Check: AS24-W2-000890
Apache Server 2.4 Windows Site STIG:
AS24-W2-000890
(in versions v2 r1 through v1 r0.1)
Title
An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. (Cat I impact)
Discussion
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications.

Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000015-WSR-000014, SRG-APP-000033-WSR-000169, SRG-APP-000172-WSR-000104, SRG-APP-000179-WSR-000110, SRG-APP-000179-WSR-000111, SRG-APP-000206-WSR-000128, SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000439-WSR-000156, SRG-APP-000441-WSR-000181, SRG-APP-000442-WSR-000182, SRG-APP-000429-WSR-000113
Check Content
In a command line, navigate to "<'INSTALLED PATH'>\bin". Run "httpd -M" to view a list of installed modules. If the module "mod_ssl" is not enabled, this is a finding.

Review the <'INSTALLED PATH'>\conf\httpd.conf file to determine if the "SSLProtocol" directive exists and looks like the following:

SSLProtocol -ALL +TLSv1.2

If the directive does not exist, or does not contain "-ALL +TLSv1.2", this is a finding.
Fix Text
Ensure the "SSLProtocol" directive is added and looks like the following in the <'INSTALLED PATH'>\conf\httpd.conf file:

SSLProtocol -ALL +TLSv1.2

Ensure the "SSLEngine" parameter is set to "ON" inside the "VirtualHost" directive.
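An added audit helper, not part of the STIG or of Apache, that applies the check and fix text above to the contents of httpd.conf and the output of "httpd -M". It assumes the caller has already concatenated any included files (for example conf/extra/httpd-ssl.conf) into the text passed in; the sample module listing and configuration are constructed.

```python
import re

# Constructed sample "httpd -M" output and httpd.conf fragment (not from the STIG).
SAMPLE_MODULES = """Loaded Modules:
 core_module (static)
 ssl_module (shared)
"""
SAMPLE_CONF = """Listen 443
SSLProtocol -ALL +TLSv1.2
<VirtualHost _default_:443>
    ServerName www.example.test
    SSLEngine on
</VirtualHost>
"""

def ssl_module_loaded(httpd_m_output: str) -> bool:
    """mod_ssl shows up in 'httpd -M' as 'ssl_module'."""
    return any(line.split()[0] == "ssl_module"
               for line in httpd_m_output.splitlines() if line.strip())

def ssl_protocol_findings(conf_text: str) -> list:
    """Findings for SSLProtocol; a missing directive or one lacking the tokens is a finding."""
    findings = []
    directives = [m.group(1).split() for m in
                  re.finditer(r"^\s*SSLProtocol\s+(.+?)\s*$", conf_text, re.I | re.M)]
    if not directives:
        return ["SSLProtocol directive missing"]
    for tokens in directives:
        upper = [t.upper() for t in tokens]
        if "-ALL" not in upper or "+TLSV1.2" not in upper:
            findings.append(f"SSLProtocol does not contain '-ALL +TLSv1.2': {' '.join(tokens)}")
        # Stricter than the literal STIG wording: a later '+' must not re-enable a non-approved version.
        if {"+SSLV2", "+SSLV3", "+TLSV1", "+TLSV1.1"} & set(upper):
            findings.append(f"SSLProtocol re-enables a non-approved version: {' '.join(tokens)}")
    return findings

def sslengine_findings(conf_text: str) -> list:
    """At least one VirtualHost block must carry 'SSLEngine on'."""
    blocks = re.findall(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", conf_text, re.I | re.S)
    if not blocks:
        return ["no VirtualHost block found"]
    if not any(re.search(r"^\s*SSLEngine\s+on\s*$", b, re.I | re.M) for b in blocks):
        return ["no VirtualHost block sets 'SSLEngine on'"]
    return []

def audit_as24_w2_000890(conf_text: str, httpd_m_output: str) -> list:
    """Empty list means no finding for this rule."""
    findings = [] if ssl_module_loaded(httpd_m_output) else ["mod_ssl not loaded (ssl_module absent)"]
    return findings + ssl_protocol_findings(conf_text) + sslengine_findings(conf_text)
```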
Additional Identifiers
Rule ID: SV-214396r395466_rule
Vulnerability ID: V-214396
Group Title: SRG-APP-000014-WSR-000006
CCIs
Number | Definition
---|---
CCI-000068 | The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
CCI-000197 | The information system, for password-based authentication, transmits only cryptographically-protected passwords.
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-000803 | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
CCI-001166 | The information system identifies organization-defined unacceptable mobile code.
CCI-001453 | The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
CCI-002418 | The information system protects the confidentiality and/or integrity of transmitted information.
CCI-002420 | The information system maintains the confidentiality and/or integrity of information during preparation for transmission.
CCI-002422 | The information system maintains the confidentiality and/or integrity of information during reception.
CCI-002476 | The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.
Controls
Number | Title
---|---
AC-3 | Access Enforcement
AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption
IA-5 (1) | Password-Based Authentication
IA-7 | Cryptographic Module Authentication
SC-8 | Transmission Confidentiality And Integrity
SC-8 (2) | Pre / Post Transmission Handling
SC-18 (1) | Identify Unacceptable Code / Take Corrective Actions
SC-28 (1) | Cryptographic Protection