Setup guide
not intended to be a web server. Second, secure web administration demands
scrutiny of some basic configuration settings. Third, SSL encryption should be used
to encrypt any sensitive web traffic. Securely configuring all features of the Apache
Web Server is beyond the scope of this document. Apple’s “Mac OS X Server Web
Technologies Administration” manual provides an introduction to basic web services
on Mac OS X and security issues involved. The Apache project web page
(http://www.apache.org/) provides complete documentation, and the Center for
Internet Security (http://www.cisecurity.org) provides an Apache Benchmark and
Scoring tool. Basic configuration guidance that can be done using the Server
Manager tool is given in this section.
4.6.1 Disable the Web Server
If the system is not intended to be a web server, deactivate web services using the
Server Admin tool. On a newly-installed system, the web server should be off by
default, but verification is recommended. To deactivate web services:
1. Open Server Admin.
2. Click Web in the list for the server you want.
3. Verify that the top of the Overview window says “Web Service is: Stopped.”
If not, stop the service by clicking the Stop Service button at the top of the
window.
4.6.2 Basic Security Settings
If the system must act as a web server, check some basic security-relevant web server
settings:
1. Open Server Admin.
2. Click Web in the list for the server you want.
3. Click Settings.
4. Click Modules.
5. Uncheck all the boxes except for the modules that your site requires.
6. Click Sites.
7. Double-click on your site in the list. A new pane with configuration
options for that site should appear.
8. Click the Options tab.
9. Uncheck the boxes for Folder Listing, WebDAV, CGI Execution, and
WebMail unless they are required.
See the other resources for more detailed security configuration settings.
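
The settings from section 4.6.2 can also be verified from the Apache configuration text itself. The script below is an added example, not part of the original guide: it assumes the checkboxes correspond to the Apache directives LoadModule, Options (Indexes, ExecCGI) and Dav, and it runs on a constructed sample configuration. WebMail is not covered.

```python
"""Audit an Apache config for the features section 4.6.2 says to switch off."""

# Assumed mapping from the Options-tab checkboxes to Apache "Options" keywords.
RISKY_OPTIONS = {"indexes": "Folder Listing", "execcgi": "CGI Execution"}

# Constructed sample configuration (module paths and directory are made up).
SAMPLE_CONF = """\
LoadModule ssl_module  modules/example_ssl.so
LoadModule dav_module  modules/example_dav.so
#LoadModule cgi_module modules/example_cgi.so
<Directory "/srv/example-site">
    Options Indexes -ExecCGI FollowSymLinks
    Dav On
</Directory>
"""

def audit_httpd_conf(conf_text, required_modules=()):
    """Return sorted findings. Does not follow Include files or merge contexts."""
    required = {m.lower() for m in required_modules}
    findings = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        directive, *args = line.split()
        directive = directive.lower()
        if directive == "loadmodule" and args:
            if args[0].lower() not in required:
                findings.add(f"unrequired module loaded: {args[0]}")
        elif directive == "options":
            for opt in args:
                if opt.startswith("-"):            # explicitly disabled
                    continue
                name = opt.lstrip("+").lower()
                # "All" turns on every option except MultiViews.
                names = RISKY_OPTIONS if name == "all" else [name]
                for n in names:
                    if n in RISKY_OPTIONS:
                        findings.add(f"{RISKY_OPTIONS[n]} enabled via Options {opt}")
        elif directive == "dav" and args and args[0].lower() != "off":
            findings.add(f"WebDAV enabled via Dav {args[0]}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_httpd_conf(SAMPLE_CONF, required_modules=["ssl_module"]):
        print(finding)
```

Pass the modules your site actually requires as required_modules; every other loaded module is reported.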
UNCLASSIFIED