The Apache docs recommend dong this to setup a default deny to file locations:
<Directory "/">
Require all denied
</Directory>
Do I do that in httpd.conf or do I add that to each <virtualhost> entry?