| Like what you see? Get it in one document for easy printing! |
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31) |
|
| Test yourself better with 300 extra Security+ questions! |
| Get It Here! |
|
|
3.6 Summary
(Page 7 of 10)
Hardening Web Servers
Web servers are frequently business-critical
for both internal use, and for allowing customers and business partners
access to some company resources (to allow them to order, check status,
share information, etc.) They generally use port 80 (for HTTP) and
port 443 (for SSL, or HTTP/S). No matter whose web server software,
and what version of it, you use, you are likely vulnerable now, or will
be vulnerable in the future, to a web-server-based exploit, so stay
on top of updates to the web server software. Some steps you may want
to take when hardening a web server include:
- Ensure that the web server is not running any
additional services it does not require, such as FTP (if you don’t
use it), databases (which should be on a different machine), etc.
- Follow vendor-provided and user-community provided
guidelines for securely configuring the web server (specific to each
type of server).
- Remove any sample scripts and pages provided
by the vendor that you are not using, and for that matter, any other
scripts and pages you might have installed that you are no longer using
(each is a potential vulnerability, and vendor-provided scripts have
OFTEN been the source of exploits).
- Harden any third-party products you’re using
like java server engines, Cold Fusion engines, etc., by referring to
vendor-provided and user-community-provided guidelines for securing
those products.
- Follow secure coding principles for software
developed in-house or by consultants, to reduce vulnerability to attacks
like buffer overflows and SQL injection (users embedding malicious code
into form data used to update or query databases).
Consider employing a web-server-specific
scanner to probe your server for known exploits, to help ensure that
you have locked it down as well as possible.
Hardening Email Servers
Email servers are another tool critical
for internal and external communication. For sending and receiving
email between other servers, and receiving email from clients, they
employ TCP port 25 (SMTP). For allowing clients to check their email
boxes and retrieve email for reading on their PC’s, email servers
use either port 110 (POP3) or port 143 (IMAP), or both. For a client
behind your firewall to retrieve email from an Internet-based mail server,
you must open outbound port 110 or 143 on your firewall. For a client
outside your firewall to retrieve email from an internal server on your
network, you must open inbound port 110 or 143 on your firewall. Like
web servers and other common servers, email server software is a known
source of many vulnerabilities; few email servers have never fallen
victim to a security bug, so keep up to date on vulnerability notices
and patches. Make sure that you have closed any “open relays”
in your organization.
| If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support! |
|
|
Home -
Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.
|
