CertiGuide to Security+ > Chapter 3: Infrastructure Security (Domain 3.0; 20%) > 3.5 Security Baselines > 3.5.3 Application Hardening

3.5.3.2  Web Servers
(Page 2 of 4)

Hardening Web Server Software



The first thing to do is to make sure you are running with the latest security patches. Check your vendor's site and the popular security sites for details. It can seem as though the popular web servers have regularly scheduled "bugs of the week": buffer overflows, privilege-escalation flaws and the like.

Second, configure the web server securely.

IIS/Apache Web Hardening

For the Windows platform, Microsoft provides two tools specifically aimed at increasing IIS security. The IIS Lockdown Wizard provides templates for the major IIS-dependent Microsoft products, turning off the features each of those products does not need. The URLScan tool inspects every incoming request before IIS processes it and filters requests according to rules set by the administrator (for example, which HTTP verbs and which file extensions are permitted).361 This can help you block known attacks that have been reported but for which a patch is not yet available. A summary of common IIS vulnerabilities can be found in Hacking Exposed: Windows 2000362 by Scambray and McClure.
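To make the filtering idea concrete, here is a small request filter in the spirit of URLScan's rules. It is an added example, not Microsoft's URLScan and not code from this guide: the allowed verbs and denied extensions are illustrative assumptions, and the sample request lines are constructed to show the request shapes such rules exist to stop (disallowed verbs, double-encoded and parent-directory paths, high-bit characters, and executable extensions anywhere in the path).

```python
"""Request filter in the spirit of URLScan: deny by verb, extension and URL shape.

Added example; this is not Microsoft's URLScan, and the rule values below are
illustrative assumptions rather than a copy of any shipped configuration.
"""
from urllib.parse import unquote
import posixpath

# Constructed policy. URLScan's ini exposes the same ideas ([AllowVerbs],
# [DenyExtensions], VerifyNormalization, AllowHighBitCharacters, AllowDotInPath).
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
DENIED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".dll", ".ida", ".idq", ".htr", ".printer"}


def check_request(method: str, raw_target: str):
    """Return (allowed, reason) for one request line, before the server sees it."""
    if method.upper() not in ALLOWED_VERBS:
        return False, "verb not allowed: " + method
    path = raw_target.split("?", 1)[0]               # the query string is not part of the path check
    decoded = unquote(path)
    if unquote(decoded) != decoded:                   # a second decode changed it: double encoding
        return False, "double-encoded URL"
    if any(ord(c) > 127 for c in decoded):            # high-bit bytes can hide alternate separators
        return False, "high-bit characters in URL"
    segments = decoded.replace("\\", "/").split("/")  # IIS treats backslash as a separator too
    if ".." in segments:
        return False, "parent-directory reference in URL"
    for seg in segments:                              # check every segment, so /x.exe/c+dir is caught
        ext = posixpath.splitext(seg)[1].lower()
        if ext in DENIED_EXTENSIONS:
            return False, "denied extension: " + ext
    return True, "ok"


# Constructed request lines, including the shapes the rules above exist to stop.
SAMPLE_REQUESTS = [
    ("GET", "/index.html"),
    ("POST", "/cgi-bin/form.asp?id=7"),
    ("TRACE", "/index.html"),
    ("GET", "/scripts/..%5c../winnt/system32/cmd.exe?/c+dir"),
    ("GET", "/scripts/..%255c..%255cwinnt/system32/cmd.exe"),
    ("GET", "/upload/shell.exe"),
    ("GET", "/scripts/root.exe/c+dir"),
    ("GET", "/%c1%9c/index.html"),
]


def filter_samples():
    """Apply the policy to SAMPLE_REQUESTS; returns {request line: (allowed, reason)}."""
    return {f"{m} {t}": check_request(m, t) for m, t in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for line, (ok, why) in filter_samples().items():
        print(("ALLOW " if ok else "DENY  ") + line + ("" if ok else "  (" + why + ")"))
```

The order of the checks matters: double encoding is rejected before anything is interpreted, so a `%255c` that would only become a backslash on a second decode never reaches the traversal or extension rules, which is the same reason a filter of this kind has to run ahead of the server's own URL handling.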

For Apache, see Maximum Apache Security363 by Anonymous, which covers using OpenSSL with Apache, setting up access control, URL mapping, log management, security-relevant configuration parameters, and so on. The book covers the recently released Apache 2.0 as well as Apache 1.3.

More information about securing the Apache web server (as well as some amusing tales about grey-hatting Berkeley UNIX back when it was still under active development) can be found in Real World Linux Security by Bob Toxen.364 Information about using the mod_ssl extension to Apache can be found in Maximum Apache Security, mentioned above. Setting up restrictions based on user authentication, as well as more about SSL and Apache, is covered in Linux Apache Web Server Administration365 by Aulds.


Some general guidelines for securing web servers include the following:

  • Don't use the web server for anything but web serving.

  • Don't run the web server as SYSTEM, root or any other administrative account.

  • Remove any demo or "cute" applications; these only provide places for latent bugs to hide, and when such bugs are found, attackers will exploit them.

  • Watch for client packages like FrontPage that install scripts or server extensions on the server (see third-party apps, below).

  • Disable (or don't install) any server features you don't need.

  • Disable automatic listing of files in directories that do not contain a default HTML page (listings reveal the other files on your system and can be a security risk).

  • Check the file permissions of items in the web server's directories regularly.

  • Avoid making system directories such as \WINDOWS or /etc accessible via the web server (or the FTP server, or any other service).

  • Don't let your users install random CGI scripts or programs; it may be possible to abuse them to do unintended, malicious things.

  • Along the same lines, inspect any scripts downloaded from the net carefully before installing them.
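As an added example (not code from this guide or from the Apache project), the following script checks an httpd.conf fragment for the weak settings in the checklist above: a privileged User/Group, Options that enable directory listing or CGI execution in content directories, AllowOverride settings that let .htaccess files re-enable them, and Alias/ScriptAlias/DocumentRoot entries that map a system directory. The two configuration fragments, the set of privileged account names and the set of system directories are constructed for the demonstration; the checker is line-oriented and handles only these directives.

```python
"""Lint an Apache httpd.conf fragment for the weak settings the checklist warns about.

Added example, not code from the CertiGuide page or the Apache project. Line-oriented
check of a few directives (User/Group, Options, AllowOverride, Alias/ScriptAlias/
DocumentRoot); not a full Apache configuration parser.
"""
import re
import shlex

# Assumptions: account names that mean "administrative", and paths that count as system directories.
PRIVILEGED_ACCOUNTS = {"root", "system", "administrator"}
SYSTEM_DIRS = ("/etc", "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/boot", "c:/windows", "c:/winnt")

DIRECTORY_OPEN = re.compile(r'<directory\s+"?([^">]+)"?\s*>', re.IGNORECASE)


def _under_system_dir(fs_path):
    p = fs_path.replace("\\", "/").rstrip("/").lower()
    return any(p == d or p.startswith(d + "/") for d in SYSTEM_DIRS)


def lint_httpd_conf(text):
    """Return [(line_number, message)] for every weak directive found, in file order."""
    findings = []
    context = "(server config)"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = DIRECTORY_OPEN.match(line)
        if opened:                                    # remember which <Directory> we are in
            context = opened.group(1)
            continue
        if line.lower().startswith("</directory"):
            context = "(server config)"
            continue
        try:
            parts = shlex.split(line)
        except ValueError:                            # unbalanced quotes: not our concern here
            continue
        directive, args = parts[0].lower(), parts[1:]
        if directive in ("user", "group") and args and args[0].lower() in PRIVILEGED_ACCOUNTS:
            findings.append((lineno, f"{parts[0]} {args[0]}: server runs with administrative privileges"))
        elif directive == "options":
            opts = {a.lower() for a in args}          # "-Indexes" is fine; "Indexes", "+Indexes", "All" are not
            if opts & {"indexes", "+indexes", "all"}:
                findings.append((lineno, f"Options Indexes in {context}: directory listing enabled"))
            if opts & {"execcgi", "+execcgi", "all"}:
                findings.append((lineno, f"Options ExecCGI in {context}: CGI runs from a content directory"))
        elif directive == "allowoverride" and args and args[0].lower() != "none":
            findings.append((lineno, f"AllowOverride {args[0]} in {context}: .htaccess can re-enable Indexes/ExecCGI"))
        elif directive in ("alias", "scriptalias", "documentroot") and args and _under_system_dir(args[-1]):
            findings.append((lineno, f"{parts[0]} exposes {args[-1]}: system directory reachable via the web server"))
    return findings


# Constructed fragments: the weak configuration and its hardened counterpart.
WEAK_CONF = """\
ServerRoot "/usr/local/apache2"
User root
Group root
DocumentRoot "/var/www/htdocs"
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
</Directory>
Alias /etc/ "/etc/"
UserDir public_html
<Directory "/home/*/public_html">
    Options Indexes ExecCGI
</Directory>
"""

HARDENED_CONF = """\
User www
Group www
DocumentRoot "/var/www/htdocs"
<Directory "/var/www/htdocs">
    Options -Indexes -ExecCGI
    AllowOverride None
</Directory>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        found = lint_httpd_conf(conf)
        print(f"{label}: {len(found)} finding(s)")
        for lineno, msg in found:
            print(f"  line {lineno}: {msg}")
```

The hardened fragment keeps CGI only under a ScriptAlias directory, which is why it needs no ExecCGI anywhere; a check like this is cheap to run from a deployment script so that the settings cannot silently drift back.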

Reducing Web Exposure

To reduce the vulnerability of your web server to attack, make sure the OS and web server software are updated with the latest security patches, do not run any additional services on the web server, remove any scripts and pages you are not actively using, and lock down directory permissions so that unauthorized files can be neither uploaded nor retrieved.
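The permission and directory checks above can be scripted. The following is an added example, not code from this guide: it walks a document root without following symlinks and reports world-writable files and directories, symlinks that resolve outside the root (the /etc case), directories with no default page (which a server with directory listing enabled would index), and well-known sample scripts that should have been removed; a second function clears the other-write bit on what was flagged. POSIX permissions are assumed, the sample tree is constructed for the demonstration, and the set of sample-script names is an assumption to extend from your own install media.

```python
"""Audit a web root for the filesystem problems the hardening checklist calls out.

Added example (not code from the CertiGuide page). POSIX permissions are assumed;
the sample tree built below is constructed for the demonstration.
"""
import os
import stat
import tempfile

DEFAULT_PAGES = {"index.html", "index.htm", "default.htm", "default.asp"}
# Assumption: names of sample/demo content that shipped with older Apache and IIS installs.
SAMPLE_NAMES = {"test-cgi", "printenv", "iissamples", "iishelp", "msadc", "printers"}
NO_DEFAULT_PAGE = "no default page (listable if Indexes is on)"


def _outside(path, root):
    real = os.path.realpath(path)
    return not (real == root or real.startswith(root + os.sep))


def audit_docroot(root):
    """Walk root without following links; return sorted (relative_path, issue) pairs."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):      # followlinks=False by default
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower() in SAMPLE_NAMES:
                findings.append((rel, "sample/demo content"))
            if os.path.islink(full):
                if _outside(full, root):
                    findings.append((rel, "symlink leaves document root"))
                continue                                      # never chmod-check or descend through links
            st = os.lstat(full)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if stat.S_ISDIR(st.st_mode) and not DEFAULT_PAGES & {e.lower() for e in os.listdir(full)}:
                findings.append((rel, NO_DEFAULT_PAGE))
    return sorted(findings)


def strip_world_write(root):
    """Remediate: clear the other-write bit on everything the audit flags; return how many."""
    root = os.path.realpath(root)
    fixed = 0
    for rel, issue in audit_docroot(root):
        if issue == "world-writable":
            full = os.path.join(root, rel)
            os.chmod(full, stat.S_IMODE(os.lstat(full).st_mode) & ~stat.S_IWOTH)
            fixed += 1
    return fixed


def _write(path, text, mode):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)                                      # explicit, so umask does not matter


def build_sample_docroot():
    """Constructed tree: one clean page plus each problem the audit looks for."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "htdocs")
    outside = os.path.join(base, "outside")                   # stands in for /etc
    os.makedirs(root)
    os.makedirs(outside)
    _write(os.path.join(outside, "secret.conf"), "dbpass=example\n", 0o600)
    _write(os.path.join(root, "index.html"), "<h1>ok</h1>\n", 0o644)
    uploads = os.path.join(root, "uploads")                   # world-writable, no index page
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)
    _write(os.path.join(uploads, "notes.txt"), "x\n", 0o666)
    cgi = os.path.join(root, "cgi-bin")                       # leftover sample script
    os.mkdir(cgi)
    os.chmod(cgi, 0o755)
    _write(os.path.join(cgi, "test-cgi"), "#!/bin/sh\necho hi\n", 0o755)
    os.symlink(outside, os.path.join(root, "conf"))           # link escaping the docroot
    return root


if __name__ == "__main__":
    sample = build_sample_docroot()
    for rel, issue in audit_docroot(sample):
        print(f"{rel}: {issue}")
    print(f"cleared other-write on {strip_world_write(sample)} entries")
```

Running the audit from cron and diffing its output against the last run turns the "check permissions regularly" bullet into something that actually happens; the remediation step is kept separate so a first run can be reviewed before anything is changed.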



 __________________

361. Peikari, Cyrus and Seth Fogie, Windows .NET Server Security Handbook, Prentice-Hall, April, 2002, http://www.nerdbooks.com/item.html?id=0130477265

362. Scambray, Joel and Stuart McClure, Hacking Exposed: Windows 2000, McGraw-Hill, September, 2001, http://www.nerdbooks.com/item.html?id=0072192623

363. Anonymous, Maximum Apache Security, Sams, May, 2002, http://www.nerdbooks.com/item.html?id=067232380X

364. Toxen, Bob, Real World Linux Security, Prentice-Hall, November, 2000, http://www.nerdbooks.com/item.html?id=0130281875

365. Aulds, Charles, Linux Apache Web Server Administration, Sybex, September, 2002, http://www.nerdbooks.com/item.html?id=0782141374





CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.