TickYouOff
Apache Server 2.4 Windows STIG Checklist

Hard 19 items · 2 hours
testuser Published 1 month ago

This checklist condenses key tasks from the Apache Server 2.4 Windows STIG to help harden DoD-style web servers running Apache on Windows. It’s for system administrators, web administrators, and security managers who need a compact, actionable assessment and remediation checklist.

Source: https://ncp.nist.gov/checklist/918

  1. Download official DISA Apache 2.4 Windows STIG package — Get the standalone XCCDF and supporting resources from DISA.
  2. Inventory Apache installation and version — Confirm installed Apache version (2.4.x) and installed modules.
  3. Backup Apache configuration and website content — Export httpd.conf, SSL keys, vhosts, and site files before changes.
  4. Apply Windows OS security updates and patches — Install latest supported security fixes before server hardening.
  5. Harden file and directory permissions for Apache service account — Restrict write access to config and web directories to needed accounts.
  6. Configure Apache to run under a least-privilege user account — Avoid running the service as Administrator or SYSTEM where possible.
  7. Disable unused Apache modules and handlers — Comment out or remove LoadModule lines for unused modules.
  8. Configure directory controls to disable directory listing — Set Options -Indexes and restrict FollowSymLinks where not required.
  9. Enable and enforce TLS with strong protocols and ciphers — Serve sensitive content only over TLS and disable HTTP where possible.
  10. Install a valid server certificate and configure SSL certificate paths — Configure SSLCertificateFile/SSLCertificateKeyFile with valid certs.
  11. Disable TLS 1.0/1.1 and weak ciphers; prefer TLS 1.2+ — Set SSLProtocol and SSLCipherSuite to modern, secure values.
  12. Configure HTTP to HTTPS redirection and HSTS — Redirect HTTP to HTTPS and add Strict-Transport-Security header.
  13. Configure secure HTTP headers (HSTS, X-Frame-Options, CSP) — Add headers to mitigate clickjacking, XSS, and mixed content risks.
  14. Restrict access to management interfaces and admin pages — Limit by IP, VPN, or authentication and remove public exposure.
  15. Enforce authentication and authorization for protected resources — Configure appropriate auth providers and least-privilege access.
  16. Enable and configure access and error logging with rotation — Ensure logs capture client IPs and timestamps and that log files are rotated and protected from tampering.
  17. Deploy and configure a web application firewall or mod_security rules — Activate rule sets tailored to your application to block common attacks.
  18. Scan server with the STIG checklist or automated compliance tool and remediate findings — Run the DISA checklist/XCCDF and address identified vulnerabilities.
  19. Document configuration changes and maintain compliance records — Log changes, dates, and responsible personnel for audit and review.
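As an added example (not part of this checklist or the DISA STIG package), a small Python audit that reads an httpd.conf text and reports findings for items 8, 11 and 13 above; the sample configuration, the finding rules and the simplified Apache directive semantics are assumptions made for the demo.

```python
# Added audit example (not the checklist's or DISA's code): reads an httpd.conf text and
# reports findings for items 8, 11 and 13 above. Apache semantics are approximated: "all"
# expands to ALL_PROTOCOLS below; quoting, Include files and <If> blocks are not handled.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
ALL_PROTOCOLS = LEGACY_PROTOCOLS | {"TLSv1.2", "TLSv1.3"}
REQUIRED_HEADERS = ("Strict-Transport-Security", "X-Frame-Options", "Content-Security-Policy")

# Constructed "before" config: listing on, TLS 1.0/1.1 still enabled by "all -SSLv3",
# and only one of the three required headers set.
SAMPLE_HTTPD_CONF = """\
<Directory "C:/Apache24/htdocs">
    Options Indexes FollowSymLinks
</Directory>
SSLProtocol all -SSLv3
Header always set X-Frame-Options "SAMEORIGIN"
"""

def parse_directives(conf_text):
    """Yield (name, args) per directive line, skipping comments, blanks and <Section> tags."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield name, args

def enabled_protocols(args):
    """Apply SSLProtocol tokens left to right: all, -all, +X, -X, or a bare protocol name."""
    enabled = set()
    for tok in args:
        if tok == "all":
            enabled |= ALL_PROTOCOLS
        elif tok == "-all":
            enabled.clear()
        else:  # "-X" removes, "+X" or bare "X" adds
            (enabled.discard if tok.startswith("-") else enabled.add)(tok.lstrip("+-"))
    return enabled

def audit(conf_text):
    """Return sorted finding strings; an empty list means every covered check passed."""
    findings, headers_set = [], set()
    for name, args in parse_directives(conf_text):
        if name == "Options" and any(a.lstrip("+") == "Indexes" for a in args):
            findings.append("Item 8: directory listing enabled (Options Indexes); set -Indexes")
        elif name == "SSLProtocol" and (legacy := enabled_protocols(args) & LEGACY_PROTOCOLS):
            findings.append("Item 11: legacy protocols enabled: " + ", ".join(sorted(legacy)))
        elif name == "Header":  # skip the optional "always"/"onsuccess" condition token
            toks = args[1:] if args and args[0] in ("always", "onsuccess") else args
            if len(toks) >= 2 and toks[0].lower() in ("set", "add", "append", "merge"):
                headers_set.add(toks[1])
    return sorted(findings + [f"Item 13: missing security header {h}"
                              for h in REQUIRED_HEADERS if h not in headers_set])
```

Running `audit(SAMPLE_HTTPD_CONF)` yields four findings; after setting `-Indexes`, `SSLProtocol -all +TLSv1.2 +TLSv1.3` and the three headers, the same audit returns an empty list.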