Web Server Security Guidelines
January 2, 2011

A web server is a program which listens for HTTP requests on a TCP/IP port (normally either port 80 or port 443) and serves HTML pages in response.
There are several web servers currently in the market. The most popular are:
- Apache
- SunONE
- Internet Information Server (IIS 6/7/8)
- NCSA
Specific methods for securing a web server largely depend on the operating system (OS) and web server software used. Apache can run on the Windows platform, but usually runs on Linux or some other flavor of Unix. IIS runs on the Windows server platforms. SunONE is the sum of sites running iPlanet-Enterprise, Netscape-Enterprise, Netscape-FastTrack, Netscape-Commerce, Netscape-Communications, Netsite-Commerce & Netsite-Communications.
Once a web server is set up, it is an invitation to the world to connect to it, and those users may include potential hackers as well. The attackers may deface the web site, causing embarrassment; they may download confidential information or steal credit card information; or they may use the host as part of a distributed denial-of-service (DDoS) attack on another host.
In a defacement incident, the web manager will at least come to know that the web site has been hacked, but in other cases it may not even be known that the site has been compromised. Hence, the security of a web server is of prime importance.
Before going into the specifics of securing computers and their services, we need to define the policies for how and by whom the Web Server will be used. This includes an acceptable use policy (AUP) for all users and a security policy. This policy is intended to define the rights and responsibilities of both the users and system administrators as well as define who these people are. This is really the first step in the security of any server as it sets out the rules that everyone is to follow. And when the rules are broken, the AUP also defines what happens to those who have broken them.
Planning
The organization should include explicit security requirements when selecting servers. There are many server vendors, and the security capabilities of their products vary accordingly. Many of the known and frequently exploited network server vulnerabilities apply only to certain products and platforms. If one considers security requirements when selecting servers, then it is possible to choose products with fewer vulnerabilities or select better security-related features, which can result in a substantially more secure site. This makes the long-term operation of the web site more economical, because it reduces the costs associated with administration tasks (such as patching systems) as well as the costs caused by intrusions and their effects.
Web servers are tempting targets for intruders for the following reasons:
- Public servers often have publicly known host names and IP addresses.
- Public servers may be deployed outside an organization’s firewall or other perimeter defenses.
- Servers usually actively listen for requests for services on known ports, and they try to process such requests.
Intruders exploit vulnerabilities that arise from operational issues the system administrators have not addressed. Improper configuration or operation of the web server can result in the inadvertent disclosure or alteration of confidential information.
Some of the effects of a web server being compromised are as follows:
- Information assets of the organization are at risk.
- Information about the configuration of the server or network could be exploited for subsequent attacks.
- Information about who requested which documents from the server becomes known.
- Sensitive customer or user information is at risk.
- The intruder may change the information stored on the web server host machine, particularly the information intended for publication.
- The intruder may execute unauthorized commands or programs on the server host machine, including ones that the intruder has installed.
- The intruder may gain unauthorized access to resources elsewhere in the organization’s computer network.
- The intruder may launch attacks on external sites from the server host machine, thus concealing the intruder’s identity and perhaps making the organization liable for damages.
- Users can be prevented from accessing the web site if all of its resources are consumed by a denial-of-service attack.
It is therefore essential to secure a Web Server through the following steps:
- Installing a Secure Server
- Configuring Web Server Software and the underlying Web Server host operating system
- Maintaining the Web Server’s Integrity
Installation & Configuration
It is recommended that a web server deployment plan be developed. It should take into consideration security issues related to the network architecture and the location of the web servers. The deployment plan also involves the following practices for increased security:
a. Determining how the web server will be connected to the network.
b. Identifying the security concerns related to day-to-day administration of the server.
c. Identifying the services offered by the server.
d. Identifying the network services that will be provided on the server.
e. Identifying the users or categories of users of the web server.
f. Deciding how users will be authenticated and how authentication data will be protected.
g. Developing intrusion detection strategies for the server.
h. Documenting procedures for backup and recovery of information resources stored on the server.
i. Determining how network services will be maintained or restored after various kinds of faults.
The practices that should be adopted by the organization for installing and configuring a web server are as follows:
Isolate the Web server from public networks and the organization’s internal networks.
Care must be taken when placing a public web server on an organization’s network. It is highly recommended that the server be placed on a separate, protected subnetwork. This ensures that traffic between the Internet and the server does not traverse any part of the private internal network and that no internal network traffic is visible to the server. To accomplish this, the following steps may be taken:
- Place the web server on a subnet isolated from both the public and the internal network.
- Use firewall technology to restrict traffic between the public network and the web server, and between the web server and the internal network.
- Place the servers providing email, directory and database services in support of the web site on a protected subnetwork.
- Disable all source routing functions in the firewalls and routers protecting the public web server.
- Disable IP forwarding and source routing on the web server and on the server hosts that provide supporting services.
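As an added example (not part of the original guideline), the following POSIX shell script audits the host-side settings just listed on a Linux web server and writes them out as a sysctl fragment. The key list is the example’s own choice; reading values from the /proc/sys tree and loading a fragment with sysctl -p are standard Linux, and the audit takes the tree root as a parameter so a copy of the values can be checked without privileges.

```sh
#!/bin/sh
# Audit of the host network settings the guideline calls for on a web server
# (no IP forwarding, no acceptance of source-routed packets). Added example,
# not from the original page; the key list is an assumption of the example.
# Values are read from the /proc/sys tree; its root is a parameter so a
# constructed copy can be checked without privileges.

HARDENED_SYSCTL='
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
'

# audit_sysctl [ROOT]
# One line per key: "ok ...", "FAIL key current=... wanted=...", or
# "MISSING key" when the kernel does not expose it. Returns 1 if any key
# FAILs, else 0.
audit_sysctl() {
    root="${1:-/proc/sys}"
    rc=0
    for pair in $HARDENED_SYSCTL; do
        key="${pair%%=*}"
        want="${pair#*=}"
        # net.ipv4.ip_forward lives at ROOT/net/ipv4/ip_forward
        file="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$file" ]; then
            echo "MISSING $key"
            continue
        fi
        cur="$(tr -d '[:space:]' < "$file")"
        if [ "$cur" = "$want" ]; then
            echo "ok $key=$cur"
        else
            echo "FAIL $key current=$cur wanted=$want"
            rc=1
        fi
    done
    return $rc
}

# write_sysctl_fragment OUTFILE
# Emits the same settings in sysctl.conf(5) syntax so they persist across
# reboots; load with "sysctl -p OUTFILE" as root, e.g. from /etc/sysctl.d/.
write_sysctl_fragment() {
    {
        echo "# web server host: no forwarding, no source routing (added example)"
        for pair in $HARDENED_SYSCTL; do
            echo "${pair%%=*} = ${pair#*=}"
        done
    } > "$1"
}

# Run the live audit only when asked, so the file can also be sourced:
#   sh sysctl_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_sysctl
fi
```

Run with --audit on the web server host itself and on the supporting hosts (mail, directory, database) named above; a FAIL line on any of them means the host would still forward or accept source-routed traffic.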
Configure the Web server with appropriate object, device, and file access controls. This is necessary for the following reasons:
- To limit access to the Web server software
- To apply access controls specific to the Web server where more detailed levels of access control are required
To configure this, the following steps may be taken:
- The web server should be configured to execute under a unique individual user and group identity. This is important for implementing access controls on various files, viz. server log files, system software and configuration files, password files, etc.
- The protection needed for the various files, devices and objects specific to the web server should be identified.
- Time-outs and other controls to mitigate the effects of DoS attacks should be configured.
- Automatic directory listings (the web server’s own file listings) should be disabled.
Identify and enable Web-server-specific logging mechanisms.
Web server logs are needed to:
- Alert about suspicious activity that requires further investigation
- Determine the extent of an intruder’s activity
- Help to recover the systems
- Help to conduct an investigation
- Provide information required for legal proceedings
This can be accomplished by:
- Identifying the web server software information to be logged, viz. transfer log, error log, agent log, referer log, etc.
- Providing logging, where required, for the performance of the various programs, scripts, and plug-ins supported by the web server.
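An added example, not part of the original guideline, of the kind of review the transfer log supports: an awk scan over Apache combined-format access log lines that flags directory-traversal strings in requested paths, failed requests into the script directory, and clients that accumulate many error responses. The sample log is constructed for the example (documentation IP ranges only), and the error threshold is an assumption.

```sh
#!/bin/sh
# Review of Apache combined-format access log lines for activity the
# transfer log should surface. Added example, not from the original page;
# the sample log and the thresholds are constructed for it.

# write_sample_log FILE: a constructed log with one normal visitor and one
# client probing for traversal and script files (documentation IPs only).
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [02/Jan/2011:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Jan/2011:10:15:03 +0000] "GET /images/logo.png HTTP/1.1" 200 4100 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2011:10:16:10 +0000] "GET /docs/../../../secret.txt HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [02/Jan/2011:10:16:11 +0000] "GET /cgi-bin/admin.cgi HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [02/Jan/2011:10:16:12 +0000] "GET /cgi-bin/upload.cgi HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [02/Jan/2011:10:16:13 +0000] "GET /static/..%2F..%2Fprivate HTTP/1.0" 400 226 "-" "-"
198.51.100.7 - - [02/Jan/2011:10:16:14 +0000] "GET /nonexistent HTTP/1.0" 404 209 "-" "-"
EOF
}

# scan_access_log FILE [ERROR_THRESHOLD]
# Prints one ALERT line per finding and returns 1 if there were any, else 0:
#   traversal    - "../" or its URL-encoded forms in the requested path
#   script-probe - a 4xx response to a request under /cgi-bin/
#   error-burst  - a client with at least ERROR_THRESHOLD 4xx/5xx responses
scan_access_log() {
    awk -v thr="${2:-10}" '
    {
        client = $1
        # The request line is the first double-quoted field; the status code
        # is the first token after it. (A quote inside the URL would skew this.)
        n = split($0, q, "\"")
        if (n < 3) next
        split(q[2], r, " ")
        path = r[2]
        split(q[3], s, " ")
        status = s[1]
        lp = tolower(path)

        if (index(lp, "../") || index(lp, "%2e%2e") || index(lp, "..%2f") || index(lp, "..%5c")) {
            printf "ALERT traversal %s %s\n", client, path
            found = 1
        }
        if (lp ~ /^\/cgi-bin\// && status ~ /^4/) {
            printf "ALERT script-probe %s %s status=%s\n", client, path, status
            found = 1
        }
        if (status ~ /^[45]/) errors[client]++
    }
    END {
        for (c in errors)
            if (errors[c] >= thr) {
                printf "ALERT error-burst %s %d responses with 4xx/5xx\n", c, errors[c]
                found = 1
            }
        exit (found ? 1 : 0)
    }' "$1"
}
```

Run over the rotated log of the previous hour or day; the non-zero exit status makes it easy to drive an alert from cron, and the per-client error count is the piece a plain grep for "404" misses.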
Consider security implications before selecting programs, scripts, and plug-ins for the Web server. To avoid introducing vulnerabilities, the following steps may be undertaken:
- Programs, scripts and plug-ins should be selected from a trustworthy source.
- The functionality that the external programs provide should be well understood.
Configure the Web server to minimize the functionality of programs, scripts, and plug-ins. Security vulnerabilities can easily be introduced in the acquisition, installation, configuration, deployment, and operation of external programs (programs, scripts, and plug-ins). To accomplish this, the following steps may be taken:
- Verify that the acquired copy of the external program is authentic.
- Test the acquired external program before putting it on the public web server.
- Use security tools to check the acquired programs for vulnerabilities.
- Disable or restrict Server Side Include functionality.
- Disable the execution of external programs present on the web server that are not essential. Such programs may be present in the default web server configuration; locate them and disable them if they are not needed.
- Configure the web server host operating system and the web server software access controls to restrict access to external programs.
Configure the Web server to use authentication and encryption technologies, where required.
Without strong user authentication, one cannot restrict access to specific information to authorized users. Before placing any sensitive or restricted (i.e. not for public consumption) information on a public Web server, one needs to determine the specific security and protection requirements and confirm that the available technologies, like SSL (Secure Sockets Layer), S/HTTP (Secure Hypertext Transport Protocol), and SET (Secure Electronic Transaction), can meet these requirements.
Install security tools like Whisker, ISS Internet Scanner, Nikto (a more comprehensive web scanner), and SPIKE Proxy (an open source HTTP proxy for finding security flaws in web sites). These tools help in finding flaws in the web site as well as in the web server.
Operations & Maintenance
Maintain an authoritative copy of the Web site content on a secure host. The authoritative (i.e., verified, correct, trusted) copy of the public Web site content needs to be stored on a host that is separate from (and more secure than) the public Web server. The more secure host should preferably be on the internal network of the organization and protected behind one or more firewalls.
Protect the Web server against common attacks. To accomplish this, the following actions are essential:
- Install security tools like IDS, integrity checkers, and blocking and filtering tools.
- Update the installed detection tools to detect new attack patterns or events.
- Reduce attacks by updating firewall filtering mechanisms to deny new attacks.
- Temporarily disable specific services that might be vulnerable to attack.
- Use secure methods for restoration.
The best practices for the operation of a web server can be summarized as below:
- Place the web server(s) in a DMZ. Set the firewall to drop connections to the web server on all ports but HTTP (port 80) or HTTPS (port 443).
- Limit the number of persons having administrator or root level access. Keep a record of the persons allowed such access.
- Log all user activity and maintain those logs either in an encrypted form on the web server or store them on a separate machine on the Intranet of the organization.
- Monitor system logs regularly for any suspicious activity. Install trap macros to watch for attacks on the server: create macros that run every hour or so and check the integrity of passwd and other critical files. When the macros detect a change, they should send e-mail to the system manager.
- Remove ALL unnecessary files from the scripts directory (for example /cgi-bin on Unix).
- Remove the “default” document trees that are shipped with Web servers.
- Apply all relevant security patches as soon as they are announced.
- If the machine must be administered remotely, require that a secure capability such as secure shell is used to make a secure connection. Do not allow telnet or non-anonymous ftp (those requiring a username and password) connections to this machine from any untrusted site. It would also be good to limit these connections only to a minimum number of secure machines and have those machines reside within the Intranet of the organization.
- Run the web server in a safe part of the directory tree so it cannot access the real system files.
- Run the anonymous FTP server in a safe part of the directory tree that is different from the web server’s tree.
- Do all updates from the Intranet. Maintain the web page originals on a server on the Intranet and make all changes and updates here; then “push” these updates to the public server through an SSL connection. If this is done on an hourly basis, this practice will help avoid having a corrupted server exposed for a long period of time.
- Scan the web server periodically with tools to look for vulnerabilities.
- Have intrusion detection software monitor the connections to the server. Set the detector to alarm on known exploits and suspicious activities and to capture these sessions for review. This information can help recover from an intrusion and strengthen the defenses.
Incident Handling
A web server administrator should take the following steps after discovering a successful compromise:
- Isolate the compromised system(s) or take steps to contain the attack so that additional evidence can be collected
- Consult, as appropriate, with management, legal counsel, and law enforcement expeditiously and consult the organization’s security policy.
- Investigate “similar” hosts to determine if the attacker also has compromised other systems
- Analyze the intrusion, including:
  - Modifications made to the system’s software and configuration
  - Modifications made to the data
  - Tools or data left behind by the intruder
- Review system logs, intrusion detection, and firewall log files.
- Restore the system:
  - Install a clean version of the operating system, or restore from backups
  - Disable unnecessary services
  - Apply all patches
  - Change all passwords (even on uncompromised hosts, as required)
  - Reconfigure network security elements (firewall, router, IDS) to provide additional protection and notification
- Test the system to ensure security
- Reconnect the system to the network
- Monitor the system and network for signs that the attacker is attempting to access the system or network again.
- Report the incident to CERT-In.
- Document lessons learned.
www.bestitdocuments.com