Apache Server 2.4 Windows Server STIG Version Comparison

There are 1 differences between versions v2 r3 (Jan. 26, 2023) (the "left" version) and v3 r2 (Jan. 30, 2025) (the "right" version).

Check AS24-W1-000260 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

The Apache web server must not be a proxy server.

Check Content

In If the server has been approved to be a command line, CD to proxy server, this requirement is Not Applicable. Open the "<'INSTALLED <'INSTALL PATH'>\conf\httpd.conf file with PATH'>\bin". Run "httpd -M" to view a list of installed modules. If any an of editor and search for the following modules are present, directive: ProxyRequests If the ProxyRequests directive is set to "On", this is a finding: proxy_module proxy_ajp_module proxy_balancer_module proxy_ftp_module proxy_http_module proxy_connect_module finding.

Discussion

A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use multiuse servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack, making the attack anonymous.

Fix

Edit Open the <'INSTALL PATH'>\conf\httpd.conf file with an editor and remove search for the following modules: proxy_module proxy_ajp_module proxy_balancer_module proxy_ftp_module proxy_http_module proxy_connect_module directive: ProxyRequests Set the directive to a value of "off". Restart the Apache service.