Apache on Linux/UNIX gets a lot of love because it's an incredibly powerful web server combination and a cost-effective solution. Apache on Windows often gets overlooked because most companies purchase Windows servers with Internet Information Services (IIS) and choose to make use of that expenditure. But in many cases, Apache makes for a superior web server.
Securing Apache on a Windows machine is a bit different than on the Linux/UNIX platform. This collection of tips will help you secure your Windows Apache MySQL PHP (WAMP) server from the Apache front. These tips don't require you to have expert-level Apache knowledge. However, you'll be editing Apache configuration files manually, so you'll need admin rights to those files.
Hide your server signature
By default, your Apache server will broadcast the server signature, which includes the Apache version number and other possibly sensitive information. In order to stop that signature from appearing, you need to open the httpd.conf file.
Most WAMP servers give you quick access to this through the system tray icon (this is the case with the official WampServer). If you left-click the WAMP system tray icon, select Apache >> httpd.conf (Figure A) to open that file with your default editor. This works for Apache 1.x. If you're using Apache 2.x, the server signature directives are now housed in extra/httpd-default.conf. The full path to this file will be something like C:/wamp/bin/apache/apache2.2.22/conf/extra/httpd-default.conf.
The WAMP system tray controls.
With that file open, you need to search for the string:
If you find it, and it's set to On, you'll need to change that setting to Off. If you do not find it, you'll need to add the following:
By setting ServerTokens to Prod, Apache will set the response headers as simply:
Restart the Apache server (this can be done from the WAMP system tray icon), and your server should no longer be broadcasting sensitive information about itself.
Make sure files outside of the document (web) root are not served
Files outside of the document root should never be viewable/available to the public. To prevent this, you need to tell Apache to allow the viewing of files in the document root, but not allow the viewing of files outside of that. To do this, open the httpd.conf file and create a new directory tag that looks like this:
Deny from all
Allow from all
The above assumes the correct document root for your WAMP server is C:/apache2/htdocs/. If your document root is different, modify the above to reflect the variance.
Also, the above sets all options to none, which means options such as server side includes, CGI execution, directory browsing, and more are not available for your server. To enable those options, you need to know what option you want and the directive used for it. Once you have that information, you can add it into the Options directive like so:
Options -ExecCGI -Includes -Indexes
Reduce timeouts to prevent DoS attacks
An issue you don't want to deal with is denial of service (DoS) attacks on your Windows machine. To fix this you need to change the timeout directive within the httpd-default.conf file from the default of 300 to 60. From within the httpd-default.conf file, look for the following:
and change it to:
Restart the Apache services, and you should be good to go.
Set a MySQL password
By default, most WAMP servers come with MySQL set with no password. That is fine for development, but if you want to use this for a public-facing server, you'll want to set a password. If you're using the WAMP server from WampServer.com, follow these steps:
- Left-click the WAMP icon in the system tray.
- Select MySQL | MySQL console.
- When the console window is open and prompts you for a password, hit Enter.
- From the command line, enter SET PASSWORD FOR root@localhost=PASSWORD('password'); (password is the new password to be set).
- Hit Enter.
If the password change is successful, you should see Query OK. Close the MySQL console window and attempt to open it again. This time, when prompted for a password, enter the new password and you should land at the MySQL prompt (Figure B).
The MySQL console is ready for action.
Your WAMP server is now more secure than it was out of the box. Although many consider WAMP to be best used for development rather than production, if you're careful, you can make use of the WAMP server to serve up sites to the public without worry. Of course, with a machine connected to the network, it is vulnerable, so security best practices must be deployed to help ensure the safety of your data.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.