STIGQter: STIG Summary: APACHE 2.2 Server for Windows Security Technical Implementation Guide, Version 1, Release 13, Benchmark Date 25 Jan 2019

A private web server’s list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.

DISA Rule

SV-33084r1_rule

Vulnerability Number

V-13620

Group Title

WG355

Rule Version

WG355 W22

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the web server’s trust store to trust only DoD-approved PKIs (e.g., DoD PKI, DoD ECA, and DoD-approved external partners).

Check Contents

The reviewer will need to have the SA or Web Manager show the list of CAs the server trusts when authenticating users.

NOTE: Some non-DoD roots must remain on the server for it to function; some applications, such as anti-virus programs, require their own root CAs.

The location of the configuration file that controls the SSL parameters varies by installation, so the following describes a default httpd-ssl.conf.

Open httpd-ssl.conf and search for the following directive:

SSLCACertificateFile

This directive points to the file holding the certificates of the CAs accepted for client authentication. The file is simply the concatenation of the individual PEM-encoded certificate files, in order of preference. Examine its contents to determine whether each trusted CA is DoD approved. If SSLCACertificatePath is used instead of, or in addition to, SSLCACertificateFile, examine the certificates in that directory as well.

DoD-approved CAs can include the External Certificate Authorities (ECA), if approved by the DAA. The PKE InstallRoot 3.06 System Administrator Guide (SAG), dated 8 Jul 2008, contains a complete list of DoD, ECA, and IECA CAs. If the trusted CAs used to authenticate users to the web site do not lead to an approved DoD CA, this is a finding.
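The check above is a manual one, but its three steps (find the active SSLCACertificateFile directive, split the bundle into certificates, confirm each CA leads to an approved root) are easy to script for a reviewer. The following is an added example, not part of the STIG and not Apache's own code. It assumes the openssl CLI is available to read certificate names, that the approved-root list is written in the same one-line form openssl prints, and that a name-based walk from issuer to issuer within the bundle is an adequate triage step; the sample config, the placeholder PEM bundle and the subordinate and vendor CA names are constructed for the example, and the "DoD Root CA 2" DN is used only as an illustration of a root name that would be taken from the SAG.

```python
"""Added audit helper for WG355 W22 (not part of the STIG or of Apache):
locate the SSLCACertificateFile bundle in an Apache 2.2 config, split it
into certificates, and report any CA that does not chain, by name, to a
root on the reviewer's approved-root list."""
import re
import subprocess

# Constructed httpd-ssl.conf fragment for the example; not a real server's file.
SAMPLE_CONF = """\
# SSL settings
<VirtualHost _default_:443>
    SSLEngine on
    #SSLCACertificateFile "conf/ssl.crt/old-bundle.crt"
    SSLCACertificateFile "conf/ssl.crt/ca-bundle.crt"
    SSLVerifyClient require
</VirtualHost>
"""

# Constructed two-entry PEM bundle; the bodies are placeholders, not certificates.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYONE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYTWO
-----END CERTIFICATE-----
"""

# Constructed (subject, issuer) pairs standing in for what openssl would print.
# DOD_ROOT is a real root name in openssl's one-line DN form, used only as an
# illustration; the subordinate and vendor names are invented for the example.
DOD_ROOT = "C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2"
SAMPLE_NAMES = [
    (DOD_ROOT, DOD_ROOT),                                          # self-signed root
    ("C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = Example DoD Issuing CA", DOD_ROOT),
    ("O = Example Vendor, CN = Example Vendor Root",
     "O = Example Vendor, CN = Example Vendor Root"),               # self-signed, not approved
    ("O = Example, CN = Orphan Issuing CA", "O = Example, CN = Root Not In Bundle"),
]


def find_ca_file(conf_text, server_root):
    """Return the effective SSLCACertificateFile path, or None if unset.
    Comment lines are skipped, the last active directive wins, quoted paths
    may contain spaces, and a relative path is resolved against ServerRoot
    the way httpd does."""
    path = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'SSLCACertificateFile\s+(?:"([^"]+)"|(\S+))', line, re.I)
        if m:
            path = m.group(1) or m.group(2)
    if path is None:
        return None
    if re.match(r"^(?:[A-Za-z]:[\\/]|/)", path):     # already absolute (Windows or POSIX)
        return path
    return server_root.rstrip("/\\") + "/" + path


PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(bundle_text):
    """Split a concatenated PEM file into its individual certificate blocks."""
    return PEM_BLOCK.findall(bundle_text)


def cert_names(pem_block):
    """(subject, issuer) of one PEM certificate, read via the openssl CLI.
    Not run against SAMPLE_BUNDLE, whose bodies are placeholders."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer"],
        input=pem_block.encode(), capture_output=True, check=True,
    ).stdout.decode()
    names = {}
    for line in out.splitlines():
        key, _, value = line.partition("=")
        names[key.strip()] = value.strip()
    return names.get("subject", ""), names.get("issuer", "")


def chains_to_approved_root(subject, by_subject, approved_roots):
    """Follow issuer links inside the bundle until a self-signed certificate
    is reached; True only if that root is on the approved list.  An issuer
    missing from the bundle, or a loop, is a failure, not an approval."""
    seen = set()
    cur = subject
    while cur in by_subject and cur not in seen:
        seen.add(cur)
        issuer = by_subject[cur]
        if issuer == cur:                       # self-signed: top of the chain
            return cur in approved_roots
        cur = issuer
    return False


def audit_trust_store(name_pairs, approved_roots):
    """Map every subject in the bundle to True (leads to an approved root)
    or False (a finding under WG355 W22)."""
    by_subject = dict(name_pairs)
    return {s: chains_to_approved_root(s, by_subject, approved_roots) for s, _ in name_pairs}


def findings(name_pairs, approved_roots):
    """Sorted list of subjects that would be written up as findings."""
    return sorted(s for s, ok in audit_trust_store(name_pairs, approved_roots).items() if not ok)


if __name__ == "__main__":
    print("bundle file:", find_ca_file(SAMPLE_CONF, "C:/Apache22"))
    print("certificates in sample bundle:", len(split_pem_bundle(SAMPLE_BUNDLE)))
    for subject in findings(SAMPLE_NAMES, {DOD_ROOT}):
        print("FINDING:", subject)
```

Against a live server the reviewer would replace SAMPLE_NAMES with `[cert_names(b) for b in split_pem_bundle(open(path).read())]`, where `path` comes from `find_ca_file`. Matching by distinguished name is only a triage aid: anyone can mint a self-signed certificate carrying a DoD root's name, so the roots that survive this pass should still have their fingerprints compared with the values published in the SAG before the bundle is accepted as compliant.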

Documentable

False

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

158

Comments