| AS24-W2-000010 - The Apache web server must limit the number of allowed simultaneous session requests. | ACCESS CONTROL |
| AS24-W2-000020 - The Apache web server must perform server-side session management. | ACCESS CONTROL |
| AS24-W2-000090 - The Apache web server must produce log records containing sufficient information to establish what type of events occurred. | AUDIT AND ACCOUNTABILITY |
| AS24-W2-000240 - The Apache web server must not perform user management for hosted applications. | CONFIGURATION MANAGEMENT |
| AS24-W2-000300 - The Apache web server must have resource mappings set to disable the serving of certain file types. | CONFIGURATION MANAGEMENT |
| AS24-W2-000310 - The Apache web server must allow the mappings to unused and vulnerable scripts to be removed. | CONFIGURATION MANAGEMENT |
| AS24-W2-000350 - Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server. | CONFIGURATION MANAGEMENT |
| AS24-W2-000360 - The Apache web server must be configured to use a specified IP address and port - IP or Port Only | CONFIGURATION MANAGEMENT |
| AS24-W2-000360 - The Apache web server must be configured to use a specified IP address and port - Zero IPs Only | CONFIGURATION MANAGEMENT |
| AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyClient | IDENTIFICATION AND AUTHENTICATION |
| AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyDepth | IDENTIFICATION AND AUTHENTICATION |
| AS24-W2-000390 - Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web servers private key. | IDENTIFICATION AND AUTHENTICATION |
| AS24-W2-000430 - Apache web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts. | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000440 - Anonymous user access to the Apache web server application directories must be prohibited. | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000450 - The Apache web server must separate the hosted applications from hosted Apache web server management functionality. | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - Header HttpOnly Secure | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - Javascript setCookie | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000480 - The Apache web server must accept only system-generated session identifiers. | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000500 - The Apache web server must generate unique session identifiers that cannot be reliably reproduced. | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000520 - The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force. | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000540 - The Apache web server must augment re-creation to a stable and known baseline. | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000560 - The Apache web server must be configured to provide clustering - mod_proxy | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000560 - The Apache web server must be configured to provide clustering - ProxyPass | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000580 - The Apache web server document directory must be in a separate partition from the Apache web servers system files. | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000610 - The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found. | SYSTEM AND INFORMATION INTEGRITY |
| AS24-W2-000620 - Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths. | SYSTEM AND INFORMATION INTEGRITY |
| AS24-W2-000630 - Debugging and trace information used to diagnose the Apache web server must be disabled. | SYSTEM AND INFORMATION INTEGRITY |
| AS24-W2-000640 - The Apache web server must set an absolute timeout for sessions. | ACCESS CONTROL |
| AS24-W2-000650 - The Apache web server must set an inactive timeout for completing the TLS handshake - mod_reqtimeout | ACCESS CONTROL |
| AS24-W2-000650 - The Apache web server must set an inactive timeout for completing the TLS handshake - RequestReadTimeout | ACCESS CONTROL |
| AS24-W2-000670 - The Apache web server must restrict inbound connections from nonsecure zones. | ACCESS CONTROL |
| AS24-W2-000690 - Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account. | ACCESS CONTROL |
| AS24-W2-000780 - The Apache web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services. | CONFIGURATION MANAGEMENT |
| AS24-W2-000800 - The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000830 - The Apache web server must be tuned to handle the operational requirements of the hosted application. | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000860 - The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed. | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000870 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data - Session On | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000870 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data - session_cookie_module | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000870 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data - SessionCookieName | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000880 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies - mod_session_crypto | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000880 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies - Session On | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000880 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies - SessionCookieName | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000880 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies - SessionCryptoPassphrase | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000890 - An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version - SSLEngine | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000890 - An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version - SSLProtocol | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000950 - The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | CONFIGURATION MANAGEMENT |
| DISA_STIG_Apache_Site-2.4_Windows_v2r1.audit from DISA APACHE 2.4 Site for Windows v2r1 STIG | |
