NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS Appendix E—Web Server Security Checklist This section provides a combined version of the individual security checklists provided at the end of many sections in this document. Planning and Managing Web Servers Completed Action Plan the configuration and deployment of the Web server Identify functions of the Web server Identify categories of information that will be stored, processed, and transmitted through the Web server Identify security requirements of information Identify how information is published to the Web server Identify the security requirements of other hosts involved (e.g., backend database or Web service) Identify a dedicated host to run the Web server Identify network services that will be provided or supported by the Web server Identify the security requirements of any additional services provided or supported by the Web server Identify how the Web server will be managed Identify users and categories of users of the Web server and determine privilege for each category of user Identify user authentication methods for the Web server and how authentication data will be protected Identify how access to information resources will be enforced Identify appropriate physical security mechanisms Identify appropriate availability mechanisms Choose appropriate OS for Web server Minimal exposure to vulnerabilities Ability to restrict administrative or root level activities to authorized users only Ability to control access to data on the server Ability to disable unnecessary network services that may be built into the OS or server software Ability to control access to various forms of executable programs, such as CGI scripts and server plug-ins Ability to log appropriate server activities to detect intrusions and attempted intrusions Provision of a host-based firewall capability Availability of experienced staff to install, configure, secure, and maintain OS Choose appropriate platform for Web server General purpose OS Trusted OS Web server appliance Pre-hardened OS and Web server Virtualized platform E-1
GUIDELINES ON SECURING PUBLIC WEB SERVERS Securing the Web Server Operating System Completed Patch and upgrade OS Action Create, document, and implement a patching process Keep the servers disconnected from networks or on an isolated network that severely restricts communications until all patches have been installed Identify and install all necessary patches and upgrades to the OS Identify and install all necessary patches and upgrades to applications and services included with the OS Identify and mitigate any unpatched vulnerabilities Remove or disable unnecessary services and applications Disable or remove unnecessary services and applications Configure OS user authentication Remove or disable unneeded default accounts and groups Disable non-interactive accounts Create the user groups for the particular computer Create the user accounts for the particular computer Check the organization’s password policy and set account passwords appropriately (e.g., length, complexity) Prevent password guessing (e.g., increase the period between attempts, deny login after a defined number of failed attempts) Install and configure other security mechanisms to strengthen authentication Configure resource controls appropriately Deny read access to unnecessary files and directories Deny write access to unnecessary files and directories Limit the execution privilege of system tools to system administrators Install and configure additional security controls Select, install, and configure additional software to provide needed controls not included in the OS, such as antivirus software, antispyware software, rootkit detectors, host-based intrusion detection and prevention software, host-based firewalls, and patch management software Test the security of the OS Identify a separate identical system Test OS after initial install to determine vulnerabilities Test OS periodically (e.g., quarterly) to determine new vulnerabilities Securing the Web Server Completed Securely install the Web server Action Install the Web server software on a dedicated host or a dedicated virtualized guest OS Apply any patches or upgrades to correct for known vulnerabilities Create a dedicated physical disk or logical partition (separate from OS and Web server application) for Web content E-2
Page 1 and 2:
Special Publication 800</st
Page 3 and 4:
GUIDELINES ON SECURING PUBLIC WEB S
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78: GUIDELINES ON SECURING PUBLIC WEB S
Page 127: GUIDELINES ON SECURING PUBLIC WEB S
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

Create successful ePaper yourself

Delete template?

Save as template?