STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
Apache Server 2.4 Windows Site Security Technical Implementation Guide

Version: V2R3
Benchmark ID: Apache_Server_2-4_Windows_Site_STIG
Total Checks: 16
Tags: windows, web
CAT I: 1, CAT II: 15, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Checks (16)

  • V-214365 (MEDIUM): The Apache web server must not perform user management for hosted applications.
  • V-214367 (MEDIUM): The Apache web server must allow the mappings to unused and vulnerable scripts to be removed.
  • V-214368 (MEDIUM): Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server.
  • V-214371 (MEDIUM): Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web servers private key.
  • V-214372 (MEDIUM): Apache web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.
  • V-214373 (HIGH): Anonymous user access to the Apache web server application directories must be prohibited.
  • V-214374 (MEDIUM): The Apache web server must separate the hosted applications from hosted Apache web server management functionality.
  • V-214376 (MEDIUM): Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.
  • V-214380 (MEDIUM): The Apache web server must augment re-creation to a stable and known baseline.
  • V-214382 (MEDIUM): The Apache web server document directory must be in a separate partition from the Apache web servers system files.
  • V-214383 (MEDIUM): The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.
  • V-214388 (MEDIUM): The Apache web server must restrict inbound connections from nonsecure zones.
  • V-214389 (MEDIUM): Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.
  • V-214390 (MEDIUM): The Apache web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services.
  • V-214394 (MEDIUM): Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data.
  • V-214395 (MEDIUM): Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies.