################################################################################
DOCUMENT         : Apache_Server_2-4_Windows_Site_STIG
VERSION          : 001.001.001
CHECKSUM         : 04d78cdbdde57ed57520db61c048d79c522e1ffa6a0faf12bf1ee1c25977f4ac
MANUAL QUESTIONS : 11

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a Single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 11
TITLE            : CAT I, V-214373, SV-214373r1138073, SRG-APP-000211-WSR-000031
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:1101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:1101
RULE             : Anonymous user access to the Apache web server application directories must be prohibited.
QUESTION_TEXT    : Obtain a list of the user accounts for the system, noting the privileges for each account.

Verify with the System Administrator (SA) or the Information System Security Officer (ISSO) that all privileged accounts are mission essential and documented.

Verify with the SA or the ISSO that all non-administrator access to shell scripts and operating system functions are mission essential and documented.

If undocumented privileged accounts are present, this is a finding.

If undocumented access to shell scripts or operating system functions is present, this is a finding.

References:
SV-102617
V-92529
CCI-001082
CCI-001813
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 11
TITLE            : CAT II, V-214365, SV-214365r960963, SRG-APP-000141-WSR-000015
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:101
RULE             : The Apache web server must not perform user management for hosted applications.
QUESTION_TEXT    : Interview the System Administrator (SA) about the role of the Apache web server.

If the web server is hosting an application, have the SA provide supporting documentation on how the application's user management is accomplished outside of the web server.

If the web server is not hosting an application, this is Not Applicable.

If the web server is performing user management for hosted applications, this is a finding.

If the web server is hosting an application and the SA cannot provide supporting documentation on how the application's user management is accomplished outside of the Apache web server, this is a finding.

References:
SV-102591
V-92503
CCI-000381
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 11
TITLE            : CAT II, V-214367, SV-214367r960963, SRG-APP-000141-WSR-000082
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:301
RULE             : The Apache web server must allow the mappings to unused and vulnerable scripts to be removed.
QUESTION_TEXT    : Locate cgi-bin files and directories enabled in the Apache configuration via "Script", "ScriptAlias" or "ScriptAliasMatch", or "ScriptInterpreterSource" directives.

If any script is present that is not needed for application operation, this is a finding.

References:
SV-102595
V-92507
CCI-000381
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 11
TITLE            : CAT II, V-214371, SV-214371r961041, SRG-APP-000176-WSR-000096
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:701
RULE             : Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web servers private key.
QUESTION_TEXT    : If the Apache web server does not have a private key, this is Not Applicable.

Review the private key path in the "SSLCertificateFile" directive. Verify only authenticated System Administrators and the designated PKI Sponsor for the web server can access the web server private key.

If the private key is accessible by unauthenticated or unauthorized users, this is a finding.

References:
SV-102607
V-92519
CCI-000186
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 11
TITLE            : CAT II, V-214372, SV-214372r1138072, SRG-APP-000211-WSR-000030
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:901
RULE             : Apache web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.
QUESTION_TEXT    : Review the web server documentation and configuration to determine what web server accounts are available on the server.

If any directories or files are owned by anyone other than root, this is a finding.

If non-privileged web server accounts are available with access to functions, directories, or files not needed for the role of the account, this is a finding.

References:
SV-102615
V-92527
CCI-001082
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 11
TITLE            : CAT II, V-214374, SV-214374r1138074, SRG-APP-000211-WSR-000129
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:1301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:1301
RULE             : The Apache web server must separate the hosted applications from hosted Apache web server management functionality.
QUESTION_TEXT    : Review the web server documentation and deployed configuration to determine whether hosted application functionality is separated from web server management functions.

If the functions are not separated, this is a finding.

References:
SV-102619
V-92531
CCI-001082
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 11
TITLE            : CAT II, V-214376, SV-214376r1043180, SRG-APP-000223-WSR-000011
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:1501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:1501
RULE             : Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.
QUESTION_TEXT    : Review the <'INSTALLED PATH'>\conf\httpd.conf file.

If "HttpOnly; secure" is not configured, this is a finding.

Review the code. If when creating cookies, the following is not occurring, this is a finding:

function setCookie() { document.cookie = "ALEPH_SESSION_ID = $SESS; path = /; secure"; }

References:
SV-102623
V-92535
CCI-001664
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 11
TITLE            : CAT II, V-214380, SV-214380r961122, SRG-APP-000225-WSR-000074
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:1701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:1701
RULE             : The Apache web server must augment re-creation to a stable and known baseline.
QUESTION_TEXT    : Interview the System Administrator for the Apache web server.

Ask for documentation on the disaster recovery methods tested and planned for the Apache web server in the event of the necessity for rollback.

If documentation for a disaster recovery has not been established, this is a finding.

References:
SV-102633
V-92545
CCI-001190
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 11
TITLE            : CAT II, V-214382, SV-214382r961131, SRG-APP-000233-WSR-000146
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:1901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:1901
RULE             : The Apache web server document directory must be in a separate partition from the Apache web servers system files.
QUESTION_TEXT    : Determine whether the public web server has a two-way trusted relationship with any private asset located within the network. Private web server resources (e.g., drives, folders, printers, etc.) will not be directly mapped to or shared with public web servers.

If sharing is selected for any web folder, this is a finding.

If private resources (e.g., drives, partitions, folders/directories, printers, etc.) are shared with the public web server, this is a finding.

References:
SV-102637
V-92549
CCI-001084
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 11
TITLE            : CAT II, V-214388, SV-214388r961278, SRG-APP-000315-WSR-000004
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:2301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:2301
RULE             : The Apache web server must restrict inbound connections from nonsecure zones.
QUESTION_TEXT    : Review the <'INSTALLED PATH'>\conf\httpd.conf file.

If "IP Address Restrictions" are not configured or IP ranges configured to be "Allow" are not restrictive enough to prevent connections from nonsecure zones, this is a finding.

References:
SV-102653
V-92565
CCI-002314
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 11
TITLE            : CAT II, V-214389, SV-214389r961353, SRG-APP-000340-WSR-000029
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:2501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:2501
RULE             : Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.
QUESTION_TEXT    : Determine which tool or control file is used to control the configuration of the web server.

If the control of the web server is done via control files, verify who has update access to them. If tools are being used to configure the web server, determine who has access to execute the tools.

If accounts other than the System Administrator (SA), the Web Manager, or the Web Manager designees have access to the web administration tool or control files, this is a finding.

References:
SV-102655
V-92567
CCI-002235
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

