STIGQter: STIG Summary: APACHE 2.2 Server for Windows Security Technical Implementation Guide, Version: 1, Release: 13, Benchmark Date: 25 Jan 2019

The web server must be configured to explicitly deny access to the OS root.

DISA Rule

SV-33180r1_rule

Vulnerability Number

V-26323

Group Title

WA00540

Rule Version

WA00540 W22

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Add the following after the root directory directive:

Order deny,allow
Deny from all

Check Contents

Locate the Apache httpd.conf file.

Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: Directory

For every root directory entry (i.e. <Directory />) ensure the following exists after it:

Order deny,allow
Deny from all

If the statement above is not found in the root directory statement, this is a finding. If Allow directives are included in the root directory statement, this is a finding. If the root directory statement isn't found at all, this is a finding.
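
The check above can be automated. The following is an added example, not part of the STIG or of STIGQter: a Python sketch that applies the three finding conditions to the text of an httpd.conf. The function names and sample configurations are constructed for illustration. It assumes a single file (Include directives are not followed) and no nested sections inside the root block.

```python
import re

# Constructed sample configurations (not taken from the STIG).
SAMPLE_COMPLIANT = """
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "C:/Apache2/htdocs">
    Order allow,deny
    Allow from all
</Directory>
"""
SAMPLE_WITH_ALLOW = SAMPLE_COMPLIANT.replace(
    "Deny from all", "Deny from all\n    Allow from 10.0.0.0/8", 1)

def root_directory_blocks(conf_text):
    """Return the directive lines of every uncommented <Directory /> block."""
    blocks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never count
        if current is None:
            if re.fullmatch(r'<Directory\s+"?/"?\s*>', line, re.I):
                current = []
        elif re.fullmatch(r"</Directory\s*>", line, re.I):
            blocks.append(current)
            current = None
        else:
            current.append(line)
    return blocks

def check_wa00540(conf_text):
    """Return a list of findings; an empty list means 'not a finding'."""
    blocks = root_directory_blocks(conf_text)
    if not blocks:
        return ["no <Directory /> block found"]
    findings = []
    for i, block in enumerate(blocks, 1):
        # Apache directive names are case-insensitive; collapse whitespace.
        norm = [re.sub(r"\s+", " ", l).lower() for l in block]
        for required in ("order deny,allow", "deny from all"):
            if required not in norm:
                findings.append(f"block {i}: missing '{required}'")
        # "allow " matches Allow directives but not AllowOverride.
        if any(l.startswith("allow ") for l in norm):
            findings.append(f"block {i}: contains an Allow directive")
    return findings
```
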

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments