STIGQter: STIG Summary: APACHE 2.2 Server for Windows Security Technical Implementation Guide

Version: 1

Release: 13

Benchmark Date: 25 Jan 2019

SV-33092r1_rule: Backup interactive scripts on the production web server must be prohibited.
SV-33048r1_rule: The web server service password(s) must be entrusted to the SA or Web Manager.
SV-33044r2_rule: Public web server resources must not be shared with private assets.
SV-36489r4_rule: The service account used to run the web service must have its password changed at least annually.
SV-33061r3_rule: Installation of a compiler on production web server must be prohibited.
SV-33012r2_rule: A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
SV-33013r2_rule: A private web server must be located on a separate controlled access subnet.
SV-33068r2_rule: The web server must use a vendor-supported version of the web server software.
SV-36509r1_rule: Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities.
SV-33072r4_rule: Web administration tools must be restricted to the web manager and the web manager’s designees.
SV-33062r2_rule: All utility programs, not necessary for operations, must be removed or disabled.
SV-36561r2_rule: The web server’s htpasswd files (if present) must reflect proper ownership and permissions.
SV-6881r1_rule: The access control files are owned by a privileged web server account.
SV-33017r1_rule: Administrative users and groups that have access rights to the web server must be documented.
SV-33078r2_rule: Web server system files must conform to minimum file permission requirements.
SV-33082r1_rule: A public web server must limit e-mail to outbound only.
SV-33095r1_rule: Wscript.exe and Cscript.exe must only be accessible by the SA and/or the web administrator.
SV-33089r2_rule: Monitoring software must include CGI or equivalent programs in its scope.
SV-33014r2_rule: Web server content and configuration files must be part of a routine backup program.
SV-33070r1_rule: A web server installation must be segregated from other services.
SV-33098r1_rule: Web server and/or operating system information must be protected.
SV-33015r2_rule: Classified web servers will be afforded physical security commensurate with the classification of its content.
SV-33016r2_rule: The site software used with the web server must have all applicable security patches applied and documented.
SV-36607r1_rule: The web server, although started by superuser or privileged account, must run using a non-privileged account.
SV-33084r1_rule: A private web server’s list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
SV-33087r1_rule: All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.
SV-33065r2_rule: The private web server must use an approved DoD certificate validation process.
SV-40826r1_rule: Remote authors or content providers must have all files scanned for malware before uploading files to the Document Root directory.
SV-32980r3_rule: The Timeout directive must be properly set.
SV-32987r3_rule: The KeepAlive directive must be enabled.
SV-32880r3_rule: The KeepAliveTimeout directive must be defined.
SV-32998r1_rule: All interactive programs must be placed in a designated directory with appropriate permissions.
SV-33001r1_rule: The FollowSymLinks setting must be disabled.
SV-33003r1_rule: Server side includes (SSIs) must run with execution capability disabled.
SV-33004r2_rule: The MultiViews directive must be disabled.
SV-33006r2_rule: Directory indexing must be disabled on directories not containing index files.
SV-33008r1_rule: The HTTP request message body size must be limited.
SV-33009r1_rule: The HTTP request header fields must be limited.
SV-33010r3_rule: The HTTP request header field size must be limited.
SV-33011r3_rule: The HTTP request line must be limited.
SV-33167r1_rule: Active software modules must be minimized.
SV-33169r2_rule: Web Distributed Authoring and Versioning (WebDAV) must be disabled.
SV-33171r2_rule: Web server status module must be disabled.
SV-33173r3_rule: The web server must not be configured as a proxy server.
SV-33175r2_rule: User specific directories must not be globally enabled.
SV-33177r1_rule: The process ID (PID) file must be properly secured.
SV-33178r2_rule: The ScoreBoard file must be properly secured.
SV-33180r1_rule: The web server must be configured to explicitly deny access to the OS root.
SV-33182r1_rule: Web server options for the OS root must be disabled.
SV-33183r1_rule: The TRACE method must be disabled.
SV-33184r1_rule: The web server must be configured to listen on a specific IP address and port.
SV-33185r1_rule: The URL-path name must be set to the file path name or the directory path name.
SV-33225r1_rule: Automatic directory indexing must be disabled.
SV-33237r1_rule: The ability to override the access configuration for the OS root directory must be disabled.
SV-33238r2_rule: HTTP request methods must be limited.
SV-75161r1_rule: The web server must remove all export ciphers from the cipher suite.