Limit access to the manager application to only those with a justified need. Rationale: Limiting access to the least privilege will ensure only those people with a justified need will have access to a resource. The manager application should be limited to only administrators. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
For the manager application, edit $CATALINA_BASE/conf/<enginename>/<hostname>/manager.xml, and add the bolded line: <Context path='/manager' docBase='${catalina.home}/webapps/manager' debug='0' privileged='true'><Valve className='org.apache.catalina.valves.RemoteAddrValve' allow='127.0.0.1'/></Context> Add hosts, comma separated, which are allowed to access the admin application. Note: The RemoteAddrValve property expects a regular expression, therefore periods and other regular expression meta-characters must be escaped. Default Value: By default this setting is not present