A systems administrator is hardening a newly deployed Apache web server on a Linux host. The server's primary function is to serve a simple, static HTML website. A security audit requires minimizing the application's attack surface. Which of the following is the MOST direct application hardening action the administrator should take?
Install and configure a Host Intrusion Detection System (HIDS).
Disable unnecessary Apache modules like mod_userdir, mod_actions, and mod_cgi.
Configure the host firewall to only allow inbound TCP traffic on ports 80 and 443.
Configure the Apache service to run as a dedicated, non-privileged user.
The correct answer is to disable unnecessary Apache modules. Application hardening focuses on securing the application itself. A default Apache installation may enable numerous modules that are not required for a simple static website, and each enabled module increases the application's attack surface by exposing more code to potential vulnerabilities. Disabling unused modules like mod_userdir, mod_actions, and mod_cgi is a direct application hardening measure that reduces this risk.
Configuring the host firewall is an example of OS hardening, as it controls network access at the operating system level, not within the application itself. Configuring the Apache service to run as a non-privileged user is a critical security best practice that implements the principle of least privilege, but it is an OS-level control on the process's permissions rather than a reduction of the application's own feature set. Installing a Host Intrusion Detection System (HIDS) is a detective control for monitoring the host, not a preventative hardening technique for the application's configuration.
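To turn the correct answer into a repeatable audit step, here is an added example (not part of the original question or any Apache project code) that reads `apachectl -M` style output, reports loaded modules that a static site does not need, and prints the matching `a2dismod` commands for review. The module listing is a constructed sample, the "unneeded" list is an assumption that extends the three modules named in the question with mod_cgid (the threaded-MPM counterpart of mod_cgi), and `a2dismod` assumes a Debian/Ubuntu layout.

```shell
#!/bin/sh
# Modules the question treats as unnecessary for a static HTML site, plus cgid
# (the mod_cgi variant used with threaded MPMs). Short names match a2dismod.
UNNEEDED="userdir actions cgi cgid"

# Constructed sample of `apachectl -M` output; on a real host use:
#   apachectl -M 2>/dev/null
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 mpm_event_module (shared)
 dir_module (shared)
 mime_module (shared)
 userdir_module (shared)
 cgi_module (shared)'

# Print, one per line, the short name of every loaded module that is in UNNEEDED.
# Lines look like " userdir_module (shared)"; strip the _module suffix to get "userdir".
find_unneeded_loaded() {
    printf '%s\n' "$1" | awk -v list="$UNNEEDED" '
        BEGIN { n = split(list, arr, " "); for (i = 1; i <= n; i++) want[arr[i]] = 1 }
        /_module \(/ { name = $1; sub(/_module$/, "", name); if (name in want) print name }'
}

# Emit the disable commands an administrator would review before applying.
# Nothing is executed here; after disabling, run `apachectl configtest` and reload.
plan_disable() {
    find_unneeded_loaded "$1" | while read -r m; do
        printf 'a2dismod %s\n' "$m"
    done
}

plan_disable "$SAMPLE_MODULES"
```

On distributions without `a2dismod`, the equivalent change is commenting out the corresponding `LoadModule` lines in the Apache configuration and running `apachectl configtest` before reloading.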