Archived NIST Technical Series Publication
The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).
Archived Publication
Series/Number: NIST Special Publication 800-44
Title: Guidelines on Securing Public Web Servers
Publication Date(s): October 2002
Withdrawal Date: September 2007
Withdrawal Note: SP 800-44 is superseded in its entirety by the publication of SP 800-44 Version 2 (September 2007).
Superseding Publication(s)
The attached publication has been superseded by the following publication(s):
Series/Number: NIST Special Publication 800-44 Version 2
Title: Guidelines on Securing Public Web Servers
Author(s): Miles Tracy, Wayne Jansen, Karen Scarfone, Theodore Winograd
Publication Date(s): September 2007
URL/DOI: http://dx.doi.org/10.6028/NIST.SP.800-44ver2
Additional Information (if applicable)
Contact: Computer Security Division (Information Technology Lab)
Latest revision of the attached publication: SP 800-44 Version 2 (as of June 19, 2015)
Related information: http://csrc.nist.gov/
Withdrawal announcement (link): N/A
Date updated: June 23, 2015
Special Publication 800-44
Guidelines on Securing Public Web Servers
Recommendations of the National Institute of Standards and Technology
Miles Tracy, Wayne Jansen, and Mark McLarnon
COMPUTER SECURITY
Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930
September 2002
U.S. Department of Commerce Donald L. Evans, Secretary
Technology Administration Phillip J. Bond, Under Secretary for Technology
National Institute of Standards and Technology Arden L. Bement, Jr., Director
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
National Institute of Standards and Technology Special Publication 800-44 Natl. Inst. Stand. Technol. Spec. Publ. 800-44, xx pages (Mon. 2002) CODEN: XXXXX
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
U.S. GOVERNMENT PRINTING OFFICE WASHINGTON: 2002
For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov – Phone: (202) 512-1800 – Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
Acknowledgements
The authors, Wayne Jansen from NIST and Miles Tracy and Mark McLarnon from Booz Allen wish to express their thanks to colleagues at both organizations who reviewed drafts of this document. In particular, their appreciation goes to John Wack, Murugiah Souppaya, and Tim Grance from NIST, and Steve Allison, Scott Bisker, Alexis Feringa, Kevin Kuhlkin, and Jonathan Holleran of Booz Allen, for their research, technical support, and written contributions to this document. The authors would also like to express their thanks to all those who contributed input during the public comment period and who assisted with our internal review process.
Guidelines on Securing Public Web Servers
Table of Contents
EXECUTIVE SUMMARY...... ES-1
1. INTRODUCTION ...... 1
1.1 AUTHORITY ...... 1
1.2 PURPOSE AND SCOPE ...... 1
1.3 AUDIENCE AND ASSUMPTIONS ...... 2
1.4 DOCUMENT STRUCTURE ...... 2
2. WEB SERVER SECURITY PROBLEMS AND OVERVIEW ...... 4
2.1 GENERAL INFORMATION SYSTEM SECURITY PRINCIPLES ...... 7
3. PLANNING AND MANAGEMENT OF WEB SERVERS ...... 9
3.1 PLANNING FOR A WEB SERVER DEPLOYMENT ...... 9
3.2 SECURITY MANAGEMENT STAFF ...... 11
3.3 MANAGEMENT PRACTICES ...... 13
3.4 SYSTEM SECURITY PLAN ...... 14
3.5 HUMAN RESOURCES FOR SECURING A WEB SERVER ...... 16
3.6 ALTERNATIVE WEB SERVER PLATFORMS ...... 17
4. SECURING THE OPERATING SYSTEM ...... 20
4.1 SECURELY INSTALLING AND CONFIGURING AN OPERATING SYSTEM ...... 20
4.2 SECURITY TESTING THE OPERATING SYSTEM ...... 24
4.3 RESOURCES FOR OPERATING SYSTEM SPECIFIC SECURITY PROCEDURES ...... 25
4.4 SECURING THE WEB SERVER OPERATING SYSTEM CHECKLIST ...... 25
5. SECURELY INSTALLING AND CONFIGURING THE WEB SERVER ...... 27
5.1 SECURELY INSTALLING THE WEB SERVER ...... 27
5.2 CONFIGURING ACCESS CONTROLS ...... 28
5.3 USING FILE INTEGRITY CHECKERS ...... 34
5.4 SECURELY INSTALLING AND CONFIGURING THE WEB SERVER CHECKLIST ...... 35
6. SECURING WEB CONTENT ...... 37
6.1 PUBLISHING INFORMATION ON PUBLIC WEB SITES ...... 37
6.2 REGULATIONS REGARDING THE COLLECTION OF PERSONAL INFORMATION ...... 39
6.3 SECURING ACTIVE CONTENT AND CONTENT GENERATION TECHNOLOGIES ...... 40
6.4 SECURING WEB CONTENT CHECKLIST ...... 49
7. AUTHENTICATION AND ENCRYPTION TECHNOLOGIES ...... 52
7.1 DETERMINING AUTHENTICATION AND ENCRYPTION REQUIREMENTS ...... 52
7.2 ADDRESS-BASED AUTHENTICATION ...... 52
7.3 BASIC AUTHENTICATION ...... 52
7.4 DIGEST AUTHENTICATION ...... 53
7.5 SSL/TLS ...... 53
7.6 WEB AUTHENTICATION AND ENCRYPTION TECHNOLOGIES CHECKLIST ...... 62
8. IMPLEMENTING A SECURE NETWORK FOR A WEB SERVER ...... 64
8.1 NETWORK LOCATION ...... 64
8.2 NETWORK ELEMENT CONFIGURATION ...... 69
8.3 NETWORK INFRASTRUCTURE CHECKLIST ...... 76
9. ADMINISTERING A WEB SERVER ...... 78
9.1 LOGGING ...... 78
9.2 WEB SERVER BACKUP PROCEDURES ...... 82
9.3 RECOVERING FROM A SECURITY COMPROMISE ...... 85
9.4 SECURITY TESTING WEB SERVERS ...... 87
9.5 REMOTELY ADMINISTERING A WEB SERVER ...... 90
9.6 SECURELY ADMINISTERING A WEB SERVER CHECKLIST ...... 91
APPENDIX A. SECURING APACHE WEB SERVER ...... A-1
A.1 INSTALLATION ...... A-1
A.2 INITIAL CONFIGURATION ...... A-4
A.3 PATCHING APACHE ...... A-10
A.4 MAINTAINING A SECURE APACHE CONFIGURATION ...... A-10
APPENDIX B. SECURING INTERNET INFORMATION SERVER ...... B-1
B.1 IIS OVERVIEW ...... B-2
B.2 IIS OVERVIEW ...... B-2
B.3 WHERE TO INSTALL IIS ...... B-4
B.4 CONFIGURING WINDOWS OPERATING SYSTEM ...... B-4
B.5 CONFIGURING IIS ...... B-9
B.6 CONFIGURING ACTIVE SERVER PAGES ...... B-17
B.7 PATCHING IIS ...... B-18
B.8 MAINTAINING SECURE IIS CONFIGURATION ...... B-19
B.9 MICROSOFT PATCHING TOOLS ...... B-20
B.10 MICROSOFT WINDOWS SECURITY CHECKLIST ...... B-36
B.11 MICROSOFT INTERNET INFORMATION SERVER SECURITY CHECKLIST ...... B-37
APPENDIX C. ONLINE WEB SERVER SECURITY RESOURCES ...... C-1
APPENDIX D. GLOSSARY ...... D-1
APPENDIX E. WEB SECURITY TOOLS AND APPLICATIONS ...... E-1
APPENDIX F. REFERENCES...... F-1
APPENDIX G. PRINT RESOURCES...... G-1
APPENDIX H. WEB SERVER SECURITY CHECKLIST ...... H-1
INSTALLING AND CONFIGURING THE WEB SERVER SECURELY ...... H-2
SECURING WEB CONTENT ...... H-3
EMPLOYING WEB AUTHENTICATION AND ENCRYPTION TECHNOLOGIES ...... H-5
EMPLOYING NETWORK INFRASTRUCTURE TO SECURE WEB SERVERS ...... H-6
SECURELY ADMINISTERING A WEB SERVER ...... H-7
SECURING APACHE ...... H-9
SECURING MICROSOFT INTERNET INFORMATION SERVER ...... H-10
APPENDIX I. ACRONYM LIST ...... I-1
INDEX...... INDX-1
List of Figures
Figure 6.1: Relative Risk of Common Client Side Active Content...... 43
Figure 7.1: SSL/TLS Location within the Internet Protocol Stack...... 54
Figure 7.2: Sample CSR...... 59
Figure 7.3: Sample Encoded SSL/TLS Certificate...... 60
Figure 8.1: Basic DMZ ...... 65
Figure 8.2: Two Firewall DMZ...... 66
Figure 8.3: Three Interface Firewall DMZ...... 66
Figure 8.4: Outsourced Web Server Hosting ...... 68
Executive Summary
The World Wide Web (WWW) is a system for exchanging information over the Internet. At the most basic level, the Web can be divided into two principal components: Web servers, which are applications that make information available over the Internet (in essence publish information) and Web browsers (clients), which are used to access and display the information stored on the Web servers. This document focuses on the security issues of Web servers.1
Unfortunately, the Web server is the most targeted and attacked host on most organizations’ networks. As a result, it is essential to secure Web servers and the network infrastructure that supports them. The specific security threats to Web servers generally fall into one of the following categories: