
08/26/2008

Apache Configuration and PCI Compliance - Configuration Change #3

Check out the new HOWTO Guides section for an up-to-date version of this post.

I have launched a new section on this site and you can find HOWTO: Disable Trace and Track in Apache HTTPD there.

In previous articles, I posted about the need to secure your Apache server using ServerTokens and setting the SSLProtocol and SSLCipher directives to disable SSLv2 and null and weak ciphers. This post will concentrate on disabling certain HTTP methods, because they are enabled by default in Apache and because they will haunt you after your next quarterly PCI compliance scan.

If you are running IIS6 or later, you're in luck. The TRACE method is disabled by default, although TRACK does work. This is not the case with Apache, however, and if you run lots of sites, your very first PCI Compliance scan will have all of your Apache sites listed as vulnerable to the "HTTP TRACE/TRACK Method Support Cross-Site Tracing Vulnerability".

The one way that I know of to do away with this is with a mod_rewrite rule. There are lots of examples out there on the web for this but here's one below. You need to make sure that you are loading mod_rewrite.so in your apache configuration. Then it's just a matter of adding the following to your httpd.conf (or httpsd.conf):

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Alternatively, if you are using a newer version of Apache, you can add the TraceEnable directive and set it to "Off".

You don't necessarily need to disable TRACK in Apache but if you're looking to cover all your bases, modify the rewrite rule as follows to disable TRACE, TRACK, and OPTIONS.

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]

Why disable OPTIONS? There is no real good reason that I've been able to find. I do not know if some Approved Scanning Vendors will mark you out-of-compliance for TRACE if they simply submit an "OPTIONS *" request against your site. (If you disable TRACE and submit an OPTIONS request, TRACE still shows up as an Allowed communication method on Apache and IIS.) However, I've had reports that if you make spreadsheets available and want to open them in place using Excel, disabling OPTIONS will cause problems if the resource is SSL protected. I've also experienced first-hand that some versions of CICS will submit an OPTIONS request prior to submitting a POST, so if some of your mainframe customers are using an older version of CICS, disabling OPTIONS could cause them problems.
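To confirm the change on a server you administer before the next scan, here is an added Python checker (not code from the original post). It sends a TRACE and an OPTIONS request, treats a 200 reply that echoes the request as message/http as "TRACE still enabled" (403 from the rewrite rule or 405 from TraceEnable Off means blocked), and separately reports whether the Allow header still advertises TRACE, which is the quirk noted above. The sample responses embedded in it are constructed for the offline demo; host, port and path for probe() are whatever you supply.

```python
import http.client

# Constructed sample responses (not captured from a real server): an Apache with TRACE
# enabled echoes the request back as message/http; a TraceEnable Off style refusal
# returns 405; an OPTIONS reply may still list TRACE in Allow after a rewrite-based block.
SAMPLE_TRACE_ENABLED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                        b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
SAMPLE_TRACE_DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"
SAMPLE_OPTIONS = b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\nContent-Length: 0\r\n\r\n"

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def trace_enabled(status, headers):
    """TRACE is still live when the server answers 200 and echoes the request as
    message/http; a 403 (RewriteRule [F]) or 405 (TraceEnable Off) means it is blocked."""
    return status == 200 and headers.get("content-type", "").lower().startswith("message/http")

def allowed_methods(headers):
    """Methods advertised in an OPTIONS response's Allow header (may still list TRACE)."""
    return [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]

def assess(trace_raw, options_raw):
    """Combine both probes into the two facts a compliance scan cares about."""
    t_status, t_headers, _ = parse_response(trace_raw)
    _, o_headers, _ = parse_response(options_raw)
    return {"trace_enabled": trace_enabled(t_status, t_headers),
            "trace_advertised": "TRACE" in allowed_methods(o_headers)}

def probe(host, method, path="/", port=443, use_tls=True, timeout=5):
    """Send one request to your own server and return the same tuple shape as
    parse_response, so the result can be fed to trace_enabled / allowed_methods."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read()
    finally:
        conn.close()

if __name__ == "__main__":
    print(assess(SAMPLE_TRACE_ENABLED, SAMPLE_OPTIONS))  # offline demo on the constructed samples
```

For a live check, call probe(host, "TRACE") and probe(host, "OPTIONS", "*") and pass the status and headers to trace_enabled() and allowed_methods().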
