Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-26368 | WA00515 W22 | SV-33225r1_rule | DCSQ-1 DCSW-1 | Medium |
Description |
---|
To identify the type of web servers and versions software installed it is common for attackers to scan for icons or special content specific to the server type and version. A simple request like http://example.com/icons/apache_pb2.png may tell the attacker that the server is Apache 2.2 as shown below. The many icons are used primary for auto indexing, which is recommended to be disabled. |
STIG | Date |
---|---|
APACHE SERVER 2.2 for Windows | 2013-04-11 |
Check Text ( C-33829r1_chk ) |
---|
Open a command prompt window. Navigate to the “bin” directory (in many cases this may be [Drive Letter]:\[directory path]\Apache Software Foundation\Apache2.2\bin>). Enter the following command and press Enter: httpd –M This will provide a list of all loaded modules. If the following module is found this is a finding: autoindex_module. |
Fix Text (F-29494r1_fix) |
---|
Disable the autoindex_module by adding a "#" in front of it within the httpd.conf file, and restarting the Apache httpd service. |