| DISA_STIG_Apache_Server-2.2_Windows_v1r13.audit from DISA APACHE 2.2 Server for Windows v1r13 STIG | |
| WA000-WWA020 W22 - The Timeout directive must be properly set. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WA000-WWA022 W22 - The KeepAlive directive must be enabled. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WA000-WWA024 W22 - The KeepAliveTimeout directive must be defined. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WA000-WWA050 W22 - All interactive programs must be placed in a designated directory with appropriate permissions. - '-ExecCGI' | CONFIGURATION MANAGEMENT |
| WA000-WWA050 W22 - All interactive programs must be placed in a designated directory with appropriate permissions. - 'AddHandler' | CONFIGURATION MANAGEMENT |
| WA000-WWA050 W22 - All interactive programs must be placed in a designated directory with appropriate permissions. - 'SetHandler' | CONFIGURATION MANAGEMENT |
| WA000-WWA052 W22 - The FollowSymLinks setting must be disabled. | CONFIGURATION MANAGEMENT |
| WA000-WWA054 W22 - Server side includes (SSIs) must run with execution capability disabled. | CONFIGURATION MANAGEMENT |
| WA000-WWA056 W22 - The MultiViews directive must be disabled. | CONFIGURATION MANAGEMENT |
| WA000-WWA058 W22 - Directory indexing must be disabled on directories not containing index files. | CONFIGURATION MANAGEMENT |
| WA000-WWA060 W22 - The HTTP request message body size must be limited. | CONFIGURATION MANAGEMENT |
| WA000-WWA062 W22 - The HTTP request header fields must be limited. | CONFIGURATION MANAGEMENT |
| WA000-WWA064 W22 - The HTTP request header field size must be limited. | CONFIGURATION MANAGEMENT |
| WA000-WWA066 W22 - The HTTP request line must be limited. | CONFIGURATION MANAGEMENT |
| WA060 W22 - A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension. | |
| WA070 W22 - A private web server must be located on a separate controlled access subnet. | |
| WA120 W22 - Administrative users and groups that have access rights to the web server must be documented. | |
| WA140 W22 - Web server content and configuration files must be part of a routine backup program. | |
| WA155 W22 - Classified web servers will be afforded physical security commensurate with the classification of its content. | |
| WA230 W22 - The site software used with the web server must have all applicable security patches applied and documented. | |
| WA00500 W22 - Active software modules must be minimized. | CONFIGURATION MANAGEMENT |
| WA00505 W22 - Web Distributed Authoring and Versioning (WebDAV) must be disabled. | CONFIGURATION MANAGEMENT |
| WA00510 W22 - Web server status module must be disabled. | ACCESS CONTROL |
| WA00515 W22 - Automatic directory indexing must be disabled. | CONFIGURATION MANAGEMENT |
| WA00520 W22 - The web server must not be configured as a proxy server. | CONFIGURATION MANAGEMENT |
| WA00525 W22 - User specific directories must not be globally enabled. | CONFIGURATION MANAGEMENT |
| WA00530 W22 - The process ID (PID) file must be properly secured. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| WA00535 W22 - The ScoreBoard file must be properly secured. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| WA00540 W22 - The web server must be configured to explicitly deny access to the OS root. | CONFIGURATION MANAGEMENT |
| WA00545 W22 - Web server options for the OS root must be disabled. | CONFIGURATION MANAGEMENT |
| WA00547 W22 - The ability to override the access configuration for the OS root directory must be disabled. | CONFIGURATION MANAGEMENT |
| WA00550 W22 - The TRACE method must be disabled. | CONFIGURATION MANAGEMENT |
| WA00555 W22 - The web server must be configured to listen on a specific IP address and port. - '[::ffff:0.0.0.0]:80' | CONFIGURATION MANAGEMENT |
| WA00555 W22 - The web server must be configured to listen on a specific IP address and port. - '0.0.0.0:80' | CONFIGURATION MANAGEMENT |
| WA00555 W22 - The web server must be configured to listen on a specific IP address and port. - 'Listen 80 does not exists' | CONFIGURATION MANAGEMENT |
| WA00555 W22 - The web server must be configured to listen on a specific IP address and port. - 'Listen directive exists' | CONFIGURATION MANAGEMENT |
| WA00560 W22 - The URL-path name must be set to the file path name or the directory path name. | CONFIGURATION MANAGEMENT |
| WA00565 W22 - HTTP request methods must be limited. | CONFIGURATION MANAGEMENT |
| WG040 W22 - Public web server resources must not be shared with private assets. | |
| WG050 W22 - The web server service password(s) must be entrusted to the SA or Web Manager. | |
| WG060 W22 - The service account used to run the web service must have its password changed at least annually. | |
| WG080 W22 - Installation of a compiler on production web server must be prohibited. | |
| WG130 W22 - All utility programs, not necessary for operations, must be removed or disabled. | CONFIGURATION MANAGEMENT |
| WG145 W22 - The private web server must use an approved DoD certificate validation process. - 'SSLCARevocationFile' | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG145 W22 - The private web server must use an approved DoD certificate validation process. - 'SSLCARevocationPath' | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG190 W22 - The web server must use a vendor-supported version of the web server software. | SYSTEM AND INFORMATION INTEGRITY |
| WG200 W22 - Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities. - 'System32\cmd.exe' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| WG200 W22 - Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities. - 'System32\command.com' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| WG200 W22 - Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities. - 'System32\dllcache\cmd.exe' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
