Checklist Summary:

The Apache 2.0 & 2.2 Web Server Security Technical Implementation Guides (STIG) is a published document that can be used to improve the security posture of a Department of Defense (DoD) web server and its associated web sites. This document is meant for use in conjunction with the Enclave, Network Infrastructure, Application Security and Development, and other appropriate operating system (OS) STIGs. Guidance for deployment of web servers within the DoD intranet and the Demilitarized Zone (DMZ) will be governed by the appropriate Network Infrastructure STIG provided by the Defense Information Systems Agency. The web server must be configured to protect classified, unclassified, and/or restricted data such as Personally Identifiable Information (PII), as well as data approved for public release. Immediate risks inherent to this role are external attacks and accidental exposure. Although security controls and infrastructure devices (such as firewalls, intrusion detection systems, and baseline integrity checking tools) offer some defense against malicious activity, security for web servers is best achieved through implementing a comprehensive defense-in-depth strategy. This strategy should include, but is not limited to, server configuration to prevent system compromise; operational procedures for posting data to avoid accidental exposure; proper placement of the server within the network infrastructure; and the allowance or denial of Ports, Protocols, and Services (PPS) used to access the web server. This document is a requirement for all DoD-owned information systems and DoD-controlled information systems operated by a contractor and/or other entity on behalf of the DoD that receive, process, store, display, or transmit DoD information, regardless of classification and/or sensitivity. These requirements are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), IAOs, and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD information system design, development, implementation, certification and accreditation efforts, but is restricted to policies and configurations specific to web servers and sites. Guidance for the configuration of OSs will be governed by the specific OS STIG provided by DISA. Guidance for use and configuration of technologies, such as mobile code and Common Gateway Interface (CGI) scripts, utilized by hosted applications will be governed by sources such as the Application and Security Development STIG, and guidance on mobile code will be provided by DISA. Enclave requirements will be governed by the Enclave STIG provided by DISA. All STIGs are available on the Information Assurance Support Environment (IASE) web site: http://iase.disa.mil/. This STIG is scoped to support the following Web Server configuration: Apache 2.0 & 2.2 on Microsoft's Windows Server 2003 & 2008

Checklist Role:

• Web Server

Known Issues:

Not provided.

Target Audience:

This document is a requirement for all DoD-owned information systems and DoD-controlled information systems operated by a contractor and/or other entity on behalf of the DoD that receive, process, store, display, or transmit DoD information, regardless of classification and/or sensitivity. These requirements are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), IAOs, and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD information system design, development, implementation, certification and accreditation efforts, but is restricted to policies and configurations specific to web servers and sites. The roles of the SA and the web administrator or web master are generally understood but, sometimes, these terms are used interchangeably. The SA is responsible for the OS, while the web administrator or web master usually manages the web site or sites. In some cases, the SA is also the web administrator/web master which is why guidance tends to be written in a certain fashion. The application development group should refer to the organization that actually wrote the web application that is hosted on a web site for further guidance, where applicable.

Target Operational Environment:

• Managed
• Specialized Security-Limited Functionality (SSLF)

Testing Information:

This STIG is scoped to support the following Web Server configuration: Apache 2.0 & 2.2 on Microsoft's Windows Server 2003 & 2008

Regulatory Compliance:

DoD Directive 8500.1, DoD Directive 8500.2

Comments/Warnings/Miscellaneous:

Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

Disclaimer:

Not provided.

Product Support:

Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

Point of Contact:

DISA Field Security Operations (FSO) disa.stig_spt@mail.mil

Sponsor:

Developed by DISA for the DoD

Licensing:

Not provided.

Change History:

Changed status from "under review" to "final" - 31 August 2015
Version 1, Release 7 - 30 July 2015
Version 1, Release 4 - 24 April 2014
Version 1, Release 3 - 24 January 2014
Version 1, Release 2 - 10 May 2013
Version 1, Release 2 - 26 April 2013
Version 1, Release 1 - 23 November 2011
Version 1, Release 5 - 30 October 2014
Updated status to "Final" - 07 January 2015
Updated "Point of Contact", "Product Support" and "Comments" Sectons - 07 January 2015
Version 1, Release 6 - 23 January 2015
Version 1, Release 8 - 26 October 2015
Changed status from "Under Review" to "Final" - 03 December 2015
Updated STIG to V1, R9
updated to FINAL - 12/07/2016
Updated to v1, r10 - 01/27/2017
Updated to FINAL - 03/08/2017
null
Updated to v1, r11 - 07/31/2017
Updated URL to reflect change to the DISA website - http --> https
Moved to FINAL - 08/29/2017
null
Updated - 11/01/2017
Updated to FINAL - 11/27/2017
updated to Ver 1, Rel 13 - 1/22/19
Updated to FINAL - 2/19/19
Updated URLs - 6/4/19

Dependency/Requirements:

URL	Description

References:

Reference URL	Description

NIST checklist record last modified on 06/05/2019