NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

3. Planning and Managing Web Servers

The most critical aspect of deploying a secure Web server is careful planning prior to installation, configuration, and deployment. Careful planning will ensure that the Web server is as secure as possible and in compliance with all relevant organizational policies. Many Web server security and performance problems can be traced to a lack of planning or management controls. The importance of management controls cannot be overstated. In many organizations, the IT support structure is highly fragmented. This fragmentation leads to inconsistencies, and these inconsistencies can lead to security vulnerabilities and other issues.

3.1 Installation and Deployment Planning

Security should be considered from the initial planning stage at the beginning of the systems development life cycle to maximize security and minimize costs. It is much more difficult and expensive to address security after deployment and implementation. Organizations are more likely to make decisions about configuring hosts appropriately and consistently if they begin by developing and using a detailed, well-designed deployment plan. Developing such a plan enables organizations to make informed trade-off decisions among usability, performance, and risk. A deployment plan allows organizations to maintain secure configurations and aids in identifying security vulnerabilities, which often manifest themselves as deviations from the plan.

In the planning stages of a Web server, the following items should be considered [Alle00]:

Identify the purpose(s) of the Web server.
• What information categories will be stored on the Web server?
• What information categories will be processed on or transmitted through the Web server?
• What are the security requirements for this information?
• Will any information be retrieved from or stored on another host (e.g., back-end database, mail server)?
• What are the security requirements for any other hosts involved (e.g., back-end database, directory server, mail server, proxy server)?
• What other service(s) will be provided by the Web server (in general, dedicating the host to being only a Web server is the most secure option)?
• What are the security requirements for these additional services?
• What are the requirements for continuity of services provided by Web servers, such as those specified in continuity of operations plans and disaster recovery plans?
• Where on the network will the Web server be located (see Section 8)?

Identify the network services that will be provided on the Web server, such as those supplied through the following protocols:
• HTTP
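The guideline's point that vulnerabilities often show up as deviations from the deployment plan can be turned into a routine check. The following Python is an added example, not code from NIST SP 800-44: it records the planning items above (authorised network services, back-end hosts, information categories, whether the host is dedicated to Web service) as a plan and reports where a constructed observation of the host drifts from it. All plan values, host names and observed data are constructed for illustration.

```python
"""Report deviations between a Web server deployment plan and an observed host.

Added example (not from NIST SP 800-44). Plan values and observations are constructed.
"""
from dataclasses import dataclass

WEB_PROTOCOLS = {"HTTP", "HTTPS"}  # services a dedicated Web host is expected to expose


@dataclass(frozen=True)
class DeploymentPlan:
    purpose: str
    network_services: frozenset      # authorised "PROTOCOL/port" entries, e.g. HTTPS/443
    back_end_hosts: frozenset        # other hosts the server may exchange data with
    information_categories: frozenset  # data classes approved for this host
    dedicated: bool = True           # host is to provide Web service only


def plan_deviations(plan, observed_services, observed_peers, observed_categories):
    """Return the list of deviations; an empty list means the host matches the plan."""
    deviations = []
    for svc in sorted(observed_services - plan.network_services):
        deviations.append(f"unplanned network service listening: {svc}")
    for svc in sorted(plan.network_services - observed_services):
        deviations.append(f"planned service missing: {svc}")
    if plan.dedicated:  # any non-Web protocol means the host is no longer dedicated
        for svc in sorted(observed_services):
            if svc.split("/", 1)[0] not in WEB_PROTOCOLS:
                deviations.append(f"non-Web service on a host planned as dedicated: {svc}")
    for peer in sorted(observed_peers - plan.back_end_hosts):
        deviations.append(f"connection to host outside plan: {peer}")
    for cat in sorted(observed_categories - plan.information_categories):
        deviations.append(f"information category not approved for this host: {cat}")
    return deviations


# Constructed plan for a hypothetical public marketing site (not a real deployment).
PLAN = DeploymentPlan(
    purpose="public marketing site",
    network_services=frozenset({"HTTP/80", "HTTPS/443"}),
    back_end_hosts=frozenset({"db.internal.example"}),
    information_categories=frozenset({"public"}),
)
# Constructed observation: an extra mail service, an unplanned peer and unapproved data.
OBSERVED_SERVICES = frozenset({"HTTP/80", "HTTPS/443", "SMTP/25"})
OBSERVED_PEERS = frozenset({"db.internal.example", "mail.internal.example"})
OBSERVED_CATEGORIES = frozenset({"public", "customer-pii"})


def check_example():
    return plan_deviations(PLAN, OBSERVED_SERVICES, OBSERVED_PEERS, OBSERVED_CATEGORIES)


if __name__ == "__main__":
    for deviation in check_example():
        print("DEVIATION:", deviation)
```

In practice the observed sets would come from the host itself (listening sockets, connection logs, a data inventory) rather than constructed constants.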