NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
GUIDELINES ON SECURING PUBLIC WEB SERVERS<br />
• Assets of the organizati<strong>on</strong><br />
• C<strong>on</strong>figurati<strong>on</strong> of the server or network that could be exploited for subsequent attacks<br />
• Informati<strong>on</strong> regarding the users or administrator(s) of the <strong>Web</strong> server, including their passwords.<br />
Vulnerabilities within the <strong>Web</strong> server that might allow, for example, attackers to compromise the<br />
security of the server and other hosts <strong>on</strong> the organizati<strong>on</strong>’s network by taking acti<strong>on</strong>s such as the<br />
following:<br />
• Defacing the <strong>Web</strong> site or otherwise affect informati<strong>on</strong> integrity<br />
• Executing unauthorized commands or programs <strong>on</strong> the host operating system, including <strong>on</strong>es that<br />
the intruder has installed<br />
• Gaining unauthorized access to resources elsewhere in the organizati<strong>on</strong>’s computer network<br />
• Launching attacks <strong>on</strong> external sites from the <strong>Web</strong> server, thus c<strong>on</strong>cealing the intruders’ identities,<br />
and perhaps making the organizati<strong>on</strong> liable for damages<br />
• Using the server as a distributi<strong>on</strong> point for illegally copied software, attack tools, or pornography,<br />
perhaps making the organizati<strong>on</strong> liable for damages<br />
• Using the server to deliver attacks against vulnerable <strong>Web</strong> clients to compromise them.<br />
Inadequate or unavailable defense mechanisms for the <strong>Web</strong> server to prevent certain classes of<br />
attacks, such as DoS attacks, which disrupt the availability of the <strong>Web</strong> server and prevent authorized<br />
users from accessing the <strong>Web</strong> site when required.<br />
In recent years, as the security of networks and server installati<strong>on</strong>s have improved, poorly written<br />
software applicati<strong>on</strong>s and scripts that allow attackers to compromise the security of the <strong>Web</strong> server or<br />
collect data from backend databases have become the targets of attacks. Many dynamic <strong>Web</strong> applicati<strong>on</strong>s<br />
do not perform sufficient validati<strong>on</strong> of user input, allowing attackers to submit commands that are run <strong>on</strong><br />
the server. Comm<strong>on</strong> examples of this form of attack are structured query language (SQL) injecti<strong>on</strong>,<br />
where an attacker submits input that will be passed to a database and processed, and cross-site scripting,<br />
where an attacker manipulates the applicati<strong>on</strong> to store scripting language commands that are activated<br />
when another user accesses the <strong>Web</strong> page.<br />
A number of steps are required to ensure the security of any public <strong>Web</strong> server. As a prerequisite for<br />
taking any step, however, it is essential that the organizati<strong>on</strong> have a security policy in place. Taking the<br />
following steps within the c<strong>on</strong>text of the organizati<strong>on</strong>’s security policy should prove effective:<br />
Step 1: Installing, c<strong>on</strong>figuring, and securing the underlying operating system (OS)<br />
Step 2: Installing, c<strong>on</strong>figuring, and securing <strong>Web</strong> server software<br />
Step 3: Employing appropriate network protecti<strong>on</strong> mechanisms (e.g., firewall, packet filtering router,<br />
and proxy)<br />
Step 4: Ensuring that any applicati<strong>on</strong>s developed specifically for the <strong>Web</strong> server are coded following<br />
secure programming practices<br />
2-2