I'm no expert, just thought I'd help with what I know.
According to what I've read, Apache is the most secure server available.
There are user accounts in Mercury, phpMyAdmin, MySQL, etc. that need passwords or deletion (i.e. newuser, pma, test). Check all modules for default accounts and redo passwords in any .htpasswd files you find.
You can protect directories easily by ensuring each has an index.* file or
There is an Options Tag in httpd.conf found under the default path
C:\apachefriends\xampp\apache\conf\httpd.conf
Look for
Options Indexes FollowSymLinks MultiViews Includes ExecCGI
AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler cgi-script .cgi .pl
The Indexes parameter displays the directory when no index file is found.
You will also find the Options directive in the Aliases defined.
Alias /phpmyadmin "C:/apachefriends/xampp/phpmyadmin/"
<Directory "D:/apache/xampp/phpMyAdmin/">
Options Indexes MultiViews ExecCGI
DirectoryIndex index.php
Order allow,deny
Allow from all
</Directory>
For more info, go to
http://httpd.apache.org/docs-2.0/mod/core.html#options
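
A small audit of the Options lines discussed above, as an added example that is not part of the original post: it lists every Options directive in an httpd.conf that leaves Indexes enabled, together with the section it sits in. The sample config is constructed from the lines quoted in the post plus a hypothetical private directory, and find_indexes is a name chosen for this example.

```python
import re

# Constructed sample: the lines quoted in the post plus a hypothetical
# "private" directory that already has listings switched off.
SAMPLE_CONF = '''\
Options Indexes FollowSymLinks MultiViews Includes ExecCGI
Alias /phpmyadmin "C:/apachefriends/xampp/phpmyadmin/"
<Directory "D:/apache/xampp/phpMyAdmin/">
    Options Indexes MultiViews ExecCGI
    DirectoryIndex index.php
</Directory>
<Directory "C:/example/htdocs/private/">
    # Options Indexes
    Options -Indexes +FollowSymLinks
</Directory>
'''

SECTION_OPEN = re.compile(r'^<(\w+)\s*(.*?)\s*>$')
SECTION_CLOSE = re.compile(r'^</\w+>$')

def find_indexes(conf_text):
    """Return (line_no, scope, directive) for each Options line enabling Indexes."""
    findings, scope = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                      # blank lines and comments set nothing
        if SECTION_CLOSE.match(line):
            if scope:
                scope.pop()
            continue
        opened = SECTION_OPEN.match(line)
        if opened:                        # track <Directory>, <IfModule>, ...
            name, arg = opened.group(1), opened.group(2).strip('"')
            scope.append(f'{name} {arg}'.strip())
            continue
        words = line.split()
        if words[0].lower() != 'options':
            continue
        opts = {w.lower() for w in words[1:]}
        # "All" includes Indexes; "-Indexes" removes it and is not flagged.
        if opts & {'indexes', '+indexes', 'all'}:
            findings.append((line_no, ' > '.join(scope) or 'server config', line))
    return findings

if __name__ == '__main__':
    for line_no, where, directive in find_indexes(SAMPLE_CONF):
        print(f'line {line_no} [{where}]: {directive}')
```

To check a real install, pass the contents of the httpd.conf at the path given in the post instead of SAMPLE_CONF.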