Check: AS24-W1-000030
Apache Server 2.4 Windows Server STIG:
AS24-W1-000030
(in versions v2 r3 through v1 r4)
Title
The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. (Cat II impact)
Discussion
The Apache web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, and communication to authenticate users. The encryption used on each channel must match the sensitivity of the data being retrieved or presented. Methods of communication are "http" for publicly displayed information, "https" to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.

Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000015-WSR-000014, SRG-APP-000033-WSR-000169, SRG-APP-000179-WSR-000110, SRG-APP-000179-WSR-000111, SRG-APP-000439-WSR-000152, SRG-APP-000439-WSR-000154, SRG-APP-000439-WSR-000188, SRG-APP-000442-WSR-000182
Check Content
In a command line, navigate to "<'INSTALLED PATH'>\bin". Run "httpd -M" to view a list of installed modules. If the "ssl_module" is not enabled, this is a finding.

Review the <'INSTALL PATH'>\conf\httpd.conf file to determine if the "SSLProtocol" directive exists and looks like the following:

SSLProtocol -ALL +TLSv1.2 -SSLv2 -SSLv3

If the directive does not exist or exists but does not contain "ALL +TLSv1.2 -SSLv2 -SSLv3", this is a finding.
Fix Text
Ensure the "ssl_module" is loaded in the httpd.conf file (not commented out). Ensure the "SSLProtocol" directive is added and looks like the following in the <'INSTALL PATH'>\conf\httpd.conf file:

SSLProtocol -ALL +TLSv1.2

Restart the Apache service.
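The following is an added example, not part of the STIG or of Apache itself: a small Python checker that reads httpd.conf text, confirms ssl_module is loaded, and resolves the SSLProtocol tokens the way Apache applies them (+ adds, - removes, a bare token replaces the set, ALL expands to every supported protocol) rather than string-matching the directive. It assumes a simplified protocol universe without TLSv1.3 (constructed; a real build's "ALL" may include more), and the sample configuration is constructed.

```python
import re

# Constructed protocol universe for this check; Apache's "ALL" expands to
# every protocol the build supports, which may include TLSv1.3 on newer builds.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANONICAL = {p.lower(): p for p in PROTOCOLS}
REQUIRED = {"TLSv1.2"}  # the only protocol the fix text leaves enabled


def effective_protocols(args):
    """Resolve an SSLProtocol argument string into the set of enabled protocols,
    following Apache's token semantics (case-insensitive names)."""
    enabled = set()
    for tok in args.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        key = name.lower()
        if key == "all":
            members = set(PROTOCOLS)
        elif key in CANONICAL:
            members = {CANONICAL[key]}
        else:
            raise ValueError(f"unknown SSLProtocol token: {tok}")
        if action == "-":
            enabled -= members
        elif action == "+":
            enabled |= members
        else:
            enabled = members  # bare token overrides what was set before
    return enabled


def assess(httpd_conf):
    """Return the list of findings for AS24-W1-000030 (empty means compliant)."""
    findings = []
    # Commented-out lines are ignored, as the fix text requires.
    lines = [ln.strip() for ln in httpd_conf.splitlines()]
    active = [ln for ln in lines if ln and not ln.startswith("#")]
    if not any(re.match(r"LoadModule\s+ssl_module\b", ln) for ln in active):
        findings.append("ssl_module is not loaded")
    directives = [ln for ln in active if re.match(r"SSLProtocol\s", ln)]
    if not directives:
        findings.append("SSLProtocol directive is missing")
    for ln in directives:
        enabled = effective_protocols(ln.split(None, 1)[1])
        if enabled != REQUIRED:
            findings.append(f"{ln!r} enables {sorted(enabled)}")
    return findings


# Constructed sample httpd.conf fragment that satisfies the check.
SAMPLE_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
# SSLProtocol all -SSLv3
SSLProtocol -ALL +TLSv1.2 -SSLv2 -SSLv3
"""
```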
Additional Identifiers
Rule ID: SV-214308r879519_rule
Vulnerability ID: V-214308
Group Title: SRG-APP-000014-WSR-000006
CCIs
Number | Definition
---|---
CCI-000068 | The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-000803 | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
CCI-001453 | The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
CCI-002418 | The information system protects the confidentiality and/or integrity of transmitted information.
CCI-002422 | The information system maintains the confidentiality and/or integrity of information during reception.
Controls
Number | Title
---|---
AC-3 | Access Enforcement
AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption
IA-7 | Cryptographic Module Authentication
SC-8 | Transmission Confidentiality And Integrity
SC-8 (2) | Pre / Post Transmission Handling