Guidelines on Securing Public Web Servers

Total pages: 16

File type: PDF, size: 1020 KB

Archived NIST Technical Series Publication

The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).

Archived Publication
Series/Number: NIST Special Publication 800-44
Title: Guidelines on Securing Public Web Servers
Publication Date(s): October 2002
Withdrawal Date: September 2007
Withdrawal Note: SP 800-44 is superseded in its entirety by the publication of SP 800-44 Version 2 (September 2007).

Superseding Publication(s)
The attached publication has been superseded by the following publication(s):
Series/Number: NIST Special Publication 800-44 Version 2
Title: Guidelines on Securing Public Web Servers
Author(s): Miles Tracy, Wayne Jansen, Karen Scarfone, Theodore Winograd
Publication Date(s): September 2007
URL/DOI: http://dx.doi.org/10.6028/NIST.SP.800-44ver2

Additional Information (if applicable)
Contact: Computer Security Division (Information Technology Lab)
Latest revision of the attached publication: SP 800-44 Version 2 (as of June 19, 2015)
Related information: http://csrc.nist.gov/
Withdrawal announcement (link): N/A
Date updated: June 23, 2015

Special Publication 800-44
Guidelines on Securing Public Web Servers
Recommendations of the National Institute of Standards and Technology
Miles Tracy, Wayne Jansen, and Mark McLarnon

COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
September 2002

U.S. Department of Commerce
Donald L. Evans, Secretary
Technology Administration
Phillip J. Bond, Under Secretary for Technology
National Institute of Standards and Technology
Arden L. Bement, Jr., Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-44
Natl. Inst. Stand. Technol. Spec. Publ. 800-44, xx pages (Mon. 2002)
CODEN: XXXXX

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

U.S. GOVERNMENT PRINTING OFFICE, WASHINGTON: 2002
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: (202) 512-1800
Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

Acknowledgements

The authors, Wayne Jansen from NIST and Miles Tracy and Mark McLarnon from Booz Allen, wish to express their thanks to colleagues at both organizations who reviewed drafts of this document.
In particular, their appreciation goes to John Wack, Murugiah Souppaya, and Tim Grance from NIST, and Steve Allison, Scott Bisker, Alexis Feringa, Kevin Kuhlkin, and Jonathan Holleran of Booz Allen, for their research, technical support, and written contributions to this document. The authors would also like to express their thanks to all those who contributed input during the public comment period and who assisted with our internal review process.

Table of Contents

Executive Summary
1. Introduction
  1.1 Authority
  1.2 Purpose and Scope
  1.3 Audience and Assumptions
  1.4 Document Structure
2. Web Server Security Problems and Overview
  2.1 General Information System Security Principles
3. Planning and Management of Web Servers
  3.1 Planning for a Web Server Deployment
  3.2 Security Management Staff
  3.3 Management Practices
  3.4 System Security Plan
  3.5 Human Resources for Securing a Web Server
  3.6 Alternative Web Server Platforms
4. Securing the Operating System
  4.1 Securely Installing and Configuring an Operating System
  4.2 Security Testing the Operating System
  4.3 Resources for Operating System Specific Security Procedures
  4.4 Securing the Web Server Operating System Checklist
5. Securely Installing and Configuring the Web Server
  5.1 Securely Installing the Web Server
  5.2 Configuring Access Controls
  5.3 Using File Integrity Checkers
  5.4 Securely Installing and Configuring the Web Server Checklist
6. Securing Web Content
  6.1 Publishing Information on Public Web Sites
  6.2 Regulations Regarding the Collection of Personal Information
  6.3 Securing Active Content and Content Generation Technologies
  6.4 Securing Web Content Checklist
7. Authentication and Encryption Technologies
  7.1 Determining Authentication and Encryption Requirements
  7.2 Address-Based Authentication
  7.3 Basic Authentication
  7.4 Digest Authentication
  7.5 SSL/TLS
  7.6 Web Authentication and Encryption Technologies Checklist
8. Implementing a Secure Network for a Web Server
  8.1 Network Location
  8.2 Network Element Configuration
  8.3 Network Infrastructure Checklist
9. Administering a Web Server
  9.1 Logging
  9.2 Web Server Backup Procedures
  9.3 Recovering from a Security Compromise
  9.4 Security Testing Web Servers
  9.5 Remotely Administering a Web Server
  9.6 Securely Administering a Web Server Checklist
Appendix A. Securing Apache Web Server
  A.1 Installation
Recommended publications
  • AN-POV-006 – Configuring Local Viewer, Secure Viewer, and Web Clients in POV
    AN-POV-006 – Configuring Local Viewer, Secure Viewer, and Web Clients in POV

    Implementation Specifications or Requirements (Category / Item)
    Software:
      POV Version: 7.1 SP2 and later
      Service Pack: N/A
      Windows Version: WinXP/2000/Server2003/2008, Vista, Windows 7/8
      Web Thin Client: Yes
    Equipment:
      Panel Manufacturer: N/A
      Panel Model: N/A
      Other Hardware: N/A
      Comm. Driver: All
      Controller (e.g.: PLC): All
    Application:
      Language: N/A
      Software Demo Application: N/A

    Summary

    Point of View (POV) supports both Local and Remote Viewing. Local Viewing is the traditional method of visualizing Screens, whereby the PC running the application uses the PC's graphics controller to generate the visual information on an attached monitor. Remote Viewing is what we generically call a Web Client Solution. Support for Web Clients is built into Point of View, providing cost-effective machine and process monitoring/control from a networked PC, whether that PC is in the same building or half-way around the world. The networked PC (i.e. the Web Thin Client) needs only minimal features, sufficient to support a thin client (Web Browser or Secure Viewer runtime).

    The Point of View Thin Client Solution supports two different application hosts: Microsoft Internet Explorer, or a Point of View-developed host called Secure Viewer. For simplicity, when Microsoft Internet Explorer is used as the browser, it is referred to as a Web Thin Client, and when the Secure Viewer browser is used, it is referred to as a Secure Viewer Thin Client. The Secure Viewer Thin Client supports the feature to disable the ability of the current user to navigate outside the (Point of View) application, and is ideally suited for stations dedicated to run the application.
  • Securing IIS 6.0 Web Server
    CERT-In Security Guideline CISG-2006-01
    CERT-In, Indian Computer Emergency Response Team: Enhancing Cyber Security in India
    Securing IIS 6.0 Web Server
    Department of Information Technology, Ministry of Communications and Information Technology, Govt. of India
    Version: 1.0
    Issue Date: 11-10-2006

    Table of Contents
    1. Introduction
    2. Overview of IIS 6.0
      2.1 Salient Architectural Features of IIS 6.0
    3. Host Security
    4. Secure IIS Configuration
      4.1 Minimize Default Installation
        4.1.1 Essential IIS components & services
        4.1.2 Delete default sample files and websites
        4.1.3 Web Services Extensions
        4.1.4 Disable File System Object (FSO) Component
        4.1.5 Enable Only Essential MIME Types
      4.2 User Rights and Permissions
        4.2.1 IIS User Accounts
        4.2.2 Authentication
        4.2.3 Metabase Permissions
        4.2.4 Fine Tune Metabase Settings
        4.2.5 Securing IIS Website Permissions
        4.2.6 Securing the Web Site Directory and Content
        4.2.7 Setting IP Address and Domain Name Restrictions
        4.2.8 Isolating Applications
        4.2.9 Evaluating the effects of Impersonation on Application Compatibility
        4.2.10 Configure Web Sites and Applications for Isolation
      4.3 Other Security configurations
        4.3.1 Configure the custom error Pages
        4.3.2 Configuring Secure Sockets Layer
        4.3.3 Logging
        4.3.4 Backup
        4.3.5 Network Security
        4.3.6 Reviewing Security Policies, Processes & Procedures
    5.
  • IIS Administration Tools IIS 7.0 Uses a New IIS Manager That Brings All the IIS and ASP.NET Configurations Into One Management Location
    Part I: Introduction and Deployment
    Chapter 1: Background on IIS and New Features in IIS 7.0
    Chapter 2: IIS 7.0 Architecture
    Chapter 3: Planning Your Deployment
    Chapter 4: Installing IIS 7.0

    Background on IIS and New Features in IIS 7.0

    Microsoft's Internet Information Services (IIS) has been around for more than a decade, from its first incarnation in Windows NT 3.51 to the current release of IIS 7.0 on the Windows Server 2008 and Vista platforms. It has evolved from providing basic service as an HTTP server, as well as additional Internet services such as Gopher and WAIS, to a fully configurable application services platform integrated with the operating system.

    IIS 7.0 is a dramatic change in the way IIS is configured and managed. Modularity, granularity, and interoperability are the guiding factors across the entire product, from setup to security, management to automation. Integrated heavily into the operating system, IIS 7.0 benefits from the improvements in the Windows Server 2008 operating system, but IIS has been re-engineered to meet the demands of a true application platform. This chapter will provide you with an overview of the changes in IIS 7.0 as well as a sampling of some of the new technologies. If you are familiar with IIS 6.0, you will want to skim through this chapter for changes before digging into future chapters for specifics.