STIGQter: STIG Summary: APACHE 2.2 Site for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019:

The web client account access to the content and scripts directories must be limited to read and execute.

DISA Rule

SV-33136r1_rule

Vulnerability Number

V-2258

Group Title

WG290

Rule Version

WG290 W22

Severity

CAT I

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Assign the appropriate permissions to the applicable directories and files.

Check Contents

Locate the Apache httpd.conf file.

If unable to locate the file, perform a search of the system to find the location of the file.

Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directives: DocumentRoot, Alias, ScriptAlias, & ScriptAliasMatch

Navigate to the locations specified after each enabled DocumentRoot, Alias, ScriptAlias, & ScriptAliasMatch directives.
Right click on the file or directory to be examined. Select Properties. Select the “Security” tab. The only accounts listed should be the web administrator, developers, and the account assigned to run the apache server service.
If accounts that do not need access to these directories are listed, this is a finding.
If the permissions assigned to the Apache web server service are greater than Read for locations associated with the DocumentRoot and Alias directives, this is a finding. If the permissions assigned to the Apache web server service are greater than Read & Execute for locations associated with ScriptAlias and ScriptAliasMatch, this is a finding.

Vulnerability Number

V-2258

Documentable

False

Rule Version

WG290 W22

Severity Override Guidance

Locate the Apache httpd.conf file.

If unable to locate the file, perform a search of the system to find the location of the file.

Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directives: DocumentRoot, Alias, ScriptAlias, & ScriptAliasMatch

Navigate to the locations specified after each enabled DocumentRoot, Alias, ScriptAlias, & ScriptAliasMatch directives.
Right click on the file or directory to be examined. Select Properties. Select the “Security” tab. The only accounts listed should be the web administrator, developers, and the account assigned to run the apache server service.
If accounts that do not need access to these directories are listed, this is a finding.
If the permissions assigned to the Apache web server service are greater than Read for locations associated with the DocumentRoot and Alias directives, this is a finding. If the permissions assigned to the Apache web server service are greater than Read & Execute for locations associated with ScriptAlias and ScriptAliasMatch, this is a finding.

Check Content Reference

M

Responsibility

System Administrator

Target Key

161

Comments