UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ability to override the access configuration for the OS root directory must be disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-26393 WA00547 W22 SV-33237r1_rule DCSP-1 Medium
Description
The Apache OverRide directive allows for .htaccess files to be used to override much of the configuration, including authentication, handling of document types, auto generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the file system. When this directive is set to All, then any directive which has the .htaccess Context is allowed in .htaccess files.
STIG Date
APACHE SERVER 2.2 for Windows 2015-08-27

Details

Check Text ( C-33834r1_chk )
Locate the Apache httpd.conf file.

Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: Directory

For every root directory entry (i.e. ) ensure the following entry exists after it:

AllowOverride None

If the statement above is not found in the root directory statement, this is a finding. If Allow directives are included in the root directory statement, this is a finding. If the root directory statement is not found at all, this is a finding.
Fix Text (F-29500r1_fix)
Add the following after the Directory directive:

AllowOverride None