Securing apache server windows

If you did not do a binary install, Apache will in some scenarios complain about the missing registry key. This warning can be ignored if the server was otherwise able to find its configuration file. The value of this key is the ServerRoot directory, which contains the conf subdirectory. When Apache starts it reads the httpd.conf file from that directory. If this file contains a ServerRoot directive that names a different directory from the one obtained from the registry key, Apache ignores the registry key and uses the directory from the configuration file.

If you copy the Apache directory or configuration files to a new location, it is vital that you update the ServerRoot directive in httpd.conf to reflect the new location. After starting Apache, either in a console window or as a service, it will be listening on port 80, unless you changed the Listen directive in the configuration files or installed Apache only for the current user (in which case it listens on port 8080).

To connect to the server and access the default page, launch a browser and enter the URL http://localhost/. Apache should respond with a welcome page saying "It Works!". If nothing happens or you get an error, look in the error.log file in the logs subdirectory. If you happen to be running Apache on an alternate port, you need to put that port explicitly in the URL, for example http://localhost:8080/. Once your basic installation is working, you should configure it properly by editing the files in the conf subdirectory.

Again, if you change the configuration of the Windows NT service for Apache, first attempt to start it from the command line to make sure that the service starts with no errors.

If Apache cannot bind to port 80, check for another service that already owns it. These conflicting services include other WWW servers, some firewall implementations, and even some client applications such as Skype, which will use port 80 to attempt to bypass firewall issues.

Mapped drive letters allow the administrator to maintain the mapping to a specific machine and path outside of the Apache httpd configuration.

However, these mappings are associated only with interactive sessions and are not directly available to Apache httpd when it is started as a service. Use only UNC paths for network resources in httpd.conf, so that the resources can be accessed consistently regardless of how Apache httpd is started. Arcane and error-prone procedures may work around the restriction on mapped drive letters, but this is not recommended. When running Apache httpd as a service, you must create a separate account (rather than running as LocalSystem) in order to access network resources. If more than a few dozen piped loggers are used on an operating system instance, scaling up the "desktop heap" is often necessary.

For more detailed information, refer to the piped logging documentation.

Copyright The Apache Software Foundation. Licensed under the Apache License, Version 2.0.

Customizing Apache for Windows

Apache is configured by the files in the conf subdirectory. The main differences in Apache for Windows are: Because Apache for Windows is multithreaded, it does not use a separate process for each request, as Apache can on Unix. Instead there are usually only two Apache processes running: a parent process, and a child which handles the requests.

The process management directives are also different. MaxConnectionsPerChild: like the Unix directive, this controls how many connections a single child process will serve before exiting; unlike on Unix, however, a replacement process is not instantly available. Warning: the server configuration file is reread when a new child process is started. If you have modified httpd.conf in the meantime, the new child may not start, or you may receive unexpected results. You can install Apache as a Windows NT service as follows, from the command prompt in the Apache bin subdirectory: httpd.exe -k install. Never grant any network privileges to the LocalSystem account!
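The procedure above (check the configuration from the command line, register the service, run it under a separate account instead of LocalSystem) as one PowerShell script. This is an added example, not part of the Apache documentation; the install root C:\Apache24, the service name Apache24 and the account name apache-svc are assumptions, and the script expects an elevated PowerShell session.

```powershell
# Added example (not from the Apache documentation): register httpd as a
# Windows service running under a dedicated, unprivileged local account.
# Assumed names: install root C:\Apache24, service "Apache24", user "apache-svc".
$ApacheRoot  = 'C:\Apache24'
$ServiceName = 'Apache24'
$SvcUser     = 'apache-svc'

# 1. Check httpd.conf before registering anything: httpd -t parses the
#    configuration and exits non-zero on a syntax error.
& "$ApacheRoot\bin\httpd.exe" -t
if ($LASTEXITCODE -ne 0) { throw 'httpd.conf has errors; fix them before installing the service' }

# 2. Create the service account. New-LocalUser does not add it to any group,
#    and it must never be added to Administrators. If the service later fails
#    with a logon failure, grant the account "Log on as a service" under
#    Local Security Policy > User Rights Assignment.
$Password = Read-Host -AsSecureString -Prompt "Password for $SvcUser"
New-LocalUser -Name $SvcUser -Password $Password -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'Apache httpd service account' | Out-Null

# 3. Least-privilege file permissions: read/execute on the install tree and
#    write only where httpd must write (its logs). Extend this if the web
#    application itself needs to write elsewhere.
icacls $ApacheRoot        /grant "${SvcUser}:(OI)(CI)RX" /T | Out-Null
icacls "$ApacheRoot\logs" /grant "${SvcUser}:(OI)(CI)M"  /T | Out-Null

# 4. Register the service (the same command the documentation gives) and then
#    switch its logon account. Win32_Service.Change accepts the password as a
#    method argument, so it never appears on a command line the way
#    "sc.exe config ... password=" would put it.
& "$ApacheRoot\bin\httpd.exe" -k install -n $ServiceName
$svc    = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$plain  = [System.Net.NetworkCredential]::new('', $Password).Password
$result = Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = ".\$SvcUser"; StartPassword = $plain }
Remove-Variable plain
if ($result.ReturnValue -ne 0) { throw "Changing the service account failed (code $($result.ReturnValue))" }

# 5. Start the service and show which account it now runs as.
Start-Service $ServiceName
(Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
```

The account gets no rights beyond the two icacls grants, so anything the site needs that is not under the install tree (a UNC share referenced from httpd.conf, a writable upload directory) has to be granted explicitly to apache-svc; that is the "separate account" the documentation has in mind for network resources.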

If directory listing (the Indexes option) is enabled, an attacker can simply discover and view any file in a listed directory. This could potentially lead to the attacker decompiling and reverse engineering an application in order to obtain the source code. They can then analyze the source code for possible security flaws, or obtain more information about an application, such as database connection strings, passwords to other systems, etc.

You can disable directory listing by setting Options -Indexes in the Apache httpd.conf file, either globally or in the Directory block for the document root. A default installation of the Apache HTTP server may include many pre-installed and enabled modules that you do not need. To add insult to injury, some web server administrators have a tendency to take the path of least resistance and enable all the remaining modules in httpd.conf.

This, however, also exposes the Apache server to any security issues that exist, or are discovered in the future, in the enabled modules. The Apache module documentation lists and explains all the modules available for Apache. Research the modules that you have enabled and make sure that they are really required for the functionality of the website.

Unnecessary modules should be disabled by commenting out the corresponding LoadModule line with a leading #. The server-status page served by mod_status reports details such as server uptime, load and the requests in progress; this information might prove vital to an attacker crafting an attack against the web server, so always ensure that server status is disabled. Leaving the ServerSignature directive enabled displays Apache configuration details as a footer on server-generated pages (error pages and directory listings). The details include the Apache version and the server name. In order to prevent Apache from broadcasting this sensitive information, set ServerSignature Off in the Apache configuration file.

The ServerTokens directive decides exactly what details about the server are sent in the Server response header field. The accepted values (Prod, Major, Minor, Min, OS and Full) are listed in the Apache ServerTokens documentation. To send only the product name, include the directive ServerTokens Prod in the Apache configuration file.

The default TraceEnable On allows the HTTP TRACE method, a debugging method that echoes the request back to the client; TRACE does not accept a request body. Leaving it on exposes the server to Cross-Site Tracing (XST), which can help an attacker steal cookie details by having a script issue a TRACE request (modern browsers refuse TRACE from scripts, but the method is still worth disabling). Disable it by setting TraceEnable Off in the configuration file.

LimitRequestFields: this directive limits the number of header fields accepted in a single client request and should be kept as low as the application allows. The default value is 100. It can be lowered if a denial-of-service attack occurs that sends requests carrying many HTTP request headers.

Timeout: this directive sets the amount of time the server waits for certain events (such as receiving the request or the next chunk of a request body) to complete before it fails the request. The default value is 60 seconds. It should be set to the minimum that legitimate clients tolerate on websites that are prone to slow-request DoS attacks; setting it too low breaks slow uploads and clients on poor links.
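The checks from the hardening sections above (ServerTokens, ServerSignature, TraceEnable, directory listing, unneeded modules, LimitRequestFields, Timeout) collected into one PowerShell audit function, with a constructed weak configuration beside its corrected form. This is an added example, not code from the page or the Apache project; the defaults it assumes are Apache 2.4's, and the list of modules it asks you to review is an assumed starting point for the review the page recommends, not an Apache rule.

```powershell
# Added example (not from the page or the Apache project): audit httpd.conf
# lines for the weak settings discussed above. Defaults assumed are Apache 2.4's.
function Test-ApacheHardening {
    param(
        [Parameter(Mandatory)]
        [string[]]$ConfigLines,              # lines of httpd.conf (and any Included files)
        [int]$MaxRequestFields = 100,        # flag values above Apache's default
        [int]$MaxTimeout       = 60          # seconds; Apache 2.4 default
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $seen     = @{}
    # Assumed review list: modules that are commonly loaded but rarely needed.
    $reviewModules = @('status_module', 'info_module', 'autoindex_module',
                       'userdir_module', 'cgi_module')

    foreach ($raw in $ConfigLines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }   # comments and blanks
        $parts = $line -split '\s+', 2
        $name  = $parts[0]
        $value = if ($parts.Count -gt 1) { $parts[1].Trim('"') } else { '' }
        $seen[$name] = $value

        switch -Regex ($name) {
            '^ServerTokens$'    { if ($value -ne 'Prod') { $findings.Add("ServerTokens ${value}: leaks version details, set ServerTokens Prod") } }
            '^ServerSignature$' { if ($value -ne 'Off')  { $findings.Add("ServerSignature ${value}: adds a version footer, set ServerSignature Off") } }
            '^TraceEnable$'     { if ($value -ne 'Off')  { $findings.Add("TraceEnable ${value}: TRACE enabled, set TraceEnable Off") } }
            '^Options$' {
                # "Indexes" or "+Indexes" enables listings; "-Indexes" does not match.
                if ($value -match '(^|\s)\+?Indexes(\s|$)') {
                    $findings.Add("Options ${value}: directory listing enabled, use Options -Indexes")
                }
            }
            '^LoadModule$' {
                $module = ($value -split '\s+')[0]
                if ($reviewModules -contains $module) { $findings.Add("LoadModule ${module}: disable unless the site needs it") }
            }
            '^LimitRequestFields$' { if ([int]$value -gt $MaxRequestFields) { $findings.Add("LimitRequestFields ${value}: above $MaxRequestFields") } }
            '^Timeout$'            { if ([int]$value -gt $MaxTimeout)       { $findings.Add("Timeout ${value}: above $MaxTimeout seconds") } }
        }
    }
    # Directives whose insecure behaviour is the default when they are absent.
    if (-not $seen.ContainsKey('ServerTokens')) { $findings.Add('ServerTokens not set: default Full leaks version details, set ServerTokens Prod') }
    if (-not $seen.ContainsKey('TraceEnable'))  { $findings.Add('TraceEnable not set: default On, set TraceEnable Off') }
    return ,$findings.ToArray()
}

# Constructed sample: a "defaults plus everything enabled" configuration.
$weakConfig = @'
ServerRoot "C:/Apache24"
Listen 80
LoadModule status_module modules/mod_status.so
LoadModule rewrite_module modules/mod_rewrite.so
ServerSignature On
Timeout 300
<Directory "C:/Apache24/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
'@

# The same configuration with the weak settings corrected.
$hardenedConfig = @'
ServerRoot "C:/Apache24"
Listen 80
# LoadModule status_module modules/mod_status.so
LoadModule rewrite_module modules/mod_rewrite.so
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Timeout 60
LimitRequestFields 100
<Directory "C:/Apache24/htdocs">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
'@

Test-ApacheHardening -ConfigLines ($weakConfig -split "`r?`n") | ForEach-Object { "WEAK:     $_" }
"HARDENED: $((Test-ApacheHardening -ConfigLines ($hardenedConfig -split "`r?`n")).Count) findings"
# Against a real server: Test-ApacheHardening -ConfigLines (Get-Content C:\Apache24\conf\httpd.conf)
```

The function only sees the lines it is given, so configuration pulled in through Include or IncludeOptional (the conf\extra files in a default Windows install) must be concatenated into the same array, otherwise a TraceEnable or ServerTokens set there is reported as missing. It also does not resolve per-directory overrides in .htaccess files, which is one more reason to keep AllowOverride None as in the corrected sample.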
