STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 21 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Apache Server 2.4 UNIX Site Security Technical Implementation Guide

V-214304

CAT III (Low)

The Apache web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services.

Rule ID

SV-214304r1211013_rule

STIG

Apache Server 2.4 UNIX Site Security Technical Implementation Guide

Version

V2R7

CCIs

CCI-001762CCI-000366

Discussion

Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The web server must provide the capability to disable or deactivate network-related services that are deemed nonessential to the server mission, are too unsecure, or are prohibited by the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments. Configuring the web server to implement organizationwide security implementation guides and security checklists guarantees compliance with federal standards and establishes a common security baseline across the DOD that reflects the most restrictive security posture consistent with operational requirements. Satisfies: SRG-APP-000516-WSR-000174, SRG-APP-000383-WSR-000175

Check Content

Review the website to determine if HTTP and HTTPS are used in accordance with well-known ports (e.g., 80 and 443) or those ports and services as registered and approved for use by the DOD PPSM. 
 
Verify that any variation in PPS is documented, registered, and approved by the PPSM. 
 
If well-known ports and services are not approved for use by PPSM, this is a finding.

Fix Text

Ensure the website enforces the use of IANA well-known ports for HTTP and HTTPS.