NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

1. Introduction

1.1 Authority

The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.

NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets; but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), "Securing Agency Information Systems," as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

This guideline has been prepared for use by Federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright, although attribution is desired. Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority, nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, the Director of the OMB, or any other Federal official.
1.2 Purpose and Scope

The purpose of the Guidelines on Securing Public Web Servers is to recommend security practices for designing, implementing, and operating publicly accessible Web servers, including related network infrastructure issues. Some Federal organizations might need to go beyond these recommendations or adapt them in other ways to meet their unique requirements. While intended as recommendations for Federal departments and agencies, it may be used in the private sector on a voluntary basis.

This document may be used by organizations interested in enhancing security on existing and future Web server systems to reduce the number and frequency of Web-related security incidents. This document presents generic principles that apply to all systems.

This guideline does not cover the following aspects relating to securing a Web server:

- Securing other types of network servers
- Firewalls and routers used to protect Web servers beyond a basic discussion in Section 8
- Security considerations related to Web client (browser) software [4]
- Special considerations for high-traffic Web sites with multiple hosts [5]
- Securing back-end servers that may support the Web server (e.g., database servers, file servers)

[4] For more information on securing Web browsers, see NIST Special Publication (SP) 800-46, Security for Telecommuting and Broadband Communications (http://csrc.nist.gov/publications/nistpubs/).

[5] Although this document does not address the specific security concerns that arise from high-traffic multiple-server Web farms, much of what is covered will apply to these types of installations.
1-1