STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

APACHE 2.2 Server for Windows Security Technical Implementation Guide

Version

V1R13

Benchmark ID

APACHE_SERVER_2.2_WINDOWS

Total Checks

56

Tags

windows, web

Severity breakdown

CAT I: 5
CAT II: 46
CAT III: 5

All directives specified in this STIG must be explicitly set (i.e., the server is not allowed to fall back to its compiled-in defaults for these directives). Included files must be reviewed if they are used; procedures for reviewing included files are given in the overview document. The use of .htaccess files is not authorized by the STIG. However, if they are used, the overview document provides procedures for reviewing them. The Web Policy STIG should be used in addition to the Apache Site and Server STIGs in order to perform a comprehensive web server review.


Checks (56)

  • V-13591 HIGH: Classified web servers will be afforded physical security commensurate with the classification of its content.
  • V-13613 MEDIUM: The site software used with the web server must have all applicable security patches applied and documented.
  • V-13619 MEDIUM: The web server, although started by superuser or privileged account, must run using a non-privileged account.
  • V-13620 MEDIUM: A private web server’s list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
  • V-13621 HIGH: All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.
  • V-13672 MEDIUM: The private web server must use an approved DoD certificate validation process.
  • V-13687 MEDIUM: Remote authors or content providers must have all files scanned for malware before uploading files to the Document Root directory.
  • V-13724 MEDIUM: The Timeout directive must be properly set.
  • V-13725 MEDIUM: The KeepAlive directive must be enabled.
  • V-13726 MEDIUM: The KeepAliveTimeout directive must be defined.
  • V-13731 MEDIUM: All interactive programs must be placed in a designated directory with appropriate permissions.
  • V-13732 MEDIUM: The FollowSymLinks setting must be disabled.
  • V-13733 HIGH: Server side includes (SSIs) must run with execution capability disabled.
  • V-13734 MEDIUM: The MultiViews directive must be disabled.
  • V-13735 MEDIUM: Directory indexing must be disabled on directories not containing index files.
  • V-13736 MEDIUM: The HTTP request message body size must be limited.
  • V-13737 MEDIUM: The HTTP request header fields must be limited.
  • V-13738 MEDIUM: The HTTP request header field size must be limited.
  • V-13739 MEDIUM: The HTTP request line must be limited.
  • V-2230 LOW: Backup interactive scripts on the production web server must be prohibited.
  • V-2232 MEDIUM: The web server service password(s) must be entrusted to the SA or Web Manager.
  • V-2234 MEDIUM: Public web server resources must not be shared with private assets.
  • V-2235 MEDIUM: The service account used to run the web service must have its password changed at least annually.
  • V-2236 MEDIUM: Installation of a compiler on production web server must be prohibited.
  • V-2242 MEDIUM: A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
  • V-2243 MEDIUM: A private web server must be located on a separate controlled access subnet.
  • V-2246 HIGH: The web server must use a vendor-supported version of the web server software.
  • V-2247 HIGH: Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities.
  • V-2248 MEDIUM: Web administration tools must be restricted to the web manager and the web manager’s designees.
  • V-2251 LOW: All utility programs, not necessary for operations, must be removed or disabled.
  • V-2255 MEDIUM: The web server’s htpasswd files (if present) must reflect proper ownership and permissions.
  • V-2256 MEDIUM: The access control files are owned by a privileged web server account.
  • V-2257 LOW: Administrative users and groups that have access rights to the web server must be documented.
  • V-2259 MEDIUM: Web server system files must conform to minimum file permission requirements.
  • V-2261 MEDIUM: A public web server must limit e-mail to outbound only.
  • V-2264 MEDIUM: Wscript.exe and Cscript.exe must only be accessible by the SA and/or the web administrator.
  • V-2271 MEDIUM: Monitoring software must include CGI or equivalent programs in its scope.
  • V-26285 MEDIUM: Active software modules must be minimized.
  • V-26287 MEDIUM: Web Distributed Authoring and Versioning (WebDAV) must be disabled.
  • V-26294 MEDIUM: Web server status module must be disabled.
  • V-26299 MEDIUM: The web server must not be configured as a proxy server.
  • V-26302 MEDIUM: User specific directories must not be globally enabled.
  • V-26305 MEDIUM: The process ID (PID) file must be properly secured.
  • V-26322 MEDIUM: The ScoreBoard file must be properly secured.
  • V-26323 MEDIUM: The web server must be configured to explicitly deny access to the OS root.
  • V-26324 MEDIUM: Web server options for the OS root must be disabled.
  • V-26325 MEDIUM: The TRACE method must be disabled.
  • V-26326 MEDIUM: The web server must be configured to listen on a specific IP address and port.
  • V-26327 MEDIUM: The URL-path name must be set to the file path name or the directory path name.
  • V-26368 MEDIUM: Automatic directory indexing must be disabled.
  • V-26393 MEDIUM: The ability to override the access configuration for the OS root directory must be disabled.
  • V-26396 MEDIUM: HTTP request methods must be limited.
  • V-60709 MEDIUM: The web server must remove all export ciphers from the cipher suite.
  • V-6485 LOW: Web server content and configuration files must be part of a routine backup program.
  • V-6577 MEDIUM: A web server installation must be segregated from other services.
  • V-6724 LOW: Web server and/or operating system information must be protected.