4.4 Ensure OverRide Is Disabled for All Directories

Information

The Apache 'AllowOverride' directive allows '.htaccess' files to override much of the server configuration, including authentication, handling of document types, auto-generated indexes, access control, and options. When the server finds an '.htaccess' file (as specified by 'AccessFileName'), it needs to know which directives declared in that file can override earlier access information. When this directive is set to 'None', '.htaccess' files are completely ignored. When this directive is set to 'All', any directive which has the '.htaccess' Context is allowed in '.htaccess' files. Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride

Rationale:

While the functionality of '.htaccess' files is sometimes convenient, using them decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately through an unintended or rogue '.htaccess' file. Consider also that some of the more common vulnerabilities in web servers and web applications allow web files to be viewed or modified; that is why it is wise to keep the web server's configuration out of '.htaccess' files.

Solution

Perform the following to implement the recommended state:

1. Search the Apache configuration files ('httpd.conf' and any included configuration files) to find 'AllowOverride' directives.
2. Set the value for all 'AllowOverride' directives to 'None'.

. . .
AllowOverride None
. . .
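An audit script for steps 1 and 2, added here as an illustration and not part of the benchmark: it scans the configuration files you pass it (httpd.conf together with the files its Include directives pull in, which you list yourself) and reports every active 'AllowOverride' directive whose value is not 'None'. The two-file configuration it checks is constructed for the demonstration.

```shell
#!/bin/sh
# check_allowoverride FILE...: report every active (non-comment) AllowOverride
# directive whose value is anything other than None.  Output is
# "file:line: AllowOverride <value>"; exit status is 0 when every directive is
# None and 1 otherwise, so the function doubles as a pass/fail check.
# Included files are not followed automatically: pass httpd.conf together with
# the files its Include directives pull in (e.g. conf.d/*.conf).
check_allowoverride() {
  awk '
    # Apache directive names are case-insensitive; "#" lines are comments and
    # their first field is "#", so they never match here.
    tolower($1) == "allowoverride" {
      value = ""
      for (i = 2; i <= NF; i++) value = value (i > 2 ? " " : "") $i
      if (tolower(value) != "none") {
        printf "%s:%d: AllowOverride %s\n", FILENAME, FNR, value
        bad++
      }
    }
    END { exit (bad > 0) }
  ' "$@"
}

# demo_allowoverride: runs the check over a constructed two-file configuration
# (not taken from any real server) with one compliant and two non-compliant
# directives, one of them lower-case in an included file.
demo_allowoverride() {
  dir=$(mktemp -d) || return 2
  cat > "$dir/httpd.conf" <<'EOF'
<Directory />
    Options None
    AllowOverride None
</Directory>
# AllowOverride All   (commented out: must not be reported)
<Directory "/var/www/html">
    AllowOverride AuthConfig FileInfo
</Directory>
EOF
  cat > "$dir/extra.conf" <<'EOF'
<Directory "/srv/app">
    allowoverride all
</Directory>
EOF
  check_allowoverride "$dir/httpd.conf" "$dir/extra.conf"
  rc=$?
  rm -rf "$dir"
  return "$rc"
}
```

Running demo_allowoverride prints the two offending directives with file and line number and exits 1; once every directive reads 'AllowOverride None' the same check prints nothing and exits 0.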

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|14.4, CSCv7|14.6

Plugin: Unix

Control ID: 64112df10f268034b4602ebfa288856993c6230f75782b04a2406ac90ef71eb1