| Author |  | 
| James Blond Moderator
 
  
 Joined: 19 Jan 2006
 Posts: 7442
 Location: EU, Germany, Next to Hamburg
 
 | 
|  Posted: Thu 02 Aug '07 11:51    Post subject: Some ways to secure apache web server under Windows |   |  
| 
 |  
| Install the latest version. Older versions contain bugs which could be used by attackers.
 
 
 Hide the Apache Version number, and other sensitive information
 
 Here are two directives that you need to add, or edit, in your httpd.conf file:
 
  	  | Code: |  	  | ServerSignature Off
 ServerTokens Prod
 
 | 
 
 The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.
 
 The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting
 it to Prod it sets the HTTP response header as follows:
 
 
 
 If you're super paranoid you could change this to something other than "Apache" by editing the source code, or by using mod_security
 
 Ensure that files outside the web root are not served
 
 We don't want Apache to be able to access any files outside of its web root.
 So assuming all your web sites are placed under one directory (we will call this
 C:/apache2/htdocs), you would set it up as follows:
 
 
  	  | Code: |  	  | <Directory />
 Order Deny,Allow
 Deny from all
 Options None
 AllowOverride None
 </Directory>
 <Directory C:/apache2/htdocs>
 Order Allow,Deny
 Allow from all
 </Directory>
 
 | 
 
 Note that because we set Options None and AllowOverride None, this turns off all options and overrides for the whole server.
 You now have to add them explicitly for each directory that requires an Option or Override.
 
 Turn off directory browsing
 
 You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes
 
 
 
 Turn off server side includes
 
 This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes
 
 
 
 Turn off CGI execution
 
 If you're not using CGI, turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI
 
 
 
 Turning off multiple Options
 
 Now combine all of it!
 
 shortest
 
 
 
 or
 
 
  	  | Code: |  	  | Options -ExecCGI -Includes -Indexes
 
 | 
 
 
 Turn off support for .htaccess files
 
 This is done in a Directory tag but with the AllowOverride directive. Set it to None.
 
 
 
 Disable any unnecessary modules
 
 Apache typically comes with several modules installed. Go through the apache module documentation and learn
 what each module you have enabled actually does. Many times you will find that you don't need to have the said module enabled.
 
 Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line.
 
 
 Restricting Access by IP
 If you have a resource that should only be accessed by a certain network or IP address, you can enforce this in your Apache configuration. For instance, if you want to restrict access to your intranet to allow only the 192.168 network:
 
 
  	  | Code: |  	  | Order Deny,Allow
 Deny from all
 Allow from 192.168.0.0/16
 
 | 
 
 or by IP
 
 
  	  | Code: |  	  | Order Deny,Allow
 Deny from all
 Allow from 127.0.0.1 192.168
 
 | 
 
 Any comments?
 
 Last edited by James Blond on Thu 06 Sep '07 10:03; edited 1 time in total
| flyingmonkey 
 
 
 Joined: 01 Aug 2007
 Posts: 15
 
 
 | 
|  Posted: Wed 05 Sep '07 22:13    Post subject: |   |  
| 
 |  
| Great Post! 
 I think there may've been a typo in "Turn off directory browsing" code:
 
 
 seems like it should be:
 
 
 
 Reducing the Timeout may also help prevent DoS attacks.  I believe the default is 300.
 
 
  	  | Code: |  	  | # wait up to 60 seconds for slow clients
 TimeOut 60
 
 | 
 
 Do you have any tips on setting up accounts / partitions / etc. for Apache on Windows?  I would like to try and make my installation as secure as possible.  I am a relative newb to Apache.
| James Blond Moderator
 
  
 Joined: 19 Jan 2006
 Posts: 7442
 Location: EU, Germany, Next to Hamburg
 
 | 
|  Posted: Thu 06 Sep '07 10:04    Post subject: |   |  
| 
 |  
| Thanks! I corrected that typo   
 The thing with TimeOut is a good hint!
| flyingmonkey 
 
 
 Joined: 01 Aug 2007
 Posts: 15
 
 
 | 
|  Posted: Thu 06 Sep '07 22:33    Post subject: |   |  
| 
 |  
| No problem. If I am using Apache just as a reverse proxy without hosting anything directly on the server, do I still need the latter section
 of "Ensure that files outside the web root are not served"?
 
 
  	  | Code: |  	  | <Directory C:/apache2/htdocs>
 Order Allow,Deny
 Allow from all
 </Directory>
 
 | 
 
 My assumption is no, since I won't have any files stored.  I just want to double check that I am not opening up a big no-no.
| James Blond Moderator
 
  
 Joined: 19 Jan 2006
 Posts: 7442
 Location: EU, Germany, Next to Hamburg
 
 | 
|  Posted: Fri 07 Sep '07 9:49    Post subject: |   |  
| 
 |  
| "Ensure that files outside the web root are not served" is this part. 
 
  	  | Code: |  	  | <Directory />
 Order Deny,Allow
 Deny from all
 Options None
 AllowOverride None
 </Directory>
 
 | 
 
 The / will be interpreted by Windows as the root, e.g. C:\ or D:\ ...
 If you only run your server as a reverse proxy there is no security hole at all.
 
 And yes, you need the permission part for the doc root, which is the doc root for the reverse proxy, if you did not set up a vhost.
| iiigoiii 
 
 
 Joined: 14 Dec 2007
 Posts: 1
 
 
 | 
|  Posted: Fri 14 Dec '07 23:41    Post subject: Re: Some ways to secure apache web server under Windows |   |  
| 
 |  
| Just wanted to mention for those installing 2.x that the ServerSignature and ServerTokens directives are no longer in httpd.conf, but in extra/httpd-default.conf. 
 and of course it goes without mentioning that the
 #Include conf/extra/httpd-default.conf
 line must be uncommented if changes are made to that file!
 
 
  	  | Quote: |  	  | Hide the Apache Version number, and other sensitive information 
 here are two directives that you need to add, or edit in your httpd.conf file:
 
  	  | Code: |  	  | ServerSignature Off
 ServerTokens Prod
 
 | 
 
 
 | 
| Mitron 
 
 
 Joined: 04 Jan 2006
 Posts: 63
 
 
 | 
|  Posted: Mon 17 Dec '07 8:59    Post subject: Re: Some ways to secure apache web server under Windows |   |  
| 
 |  
|  	  | James Blond wrote: |  	  | Restricting Access by IP
 If you have a resource that should only by accessed by a certain network, or IP address you can enforce this in your apache configuration. For instance if you want to restrict access to your intranet to allow only the 192.168 network:
 
 
  	  | Code: |  	  | Order Deny,Allow
 Deny from all
 Allow from 192.18.0.0/16
 
 | 
 
 | 
 
 Don't want to be a stickler or anything, but should this be?
 
  	  | Code: |  	  | Order Deny,Allow
 Deny from all
 Allow from 192.168.0.0/16
 
 | 
| ndricim 
 
 
 Joined: 19 Mar 2018
 Posts: 4
 Location: Kosovo, Ferizaj
 
 | 
|  Posted: Wed 20 Mar '19 14:37    Post subject: |   |  
| 
 |  
| How do I disable browsing all system files with a file manager like phpFileManager? |  | 
| glsmith Moderator
 
  
 Joined: 16 Oct 2007
 Posts: 2268
 Location: Sun Diego, USA
 
 | 
|  Posted: Wed 20 Mar '19 23:25    Post subject: |   |  
| 
 |  
| If people should always be using the latest version, should this thread not be modified to follow suit (Require vs. Allow/Deny/Order/Satisfy)? 
 Problems can occur when mixing the two. This is why at Apache Haus mod_access_compat is not loaded by default (in contrast to how it's configured out of compiler).
 
 Quite frankly, once you have wrapped your head around it (which will take time), you will probably like it better.
 
 If you are using the old 2.2 style and have not wrapped your head around Order, you could easily shoot yourself in the foot. Probable? In most circumstances no. Still possible? Yes.
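Since the thread spans 2.2-style Order/Allow/Deny and the 2.4 Require syntax glsmith recommends, here is an added example (my own code, not from any post in this thread and not part of Apache) that audits an httpd.conf fragment for the points in the first post (ServerSignature/ServerTokens, a denying <Directory />, Indexes/Includes/ExecCGI, AllowOverride) and flags the 2.2/2.4 mixing and the missing mod_access_compat case from glsmith's reply. Both embedded configs are constructed samples; the hardened one is the first post's blocks rewritten with Require. The parser is deliberately minimal: it does not follow Include, evaluate <IfModule>, or track anything other than <Directory> sections, so feed it the assembled config rather than a single extra/ file.

```python
"""Audit an httpd.conf fragment for the hardening steps discussed in this thread.
Added example, not code from the thread.  Assumes Apache 2.4 semantics and a
minimal parser: no Include expansion, no <IfModule>, only <Directory> sections."""
import re

# Constructed sample: a weak configuration that violates most of the advice.
WEAK_CONF = """
ServerSignature On
ServerTokens Full
LoadModule cgi_module modules/mod_cgi.so
<Directory />
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Order Deny,Allow
    Allow from all
</Directory>
<Directory "C:/apache2/htdocs">
    Options +Indexes
    Require all granted
    Allow from all
</Directory>
"""

# Constructed sample: the same server hardened, written in 2.4 Require syntax.
HARDENED_CONF = """
ServerSignature Off
ServerTokens Prod
Timeout 60
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory "C:/apache2/htdocs">
    Options -ExecCGI -Includes -Indexes
    AllowOverride None
    Require all granted
</Directory>
<Directory "C:/apache2/htdocs/intranet">
    Require ip 127.0.0.1 192.168.0.0/16
</Directory>
"""

LEGACY_ACCESS = {"order", "allow", "deny", "satisfy"}  # 2.2 style; needs mod_access_compat
RISKY_OPTIONS = {"indexes", "includes", "execcgi"}      # the Options the thread turns off
SECTION_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>$', re.I)


def parse(conf):
    """Split a config into global directives and <Directory> sections.
    Both are lists of (lowercased directive name, [args]) tuples in file order."""
    globals_, sections, current = [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), [])
            sections.append(current)
            continue
        if line.lower() == "</directory>":
            current = None
            continue
        parts = line.split(None, 1)
        args = parts[1].split() if len(parts) > 1 else []
        (current[1] if current is not None else globals_).append((parts[0].lower(), args))
    return globals_, sections


def has(directives, name, *args):
    """True if a directive with exactly these (case-insensitive) arguments is present."""
    return any(n == name and [a.lower() for a in v] == list(args) for n, v in directives)


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    globals_, sections = parse(conf)
    findings = []
    if not has(globals_, "serversignature", "off"):
        findings.append("ServerSignature is not Off")
    if not has(globals_, "servertokens", "prod"):
        findings.append("ServerTokens is not Prod")
    compat = any(n == "loadmodule" and v[:1] == ["access_compat_module"] for n, v in globals_)
    if not any(path == "/" for path, _ in sections):
        findings.append("no <Directory /> section: files outside the web root are reachable")
    for path, directives in sections:
        names = {n for n, _ in directives}
        for n, v in directives:
            if n == "options":
                # "-Foo" disables, "+Foo"/"Foo" enables; "None" enables nothing risky
                enabled = {a.lstrip("+").lower() for a in v if not a.startswith("-")}
                for opt in sorted(enabled & RISKY_OPTIONS):
                    findings.append(f"{path}: Options enables {opt}")
        if path == "/":
            if not has(directives, "allowoverride", "none"):
                findings.append("/: AllowOverride is not None (.htaccess honoured everywhere)")
            if not (has(directives, "require", "all", "denied") or has(directives, "deny", "from", "all")):
                findings.append("/: access is not denied by default")
        legacy = names & LEGACY_ACCESS
        if legacy and "require" in names:
            findings.append(f"{path}: mixes 2.2 Order/Allow/Deny with 2.4 Require")
        elif legacy and not compat:
            findings.append(f"{path}: uses 2.2 access control but access_compat_module is not loaded")
    return findings
```

Running `audit(WEAK_CONF)` lists ten findings, including the mixed Allow/Require block under htdocs and the fact that the legacy directives under / would not even load without mod_access_compat; `audit(HARDENED_CONF)` returns an empty list. The Deny-from-all fallback in the root check is there only so a pure 2.2 config with mod_access_compat loaded still passes; on a 2.4 build the Require form is the one to use.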