perform a search of the system to find the file.
Open the httpd.conf file with an editor such as Notepad and search for the following uncommented directives: SSLProtocol and SSLEngine
For all enabled SSLProtocol directives, ensure the “-SSLv2 -SSLv3” switches to disable SSL are included in the directive.
If the SSLProtocol directive is not set to explicitly disable SSLv2 and SSLv3, this is a finding.
Note: For Apache 2.2.22 and older, all enabled SSLProtocol directives must be set to "TLSv1" or higher or this is a finding.
For all enabled SSLEngine directives, ensure they are set to “on”.
Both the SSLProtocol and SSLEngine directives must be set correctly or this is a finding.
Note: In some cases web servers are configured in an environment to support load balancing. This configuration most likely uses a content switch to control traffic to the various web servers. In this situation, the TLS certificate for the websites may be installed on the content switch versus the individual websites. This solution is acceptable as long as the web servers are isolated from the general population LAN. Users must not have the ability to bypass the content switch to access the websites.
V-2262
False
WG340 W22
Verify that the ssl module is loaded.
Open a command prompt and run the following command from the directory where httpd.exe is located: httpd –M
This will provide a list of all the loaded modules. Verify that the “ssl_module” is loaded.
If this module is not found, this is a finding.
After determining that the ssl module is active, locate the Apache httpd.conf file.
If unable to locate the file, perform a search of the system to find the file.
Open the httpd.conf file with an editor such as Notepad and search for the following uncommented directives: SSLProtocol and SSLEngine
For all enabled SSLProtocol directives, ensure the “-SSLv2 -SSLv3” switches to disable SSL are included in the directive.
If the SSLProtocol directive is not set to explicitly disable SSLv2 and SSLv3, this is a finding.
Note: For Apache 2.2.22 and older, all enabled SSLProtocol directives must be set to "TLSv1" or higher or this is a finding.
For all enabled SSLEngine directives, ensure they are set to “on”.
Both the SSLProtocol and SSLEngine directives must be set correctly or this is a finding.
Note: In some cases web servers are configured in an environment to support load balancing. This configuration most likely uses a content switch to control traffic to the various web servers. In this situation, the TLS certificate for the websites may be installed on the content switch versus the individual websites. This solution is acceptable as long as the web servers are isolated from the general population LAN. Users must not have the ability to bypass the content switch to access the websites.
M
Web Administrator
161