CertiGuide to Security+
Chapter 3:  Infrastructure Security (Domain 3.0; 20%)
3.5  Security Baselines
3.5.3  Application Hardening

3.5.3.2  Web Servers
(Page 3 of 4)

Hardening Third-Party Server Applications

In order to harden the applications on your web server, you first need to find out what third-party applications and tools are installed on it. These may be a mix of end-user applications, such as CRM packages, and programming environments like Java or Perl. If your developers were given free rein over the server in order to roll out an application in a timely fashion, ask them what they installed in addition to their own code. Otherwise, you probably already have some idea of which run-time environments, such as a Java application server, were installed on your web server.

After you have made that list, take a long, hard look at it. Do you REALLY need ALL of these applications? Each additional application is another potential point of vulnerability. In particular, if you’re running a database and storing sensitive data on your web server (or anywhere on the same side of your firewall as your web server), strongly consider moving the database to another machine. Your web server is a security compromise waiting to happen. You want to take all possible steps to minimize not just the chances of a break-in, but also the loss the company incurs if one does occur. It’s bad enough for a web server to get “rooted”. It’s worse for the attacker to make off with a list of 20,000 credit card numbers because he had access to the database stored on the same server.

Once you know the applications you MUST have on the server, check the vendor’s web site and security sites for information about current vulnerabilities and take the recommended steps. Also double-check any configurations with security in mind.
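The three steps above (inventory what is listening, compare it with what the server must run, and single out data stores that belong on another machine) lend themselves to a small review script. The following is an added example, not part of the CertiGuide text: it parses the format of Linux `ss -tlnp` output, using a constructed sample rather than a capture from a real host, and the approved-service list and data-store process names are assumptions chosen for illustration.

```python
"""Review the listening services on a web server against an approved list.

Added example. SAMPLE_SS_OUTPUT is constructed sample data in the layout of
`ss -tlnp`; APPROVED and DATA_STORES are assumed values for this illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample output (not from a real host). Columns as printed by ss:
# State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=812,fd=6))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=812,fd=7))
LISTEN 0      100    127.0.0.1:8080     0.0.0.0:*         users:(("java",pid=1203,fd=45))
LISTEN 0      128    0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=1410,fd=21))
LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=1502,fd=6))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=640,fd=3))
"""

# Assumed allowlist: the processes this web server is documented as needing.
APPROVED = {"nginx", "java", "sshd"}

# Assumed set of process names that indicate a data store on the web tier.
DATA_STORES = {"mysqld", "postgres", "redis-server", "mongod"}

# Addresses that only accept connections from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    process: str
    address: str
    port: int


def parse_ss(output: str) -> list[Listener]:
    """Extract (process, bind address, port) from each LISTEN line of ss -tlnp."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:  # header and non-matching lines are skipped
            listeners.append(Listener(m["proc"], m["addr"], int(m["port"])))
    return listeners


def review(listeners, approved=APPROVED, data_stores=DATA_STORES) -> dict[str, list[str]]:
    """Classify listeners into the findings a hardening review cares about.

    unapproved:            listening processes not on the documented allowlist
    colocated_data_store:  a database/cache running on the web server at all
    exposed_data_store:    a data store bound beyond loopback, reachable remotely
    """
    findings = {"unapproved": [], "colocated_data_store": [], "exposed_data_store": []}
    for lst in listeners:
        label = f"{lst.process}:{lst.port}"
        if lst.process not in approved:
            findings["unapproved"].append(label)
        if lst.process in data_stores:
            findings["colocated_data_store"].append(label)
            if lst.address not in LOOPBACK:
                findings["exposed_data_store"].append(label)
    return findings


if __name__ == "__main__":
    for category, items in review(parse_ss(SAMPLE_SS_OUTPUT)).items():
        print(f"{category}: {', '.join(items) or 'none'}")
```

On a real host the sample text would be replaced with the output of `ss -tlnp` (run with sufficient privilege to see process names), and the allowlist would come from the server's build documentation. The two data-store findings map to the guide's advice: anything in `colocated_data_store` is a candidate for moving to its own machine, and `exposed_data_store` marks the worst case, where the database also accepts connections from the network.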

Third Party Hardening

Information about securely programming and configuring these third-party applications is not quite as easy to find as is information about web servers themselves – in part because the audience for these is smaller than is the audience for the major web servers. However, here are some sources that might help get you started (be warned, they’re mostly programmers’ books):

1. More Servlets and Java Server Pages (366) by Hall, which covers the use of different kinds of authentication, role-based security and the configuration of the Tomcat open source JSP server.

2. BEA WebLogic Server Bible (367) by Zuffoletto, which covers programming for security in that environment, logging, setting up clustering for redundancy, and an intro to security concepts interesting to someone maintaining a web server.

3. Other books are available which include coverage of security topics for platforms like Cold Fusion and other commonly used web application environments.

__________________

366. Hall, Marty, More Servlets and Java Server Pages, Prentice-Hall, December, 2001, http://www.nerdbooks.com/item.html?id=0130676144

367. Zuffoletto, Joe, BEA WebLogic Server Bible, Hungry Minds, February, 2002, http://www.nerdbooks.com/item.html?id=0764548549

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.