Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directives: DocumentRoot & ServerRoot Note the location following each enabled DocumentRoot and ServerRoot directives. Navigate to the DocumentRoot, and ServerRoot, using the path identified above. Right click on the directory to be examined. Select Properties > Select the “Sharing” tab. If either folder is shared, this is a finding. NOTE: The presence of operating system shares on the web server is not an issue as long as the shares are not part of the web content directories. The use of shares to move content from one environment to another is permitted if the following conditions are met: they are approved by the ISSM/ISSO, the shares are restricted to only allow administrators write access, the use of the shares does not bypass the sites approval process for posting new content to the web server, and developers are only permitted read access to these directories.
Remove the shares from the applicable directories.
To preclude access to the servers root directory, ensure the following directive is in the httpd.conf file. This entry will also stop users from setting up .htaccess files which can override security features configured in httpd.conf. <DIRECTORY /[website root dir]> AllowOverride None </DIRECTORY> If the AllowOverride None is not set, this is a finding.
Enter the statement above into httpd.conf file for all web site root directories.
Query the SA to determine if CGI scripts are used as part of the web site. If interactive scripts are being used, check the permissions of these files to ensure they meet the following permissions: interactive script files Administrators Full Control WebManagers Modify System Read/Execute Webserver Account Read/Execute If the interactive scripts do not meet the above permissions or are less restrictive, this is a finding.
Ensure the CGI scripts are owned by root, the service account running the web service, the web author or the SA, and that the anonymous web user account has Read Only or Read - Execute permissions to such scripts.
Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: MaxKeepAliveRequests Every enabled MaxKeepAliveRequests value needs to be 100 or greater. If any directive is less than 100, this is a finding.
Set the MaxKeepAliveRequests directive to 100 or greater.
Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: DocumentRoot Note the name of the DocumentRoot directory. Review the results for each document root directory and its subdirectories. If a directory does not contain an index.html or equivalent default document, this is a finding.
Add a default document to the applicable directories.
If web administration is performed at the console, this check is N/A. If web administration is performed remotely the following checks will apply: 1. If administration of the server is performed remotely, it will only be performed securely by system administrators. 2. If web site administration or web application administration has been delegated, those users will be documented and approved by the ISSO. 3. Remote administration must be in compliance with any requirements contained within the Windows Server STIGs, and any applicable network STIGs. 4. Remote administration of any kind will be restricted to documented and authorized personnel. 5. All users performing remote administration must be authenticated. 6. All remote sessions will be encrypted and they will utilize FIPS 140-2 approved protocols. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. Review with site management how remote administration, if applicable, is configured on the web site. If remote management meets the criteria listed above, this is not a finding. If remote management is utilized and does not meet the criteria listed above, this is a finding.
Ensure the web server administration is only performed over a secure path.
Open the httpd.conf file. Search for a commented LoadModule log_config_module directive statement. If this statement is found commented, this is a finding.
Uncomment the LoadModule log_config_module statement and restart the Apache service.
Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directives: ErrorLog & CustomLog Navigate to the location of the file specified after each enabled ErrorLog & CustomLog directive and verify the permissions assigned to these files. Right click on the file to be examined. Select Properties > Select the “Security” tab. Permissions greater than Read & Execute should be allowed for only the account assigned to the Apache server service, and the Auditors Group. If the SA, Web Manager or users other than the Auditors group have greater than read access to the log files, this is a finding. If anyone other than the Auditors, Administrators, Web Managers, or the account assigned to the Apache server service has access to the log files, this is a finding.
Remove the unauthorized permissions from the applicable accounts.
Query the ISSO, the SA, and the web administrator to find out if development web sites are being housed on production web servers. Definition: A production web server is any web server connected to a production network, regardless of its role. Proposed Questions: Do you have development sites on your production web server? What is your process to get development web sites / content posted to the production server? Do you use under construction notices on production web pages? The reviewer can also do a manual check or perform a navigation of the web site via a browser to confirm the information provided from interviewing the web staff. Graphics or texts which proclaim Under Construction or Under Development are frequently used to mark folders or directories in that status. If Under Construction or Under Development web content is discovered on the production web server, this is a finding.
The presences of portions of the web site that proclaim Under Construction or Under Development are clear indications that a production web server is being used for development. The web administrator will ensure that all pages that are in development are not installed on a production web server.
Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directives: DocumentRoot, Alias, ScriptAlias, & ScriptAliasMatch Navigate to the locations specified after each enabled DocumentRoot, Alias, ScriptAlias, & ScriptAliasMatch directives. Right click on the file or directory to be examined. Select Properties. Select the “Security” tab. The only accounts listed should be the web administrator, developers, and the account assigned to run the apache server service. If accounts that do not need access to these directories are listed, this is a finding. If the permissions assigned to the Apache web server service are greater than Read for locations associated with the DocumentRoot and Alias directives, this is a finding. If the permissions assigned to the Apache web server service are greater than Read & Execute for locations associated with ScriptAlias and ScriptAliasMatch, this is a finding.
Assign the appropriate permissions to the applicable directories and files.
Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor and search for the following uncommented directives: DocumentRoot & Alias Navigate to the location(s) specified in the Include statement(s), and review each file for the following uncommented directives: DocumentRoot & Alias At the top level of the directories identified after the enabled DocumentRoot & Alias directives, verify that a “robots.txt” file does not exist. If the file does exist, this is a finding.
Remove the robots.txt file from the web site. If there is information on the web site that needs protection from search engines and public view, then other methods must be used to safeguard the data.
Open the httpd.conf file. Search for an uncommented LoadModule ssl_module directive statement. If this statement is found commented, this is a finding. After determining that the ssl module is active search for the following uncommented directives: SSLProtocol & SSLEngine For all enabled SSLProtocol directives ensure they are set to “TLSv1”. If the SSLProtocol directive is not set to TLSv1, this is a finding. For all enabled SSLEngine directives ensure they are set to “on”. Both the SSLProtocol and SSLEngine directives must be set correctly or this is a finding. NOTE: In some cases web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the TLS certificate for the web sites may be installed on the content switch vs, the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. We do not want users to have the ability to bypass the content switch to access the web sites.
Edit the httpd.conf file to load the ssl_module; set the SSLProtocol to TLSv1; and set the SSLEngine to On.
Open browser window and browse to the appropriate site. Before entry to the site, you should be presented with the server's DoD PKI credentials. Review these credentials for authenticity. Find an entry which cites: Issuer: CN = DOD CLASS 3 CA-3 OU = PKI OU = DoD O = U.S. Government C = US If the server is running as a public web server, this finding should be Not Applicable. NOTE: In some cases, the web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the SSL certificate for the web sites may be installed on the content switch vs. the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. Users should not have the ability to bypass the content switch to access the web sites.
Configure the private web site to use a valid DoD certificate.
Search the web content and scripts directories (found in check WG290) for .java and .jpp files. If either file type is found, this is a finding. Note: Executables such as java.exe, jre.exe, and jrew.exe are permitted.
Remove the appropriate files from the web server.
Locate the directories containing the CGI scripts. These directories should be language-specific (e.g., PERL, ASP, JS, JSP, etc.). Right-click on the web content directory and the related CGI directories. On the Properties tab, examine the access rights for the CGI, cgi-bin, or cgi-shl directories. Anonymous FTP users must not have access to these directories. If the CGI, the cgi-bin, or the cgi-shl directories can be accessed by any group that does not require access, this is a finding.
If the CGI, the cgi-bin, or the cgi-shl directories can be accessed via FTP by any group or user that does not require access, remove permissions to such directories for all but the web administrators and the SAs. Ensure that any such access employs an encrypted connection.
Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: ScriptInterpreterSource For any enabled ScriptInterpreterSource directives the only authorized entries are Registry-Strict or Script. If any other entry (i.e. Registry) is found, this is a finding. For all enabled ScriptInterpreterSource directives set to Registry-Strict: open regedit then Navigate to the following location: HKEY_CLASSES_ROOT\.pl\Shell\ExecCGI\Command\(Default) => C:\Perl\bin\perl.exe –T (This entry should specify the location of the Perl.exe file). If this entry is not found, this is a finding. For all enabled ScriptInterpreterSource directive set to Script: Search the system for all files ending with “.pl”. Open all files found with a text editor and ensure the following entry is found - #![Drive Letter]:/[Path to Perl install directory]/bin/perl.exe –T. If this entry is not found, this is a finding. NOTE: This applies to PERL scripts that are used as part of the web server and not all PERL scripts that are on the system. NOTE: If the mod_perl module is installed, and the directive “PerlTaintCheck on” is entered in the httpd.conf, this satisfies the requirement.
Adjust the PERL scripts or the registry to include the appropriate comments.
Verify that installation directories for Apache HTTP server are located on another partition, other than the OS partition. Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directives: DocumentRoot, ErrorLog, CustomLog Note the location specified for each of the directives. If the path for any of the directives is on the same partition as the web server operating system files, this is a finding.
Move the web server system files including the web document root (home) and log directories to a separate partition, other than the OS partition.
The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. If a banner is required, the following banner page must be in place: “You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - At any time, the USG may inspect and seize data stored on this IS. - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy. - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.” OR If your system cannot meet the character limits to store this amount of text in the banner, the following is another option for the warning banner: "I've read & consent to terms in IS user agreem't." NOTE: While DoDI 8500.01 does not contain a copy of the banner to be used, it does point to the RMF Knowledge Service for a copy of the required text. It is also noted that the banner is to be displayed only once when the individual enters the site and not for each page. If the access-controlled website does not display this banner page before entry, this is a finding.
Configure a DoD private website to display the required DoD banner page when authentication is required for user access.
Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: SSLVerifyClient If SSLVerifyClient is not set to “require” this is a finding as the client is not required to present a valid certificate.
Set the SSLVerifyClient directive to "require".
Query the SA to determine if there is a process for the uploading of files to the web site. This process should include the requirement for the use of a secure encrypted logon and secure encrypted connection. If the remote users are uploading files without utilizing approved encryption methods, this is a finding.
Use only secure encrypted logons and connections for uploading files to the web site.
To verify the log settings: Default Windows location: :\Program Files\Apache Group\Apache2\logs\access.log or :\Program Files\Apache Software Foundation\Apache2.2\logs\access.log. If these directories do not exist, you can search the web server for the httpd.conf config file to determine the location of the logs. Items to be logged are as shown in this sample line in the httpd.conf file: LogFormat "%a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" " combined If the web server is not configured to capture the required audit events for all sites and virtual directories, this is a finding.
Configure the web server to ensure the log file data includes the required data elements.
Determine permissions for log files Find the httpd.conf configuration file to determine the location of the log files. The location is indicated at the "ServerRoot" directive. The log directory is a sub-directory under the ServerRoot. ex. :\Apache Group\Apache2\logs or :\Apache Software Foundation\Apache2.2\logs After locating the logs, use the Explorer to move to these files and examine their properties: Properties >> Security >> Permissions. Administrators: Read Auditors: Full Control Web Managers: Read WebServer Account: Read/Write/Execute If anyone other than the Auditors, Administrators, Web Managers, or the account that runs the web server has access to the log files, this is a finding.
To ensure the integrity of the data that is being captured in the log files, ensure that only the members of the Auditors group, Administrators, and the user assigned to run the web server software is granted permissions to read the log files.
Open the httpd.conf file. Search for an uncommented LoadModule ssl_module directive statement. If this statement is found commented (i.e. disabled), this is a finding. Search the httpd.conf file for the following uncommented directives: SSLProtocol & SSLEngine For all enabled SSLProtocol directives ensure they are set to “TLSv1”. If the SSLProtocol directive is not set to TLSv1, this is a finding. For all enabled SSLEngine directives ensure they are set to “on”. Both the SSLProtocol and SSLEngine directives must be set correctly or this is a finding NOTE: In some cases web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the TLS certificate for the web sites may be installed on the content switch versus the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. We do not want users to have the ability to bypass the content switch to access the web sites.
Edit the httpd.conf file to load the ssl_module; set the SSLProtocol to TLSv1; and set the SSLEngine to On.
Review the web site to determine if HTTP and HTTPs are used in accordance with well known ports (e.g., 80 and 443) or those ports and services as registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM. If not, this is a finding.
Ensure the web site enforces the use of IANA well-known ports for HTTP and HTTPS.
Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directives: ErrorLog This directive specifies the name and location of the error log, if not found, this is a finding. Note: This check is applicable to every host and virtual host the web server is supporting.
Edit the httpd.conf file and enter the name and path to the ErrorLog.
Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: LogFormat The minimum items to be logged are as shown in the sample below: LogFormat "%a %A %h %H %l %m %s %t %u %U \"%{Referer}i\"" combined Verify the information following the LogFormat directive meets or exceeds the minimum requirement above. If any LogFormat directive does not meet this requirement, this is a finding.
Edit the configuration file/s and add LogFormat "%a %A %h %H %l %m %s %t %u %U \"%{Referer}i\"" combined
Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directives: CustomLog If any enabled CustomLog are not set to logs/access_log combined, this is a finding. Note: This check is applicable to every host and virtual host the web server is supporting.
Edit the httpd.conf file and enter the name, path and level for the CustomLog.
Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directives: LogLevel All enabled LogLevel directives should be set to a minimum of “warn”, if not, this is a finding. Note: If LogLevel is set to error, crit, alert, or emerg which are higher thresholds this is not a finding.
Edit the httpd.conf file and add the value LogLevel warn.