UCF STIG Viewer Logo

Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.


Finding ID Version Rule ID IA Controls Severity
V-92367 AS24-W1-000230 SV-102455r1_rule Medium
In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development website. The process of developing on a functional production website entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files that reveal business logic and logon schemes is high in this situation. The existence of such immature content on a web server represents a significant security risk that is totally avoidable. The web server must enforce, internally or through an external utility, the signing of modules before they are implemented into a production environment. By signing modules, the author guarantees that the module has been reviewed and tested before production implementation.
Apache Server 2.4 Windows Server Security Technical Implementation Guide 2019-09-30


Check Text ( C-91663r1_chk )
Open the <'INSTALL PATH'>\conf\httpd.conf file.

Review the list of loaded modules.

If any of the loaded modules are unsigned, this is a finding.
Fix Text (F-98605r1_fix)
Remove any unsigned modules.