NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

Appendix E—Web Server Security Checklist

This section provides a combined version of the individual security checklists provided at the end of many sections in this document.

Planning and Managing Web Servers

Completed / Action (mark the "Completed" box beside each action as it is done)

Plan the configuration and deployment of the Web server
    [ ] Identify functions of the Web server
    [ ] Identify categories of information that will be stored, processed, and transmitted through the Web server
    [ ] Identify security requirements of information
    [ ] Identify how information is published to the Web server
    [ ] Identify the security requirements of other hosts involved (e.g., backend database or Web service)
    [ ] Identify a dedicated host to run the Web server
    [ ] Identify network services that will be provided or supported by the Web server
    [ ] Identify the security requirements of any additional services provided or supported by the Web server
    [ ] Identify how the Web server will be managed
    [ ] Identify users and categories of users of the Web server and determine privilege for each category of user
    [ ] Identify user authentication methods for the Web server and how authentication data will be protected
    [ ] Identify how access to information resources will be enforced
    [ ] Identify appropriate physical security mechanisms
    [ ] Identify appropriate availability mechanisms

Choose appropriate OS for Web server
    [ ] Minimal exposure to vulnerabilities
    [ ] Ability to restrict administrative or root level activities to authorized users only
    [ ] Ability to control access to data on the server
    [ ] Ability to disable unnecessary network services that may be built into the OS or server software
    [ ] Ability to control access to various forms of executable programs, such as CGI scripts and server plug-ins
    [ ] Ability to log appropriate server activities to detect intrusions and attempted intrusions
    [ ] Provision of a host-based firewall capability
    [ ] Availability of experienced staff to install, configure, secure, and maintain OS
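Two of the items above ("Identify network services that will be provided or supported by the Web server" and "Ability to disable unnecessary network services") are easiest to verify by comparing what a host actually listens on against the deployment plan. The script below is an added example, not part of NIST SP 800-44 and not a NIST tool: it parses the kind of output `ss -ltnp` produces on Linux (the sample here is constructed, not captured from a real host), and reports listeners that the plan does not sanction. The allowlists are assumptions for a host meant to serve HTTP/HTTPS and be administered over SSH, with a loopback-only database used by the application.

```python
"""Check a Web server host's listening services against its deployment plan.

Added example (not from NIST SP 800-44). SAMPLE_SS_OUTPUT is constructed
to look like `ss -ltnp` output; PLANNED_* sets are an assumed plan.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output; not data from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=812,fd=7))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=601,fd=3))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=720,fd=21))
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=905,fd=4))
LISTEN  0       4096    [::]:25              [::]:*             users:(("master",pid=950,fd=13))
"""

# Assumed deployment plan: externally reachable services are limited to
# HTTP (80), HTTPS (443) and SSH administration (22); the only loopback
# service the plan sanctions is the application's local database (3306).
PLANNED_EXTERNAL_PORTS = {80, 443, 22}
PLANNED_LOOPBACK_PORTS = {3306}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


# Matches a LISTEN row: bind address and port, then the owning process name.
_LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output: str) -> list:
    """Parse the LISTEN rows of `ss -ltnp` output into Listener records."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LINE_RE.match(line)
        if m:
            listeners.append(Listener(m["addr"], int(m["port"]), m["proc"]))
    return listeners


def is_loopback(address: str) -> bool:
    """True for IPv4 loopback (127.0.0.0/8) or the IPv6 loopback bracket form."""
    return address.startswith("127.") or address == "[::1]"


def unplanned_listeners(listeners) -> list:
    """Return listeners the plan does not sanction: a non-loopback bind on a
    port outside PLANNED_EXTERNAL_PORTS, or a loopback bind on a port outside
    PLANNED_LOOPBACK_PORTS."""
    findings = []
    for listener in listeners:
        planned = PLANNED_LOOPBACK_PORTS if is_loopback(listener.address) else PLANNED_EXTERNAL_PORTS
        if listener.port not in planned:
            findings.append(listener)
    return findings


def audit(ss_output: str = SAMPLE_SS_OUTPUT) -> list:
    """One human-readable finding per unplanned listener."""
    return [
        f"{l.process} listening on {l.address}:{l.port} is not in the deployment plan"
        for l in unplanned_listeners(parse_listeners(ss_output))
    ]


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the constructed sample the script flags the FTP daemon on port 21 and the mail listener on port 25, which is exactly the kind of "built into the OS" service the checklist expects to be disabled before the host goes into service; the loopback-only database passes because the plan lists it. In use, feed it real `ss -ltnp` output and adjust the two planned-port sets to the functions identified for the server.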
Choose appropriate platform for Web server
    [ ] General purpose OS
    [ ] Trusted OS
    [ ] Web server appliance
    [ ] Pre-hardened OS and Web server
    [ ] Virtualized platform

E-1