STIGQter: STIG Summary: APACHE 2.2 Site for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019

Web content directories must not be anonymously shared.

DISA Rule

SV-33109r2_rule

Vulnerability Number

V-2226

Group Title

WG210

Rule Version

WG210 W22

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove the shares from the applicable directories.

Check Contents

Locate the Apache httpd.conf file.

If unable to locate the file, perform a search of the system to find the location of the file.

Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directives: DocumentRoot and ServerRoot.

Note the location following each enabled DocumentRoot and ServerRoot directive.

Navigate to the DocumentRoot and ServerRoot using the paths identified above. Right-click the directory to be examined. Select Properties, then select the “Sharing” tab. If either folder is shared, this is a finding.

NOTE: The presence of operating system shares on the web server is not an issue as long as the shares are not part of the web content directories. The use of shares to move content from one environment to another is permitted if the following conditions are met: they are approved by the ISSM/ISSO, the shares are restricted to only allow administrators write access, the use of the shares does not bypass the site's approval process for posting new content to the web server, and developers are only permitted read access to these directories.
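The check above can be scripted. The following PowerShell is an added example, not part of the STIG: it reads the enabled DocumentRoot and ServerRoot directives and compares them with the server's Windows shares, going slightly beyond the manual check by also reporting shares of folders beneath those roots. The default `$ConfPath` and the function names are assumptions; the script also assumes absolute paths and does not follow `Include` files.

```powershell
# Added example, not part of the STIG text. Run on the web server itself.
param(
    # Assumed install location; pass the real path to httpd.conf.
    [string]$ConfPath = 'C:\Apache2.2\conf\httpd.conf'
)

function Get-ApacheRoot {
    param([string[]]$ConfLines)
    foreach ($line in $ConfLines) {
        # Lines starting with '#' never match, so commented directives are skipped.
        if ($line -match '^\s*(DocumentRoot|ServerRoot)\s+"?([^"]+?)"?\s*$') {
            [pscustomobject]@{
                Directive = $Matches[1]
                # Apache accepts forward slashes on Windows; normalise for comparison.
                Path      = ($Matches[2] -replace '/', '\').TrimEnd('\')
            }
        }
    }
}

function Find-ShareUnderRoot {
    param([string]$Root, [object[]]$Shares)
    $prefix = $Root.TrimEnd('\') + '\'
    foreach ($share in $Shares) {
        if (-not $share.Path) { continue }   # e.g. IPC$ has no filesystem path
        $sharePath = $share.Path.TrimEnd('\') + '\'
        # Match the root itself or any folder beneath it, case-insensitively.
        if ($sharePath.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{ Root = $Root; Share = $share.Name; SharePath = $share.Path }
        }
    }
}

$roots  = @(Get-ApacheRoot -ConfLines (Get-Content -LiteralPath $ConfPath))
$shares = @(Get-CimInstance -ClassName Win32_Share)
$hits   = @(foreach ($r in $roots) { Find-ShareUnderRoot -Root $r.Path -Shares $shares })

if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    Write-Output 'V-2226: FINDING - a web content directory is shared.'
} else {
    Write-Output ("V-2226: no shares found under {0} directive path(s)." -f $roots.Count)
}
```

The conditions in the NOTE (ISSM/ISSO approval, write access limited to administrators) are not evaluated by the script and still have to be reviewed by hand.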

Documentable

False

Severity Override Guidance

Locate the Apache httpd.conf file.

If unable to locate the file, perform a search of the system to find the location of the file.

Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directives: DocumentRoot and ServerRoot.

Note the location following each enabled DocumentRoot and ServerRoot directive.

Navigate to the DocumentRoot and ServerRoot using the paths identified above. Right-click the directory to be examined. Select Properties, then select the “Sharing” tab. If either folder is shared, this is a finding.

NOTE: The presence of operating system shares on the web server is not an issue as long as the shares are not part of the web content directories. The use of shares to move content from one environment to another is permitted if the following conditions are met: they are approved by the ISSM/ISSO, the shares are restricted to only allow administrators write access, the use of the shares does not bypass the site's approval process for posting new content to the web server, and developers are only permitted read access to these directories.

Check Content Reference

M

Responsibility

System Administrator

Target Key

161

Comments