DISA STIG Apache Server 2.2 Windows v1r13

Audit Details

Name: DISA STIG Apache Server 2.2 Windows v1r13

Updated: 6/17/2024

Authority: DISA STIG

Plugin: Windows

Revision: 1.10

Estimated Item Count: 73

File Details

Filename: DISA_STIG_Apache_Server-2.2_Windows_v1r13.audit

Size: 142 kB

MD5: 8688f2729008094411020ce1e4f1af56
SHA256: aac15c023033241119f7e2cf1ece8733e5f000ba1648bd948b9030235ba86303

Audit Items

Description / Categories
DISA_STIG_Apache_Server-2.2_Windows_v1r13.audit from DISA APACHE 2.2 Server for Windows v1r13 STIG
WA000-WWA020 W22 - The Timeout directive must be properly set.

SYSTEM AND COMMUNICATIONS PROTECTION

WA000-WWA022 W22 - The KeepAlive directive must be enabled.

SYSTEM AND COMMUNICATIONS PROTECTION

WA000-WWA024 W22 - The KeepAliveTimeout directive must be defined.

SYSTEM AND COMMUNICATIONS PROTECTION

WA000-WWA050 W22 - All interactive programs must be placed in a designated directory with appropriate permissions. - '-ExecCGI'

CONFIGURATION MANAGEMENT

WA000-WWA050 W22 - All interactive programs must be placed in a designated directory with appropriate permissions. - 'AddHandler'

CONFIGURATION MANAGEMENT

WA000-WWA050 W22 - All interactive programs must be placed in a designated directory with appropriate permissions. - 'SetHandler'

CONFIGURATION MANAGEMENT

WA000-WWA052 W22 - The FollowSymLinks setting must be disabled.

CONFIGURATION MANAGEMENT

WA000-WWA054 W22 - Server side includes (SSIs) must run with execution capability disabled.

CONFIGURATION MANAGEMENT

WA000-WWA056 W22 - The MultiViews directive must be disabled.

CONFIGURATION MANAGEMENT

WA000-WWA058 W22 - Directory indexing must be disabled on directories not containing index files.

CONFIGURATION MANAGEMENT

WA000-WWA060 W22 - The HTTP request message body size must be limited.

CONFIGURATION MANAGEMENT

WA000-WWA062 W22 - The HTTP request header fields must be limited.

CONFIGURATION MANAGEMENT

WA000-WWA064 W22 - The HTTP request header field size must be limited.

CONFIGURATION MANAGEMENT

WA000-WWA066 W22 - The HTTP request line must be limited.

CONFIGURATION MANAGEMENT

WA060 W22 - A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
WA070 W22 - A private web server must be located on a separate controlled access subnet.
WA120 W22 - Administrative users and groups that have access rights to the web server must be documented.
WA140 W22 - Web server content and configuration files must be part of a routine backup program.
WA155 W22 - Classified web servers will be afforded physical security commensurate with the classification of its content.
WA230 W22 - The site software used with the web server must have all applicable security patches applied and documented.
WA00500 W22 - Active software modules must be minimized.

CONFIGURATION MANAGEMENT

WA00505 W22 - Web Distributed Authoring and Versioning (WebDAV) must be disabled.

CONFIGURATION MANAGEMENT

WA00510 W22 - Web server status module must be disabled.

ACCESS CONTROL

WA00515 W22 - Automatic directory indexing must be disabled.

CONFIGURATION MANAGEMENT

WA00520 W22 - The web server must not be configured as a proxy server.

CONFIGURATION MANAGEMENT

WA00525 W22 - User specific directories must not be globally enabled.

CONFIGURATION MANAGEMENT

WA00530 W22 - The process ID (PID) file must be properly secured.
WA00535 W22 - The ScoreBoard file must be properly secured.
WA00540 W22 - The web server must be configured to explicitly deny access to the OS root.

CONFIGURATION MANAGEMENT

WA00545 W22 - Web server options for the OS root must be disabled.

CONFIGURATION MANAGEMENT

WA00547 W22 - The ability to override the access configuration for the OS root directory must be disabled.

CONFIGURATION MANAGEMENT

WA00550 W22 - The TRACE method must be disabled.

CONFIGURATION MANAGEMENT

WA00555 W22 - The web server must be configured to listen on a specific IP address and port. - '[::ffff:0.0.0.0]:80'

CONFIGURATION MANAGEMENT

WA00555 W22 - The web server must be configured to listen on a specific IP address and port. - '0.0.0.0:80'

CONFIGURATION MANAGEMENT

WA00555 W22 - The web server must be configured to listen on a specific IP address and port. - 'Listen 80 does not exists'

CONFIGURATION MANAGEMENT

WA00555 W22 - The web server must be configured to listen on a specific IP address and port. - 'Listen directive exists'

CONFIGURATION MANAGEMENT

WA00560 W22 - The URL-path name must be set to the file path name or the directory path name.

CONFIGURATION MANAGEMENT

WA00565 W22 - HTTP request methods must be limited.

CONFIGURATION MANAGEMENT

WG040 W22 - Public web server resources must not be shared with private assets.
WG050 W22 - The web server service password(s) must be entrusted to the SA or Web Manager.
WG060 W22 - The service account used to run the web service must have its password changed at least annually.
WG080 W22 - Installation of a compiler on production web server must be prohibited.
WG130 W22 - All utility programs, not necessary for operations, must be removed or disabled.

CONFIGURATION MANAGEMENT

WG145 W22 - The private web server must use an approved DoD certificate validation process. - 'SSLCARevocationFile'

SYSTEM AND COMMUNICATIONS PROTECTION

WG145 W22 - The private web server must use an approved DoD certificate validation process. - 'SSLCARevocationPath'

SYSTEM AND COMMUNICATIONS PROTECTION

WG190 W22 - The web server must use a vendor-supported version of the web server software.

SYSTEM AND INFORMATION INTEGRITY

WG200 W22 - Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities. - 'System32\cmd.exe'
WG200 W22 - Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities. - 'System32\command.com'
WG200 W22 - Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities. - 'System32\dllcache\cmd.exe'