NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

• Ability to control access to data on the server
• Ability to disable unnecessary network services that may be built into the OS or server software
• Ability to control access to various forms of executable programs, such as Common Gateway Interface (CGI) scripts and server plug-ins in the case of Web servers
• Ability to log appropriate server activities to detect intrusions and attempted intrusions
• Provision of a host-based firewall capability.
In addition, organizations should consider the availability of trained, experienced staff to administer the server and server products. Many organizations have learned the difficult lesson that a capable and experienced administrator for one type of operating environment is not automatically as effective for another.
Although many Web servers do not host sensitive information, most Web servers should be considered sensitive because of the damage to the organization’s reputation that could occur if the servers’ integrity is compromised. In such cases, it is critical that the Web servers are located in areas that provide secure physical environments. When planning the location of a Web server, the following issues should be considered:

• Are the appropriate physical security protection mechanisms in place? Examples include—
  • Locks
  • Card reader access
  • Security guards
  • Physical IDSs (e.g., motion sensors, cameras).
• Are there appropriate environmental controls so that the necessary humidity and temperature are maintained?
• Is there a backup power source? For how long will it provide power?
• If high availability is required, are there redundant Internet connections from at least two different Internet service providers (ISP)?
• If the location is subject to known natural disasters, is it hardened against those disasters and/or is there a contingency site outside the potential disaster area?
3.2 Security Management Staff

Because Web server security is tightly intertwined with the organization’s general information system security posture, a number of IT and system security staff may be interested in Web server planning, implementation, and administration. This section provides a list of generic roles and identifies their responsibilities as they relate to Web server security. These roles are for the purpose of discussion and may vary by organization.
3-3