UCF STIG Viewer Logo

APACHE SERVER 2.0 for Windows


Date Finding Count (55)
2015-08-27 CAT I (High): 5 CAT II (Med): 45 CAT III (Low): 5
STIG Description
All directives specified in this STIG must be specifically set (i.e. the server is not allowed to revert to programmed defaults for these directives). Included files should be reviewed if they are used. Procedures for reviewing included files are included in the overview document. The use of .htaccess files are not authorized for use according to the STIG. However, if they are used, there are procedures for reviewing them in the overview document. The Web Policy STIG should be used in addition to the Apache Site and Server STIGs in order to do a comprehensive web server review.

Available Profiles

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-13733 High Server side includes (SSIs) must run with execution capability disabled.
V-13621 High All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.
V-13591 High Classified web servers will be afforded physical security commensurate with the classification of its content.
V-2247 High Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities.
V-2246 High The web server must use a vendor-supported version of the web server software.
V-13738 Medium The HTTP request header field size must be limited.
V-13739 Medium The HTTP request line must be limited.
V-13731 Medium All interactive programs must be placed in a designated directory with appropriate permissions.
V-13732 Medium The FollowSymLinks setting must be disabled.
V-13734 Medium The MultiViews directive must be disabled.
V-13735 Medium Directory indexing must be disabled on directories not containing index files.
V-13736 Medium The HTTP request message body size must be limited.
V-13737 Medium The HTTP request header fields must be limited.
V-26393 Medium The ability to override the access configuration for the OS root directory must be disabled.
V-26396 Medium HTTP request methods must be limited.
V-13620 Medium A private web server’s list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
V-2234 Medium Public web server resources must not be shared with private assets.
V-2235 Medium The service account used to run the web service must have its password changed at least annually.
V-2236 Medium Installation of a compiler on production web server must be prohibited.
V-2232 Medium The web server service password(s) must be entrusted to the SA or Web Manager.
V-26294 Medium Web server status module will be disabled.
V-2243 Medium A private web server must be located on a separate controlled access subnet.
V-2259 Medium Web server system files must conform to minimum file permission requirements.
V-2271 Medium Monitoring software must include CGI or equivalent programs in its scope.
V-2255 Medium The web server’s htpasswd files (if present) must reflect proper ownership and permissions.
V-26299 Medium The web server must not be configured as a proxy server.
V-6577 Medium A web server installation must be segregated from other services.
V-13687 Medium Remote authors or content providers must have all files scanned for malware before uploading files to the Document Root directory.
V-13726 Medium The KeepAliveTimeout directive must be defined.
V-13725 Medium The KeepAlive directive must be enabled.
V-13724 Medium The Timeout directive must be properly set.
V-26305 Medium The process ID (PID) file must be properly secured.
V-2264 Medium Wscript.exe and Cscript.exe must only be accessible by the SA and/or the web administrator.
V-2261 Medium A public web server must limit e-mail to outbound only.
V-26302 Medium User specific directories must not be globally enabled.
V-13613 Medium The site software used with the web server must have all applicable security patches applied and documented.
V-2242 Medium A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
V-13672 Medium The private web server must use an approved DoD certificate validation process.
V-26285 Medium Active software modules must be minimized.
V-26287 Medium Web Distributed Authoring and Versioning (WebDAV) must be disabled.
V-2248 Medium Web administration tools must be restricted to the web manager and the web manager’s designees.
V-13619 Medium The web server, although started by superuser or privileged account, must run using a non-privileged account.
V-26323 Medium The web server must be configured to explicitly deny access to the OS root.
V-26322 Medium The ScoreBoard file must be properly secured.
V-60709 Medium The web server must remove all export ciphers from the cipher suite.
V-26368 Medium Automatic directory indexing must be disabled.
V-26327 Medium The URL-path name must be set to the file path name or the directory path name.
V-26326 Medium The web server must be configured to listen on a specific IP address and port.
V-26325 Medium The TRACE method must be disabled.
V-26324 Medium Web server options for the OS root must be disabled.
V-6485 Low Web server content and configuration files must be part of a routine backup program.
V-2230 Low Backup interactive scripts on the production web server must be prohibited.
V-2251 Low All utility programs, not necessary for operations, must be removed or disabled.
V-6724 Low Web server and/or operating system information must be protected.
V-2257 Low Administrative users and groups that have access rights to the web server must be documented.