Check: AS24-W1-000590
Apache Server 2.4 Windows Server STIG: AS24-W1-000590 (in versions v2 r3 through v1 r0.1)
Title
The Apache web server must restrict the ability of users to launch denial-of-service (DoS) attacks against other information systems or networks. (Cat II impact)
Discussion
The Apache web server can limit its potential for use in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. One example setting that limits the ability of the web server to be used in a DoS attack is bandwidth throttling.
Check Content
Review the <'INSTALLED PATH'>\conf\httpd.conf file. Verify the "Timeout" directive is specified in the "httpd.conf" file to have a value of "10" seconds or less. If the "Timeout" directive is not configured or set for more than "10" seconds, this is a finding.
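The check above can be automated. The following is an added example, not part of the STIG: a small auditor that applies the "10 seconds or less" rule to the text of an httpd.conf. It assumes that the last "Timeout" in a scope wins, that the check applies to every scope (for example a <VirtualHost> block) as well as the server level, and that Include files are not followed; the function names and the sample configuration are constructed for illustration.

```python
import re

STIG_MAX_TIMEOUT = 10  # seconds, from the check text

# Constructed sample httpd.conf content (not taken from a real server).
SAMPLE_CONF = r"""
# Timeout 5   <- commented out, must not count as configured
ServerRoot "C:/Apache24"
timeout 60
<VirtualHost *:443>
    TimeOut 300
</VirtualHost>
Timeout \
    10
"""

def logical_lines(text):
    """Yield (line_number, line): continuations joined, blanks and comments dropped."""
    buf, start = "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = num
        if raw.endswith("\\"):  # directive continues on the next line
            buf += raw[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line and not line.startswith("#"):
            yield start, line

def audit_timeout(text, limit=STIG_MAX_TIMEOUT):
    """Return a list of finding strings; an empty list means the check passes."""
    effective, findings, scope = {}, [], ["server"]
    for num, line in logical_lines(text):
        if line.startswith("</"):
            if len(scope) > 1:
                scope.pop()
        elif line.startswith("<"):
            scope.append(line.strip("<>"))
        else:  # directive names are case-insensitive
            m = re.fullmatch(r"timeout\s+(\S+)", line, re.IGNORECASE)
            if m:  # assumption: a later Timeout in the same scope overrides an earlier one
                effective[" > ".join(scope)] = (num, m.group(1))
    if "server" not in effective:
        findings.append("Timeout is not configured at server level")
    for where, (num, value) in effective.items():
        if not value.isdigit() or int(value) > limit:
            findings.append(f"line {num} ({where}): Timeout {value} is not a value of {limit} or less")
    return findings
```

On the constructed sample, the server-level value resolves to 10 because the continued "Timeout" line overrides "timeout 60", while the 300-second value inside the <VirtualHost> block is reported.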
Fix Text
Review the <'INSTALLED PATH'>\conf\httpd.conf file. Add or modify the "Timeout" directive in the Apache configuration to have a value of "10" seconds or less.

"Timeout 10"

Restart the Apache service.
Additional Identifiers
Rule ID: SV-214338r879650_rule
Vulnerability ID: V-214338
Group Title: SRG-APP-000246-WSR-000149
CCIs
Number | Definition |
---|---|
CCI-001094 | The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems. |
Controls
Number | Title |
---|---|
SC-5 (1) | Restrict Internal Users |