Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Automatic directory indexing must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-26368 | WA00515 W20 | SV-36620r1_rule | DCSQ-1 DCSW-1 | Medium |
| Description |
|---|
| To identify the type of web servers and versions software installed it is common for attackers to scan for icons or special content specific to the server type and version. A simple request like http://example.com/icons/apache_pb2.png may tell the attacker that the server is Apache 2.2 as shown below. The many icons are used primary for auto indexing, which is recommended to be disabled. |
| STIG | Date |
|---|---|
| APACHE SERVER 2.0 for Windows | 2015-08-27 |
Details
| Check Text ( C-35717r1_chk ) |
|---|
| Open the httpd.conf file. Search for an uncommented LoadModule autoindex_module directive statement. If this statement is found uncommented, this is a finding. |
| Fix Text (F-30959r1_fix) |
|---|
| Disable the autoindex_module by adding a "#" in front of it within the httpd.conf file, and restarting the Apache httpd service. |