The Apache Web server provides administrators with an extremely flexible access control system that allows the delegation of access control to those responsible for maintaining individual directories. This is ideal for Web servers run by Internet Service Providers, educational institutions and others with a need to support Web pages maintained by large numbers of users.
This access control system uses files known as .htaccess files stored in each directory of the Web server. These files contain explicit access control entries that either grant or deny access to users or groups of users based upon their IP address, authentication status or other criteria.
While it's true that .htaccess files provide a powerful option for the delegation of security control, it's essential that administrators who don't require that level of delegation disable this functionality. Putting security control of various directories in the hands of numerous people (particularly those unskilled in the art of information security!) represents a tremendous risk to the entire system.
Fortunately, disabling .htaccess files on a global basis is extremely easy. Just use the following statement in your Apache server configuration file:
<Directory />
AllowOverride None
</Directory>
It's important to ensure that your server is configured properly and that this is the only AllowOverride statement. It is permissible to override this general directive and enable .htaccess files for particular directories that require their use. In fact, this is the preferred method of enabling .htaccess when circumstances warrant. Simply set the global AllowOverride setting to None, and then provide a list of exceptions to the general rule.
Think carefully before allowing users to implement .htaccess files on your server. Is it really necessary? Unless each user requesting such access can provide a specific justification, it's safe to err on the side of denying such requests.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.
