STIGQter: STIG Summary: APACHE 2.2 Server for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019:

HTTP request methods must be limited.

DISA Rule

SV-33238r2_rule

Vulnerability Number

V-26396

Group Title

WA00565

Rule Version

WA00565 W22

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Add the following to all enabled Directory directives except root:

Order allow,deny
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>

Check Contents

Note: If HTTP commands (GET, PUT, POST, DELETE) are not being used and the server is solely configured as a proxy server, this is Not Applicable.
Locate the Apache httpd.conf file.

Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: Directory

For every enabled Directory directive (except root), ensure the following entry exists:

Order allow,deny

<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>

If the statement above is found in the root directory statement (i.e. <Directory />), this is a finding. If the statement above is found enabled but without the appropriate LimitExcept or Order statement, this is a finding. If the statement is not found at all inside an enabled Directory directive, this is a finding.

Note: If the LimitExcept statement above is operationally limiting. This should be explicitly documented with the Web Manager, at which point this can be considered not a finding.

Vulnerability Number

V-26396

Documentable

False

Rule Version

WA00565 W22

Severity Override Guidance

Note: If HTTP commands (GET, PUT, POST, DELETE) are not being used and the server is solely configured as a proxy server, this is Not Applicable.
Locate the Apache httpd.conf file.

Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: Directory

For every enabled Directory directive (except root), ensure the following entry exists:

Order allow,deny

<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>

If the statement above is found in the root directory statement (i.e. <Directory />), this is a finding. If the statement above is found enabled but without the appropriate LimitExcept or Order statement, this is a finding. If the statement is not found at all inside an enabled Directory directive, this is a finding.

Note: If the LimitExcept statement above is operationally limiting. This should be explicitly documented with the Web Manager, at which point this can be considered not a finding.

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments