NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS Acknowledgements, <strong>Version</strong> 2 The authors, Wayne Jansen and Karen Scarfone of <strong>NIST</strong>, Miles Tracy of Federal Reserve Information Technology, and Theodore Winograd of Booz Allen Hamilton, wish to express their thanks to colleagues who reviewed drafts of this document. In particular, their appreciation goes to Tim Grance, Bill Burr, Patrick O’Reilly, Ray Perlner, and Murugiah Souppaya from <strong>NIST</strong>, and Jason Butterfield, Kwok Cheng, and Jonathan Holleran of Booz Allen Hamilton, for their research, technical support, and written contributions to this document. The authors also appreciate the efforts of those individuals, agencies, and other organizations that contributed input during the public comment period. Acknowledgements, Original <strong>Version</strong> The authors, Wayne Jansen from <strong>NIST</strong> and Miles Tracy and Mark McLarnon from Booz Allen Hamilton, wish to express their thanks to colleagues at both organizations who reviewed drafts of this document. In particular, their appreciation goes to John Wack, Murugiah Souppaya, and Tim Grance from <strong>NIST</strong>, and Steve Allison, Scott Bisker, Alexis Feringa, Kevin Kuhlkin, and Jonathan Holleran of Booz Allen Hamilton for their research, technical support, and written contributions to this document. The authors would also like to express their thanks to all those who contributed input during the public comment period and who assisted with our internal review process. iii
GUIDELINES ON SECURING PUBLIC WEB SERVERS Table of Contents Executive Summary..............................................................................................................ES-1 1. Introduction ......................................................................................................................1-1 1.1 Authority...................................................................................................................1-1 1.2 Purpose and Scope .................................................................................................1-1 1.3 Audience and Assumptions .....................................................................................1-2 1.4 Document Structure .................................................................................................1-2 2. Background ......................................................................................................................2-1 3. Planning and Managing Web Servers ............................................................................3-1 3.1 Installation and Deployment Planning......................................................................3-1 3.2 Security Management Staff......................................................................................3-3 3.2.1 Senior IT Management/Chief Information Officer .........................................3-4 3.2.2 Information Systems Security Program Managers .......................................3-4 3.2.3 Information Systems Security Officers .........................................................3-4 3.2.4 Web Server and Network Administrators .....................................................3-5 3.2.5 Web Application Developers ........................................................................3-5 3.3 Management Practices ............................................................................................3-6 3.4 System Security Plan...............................................................................................3-7 3.5 Human Resources Requirements............................................................................3-8 3.6 Alternative Web Server Platforms............................................................................3-9 3.6.1 Trusted Operating Systems..........................................................................3-9 3.6.2 Web Server Appliances ..............................................................................3-10 3.6.3 Pre-Hardened Operating Systems and Web Servers.................................3-11 3.6.4 Virtualized Platforms...................................................................................3-12 3.7 Checklist for Planning and Managing Web Servers...............................................3-13 4. Securing the Web Server Operating System.................................................................4-1 4.1 Installing and Configuring the Operating System.....................................................4-1 4.1.1 Patch and Upgrade Operating System.........................................................4-1 4.1.2 Remove or Disable Unnecessary Services and Applications.......................4-2 4.1.3 Configure Operating System User Authentication........................................4-4 4.1.4 Configure Resource Controls Appropriately .................................................4-6 4.1.5 Install and Configure Additional Security Controls .......................................4-6 4.2 Security Testing the Operating System ...................................................................4-7 4.3 Checklist for Securing the Web Server Operating System ......................................4-7 5. Securing the Web Server.................................................................................................5-1 5.1 Securely Installing the Web Server..........................................................................5-1 5.2 Configuring Access Controls....................................................................................5-2 5.2.1 Configuring the Permissions of the Web Server Application ........................5-3 5.2.2 Configuring Secure Web Content Directory .................................................5-4 5.2.3 Uniform Resource Identifiers and Cookies ...................................................5-5 5.2.4 Controlling Impact of Web “Bots” on Web Servers.......................................5-6 5.3 Checklist for Securing the Web Server ....................................................................5-9 iv
Page 1 and 2: Special Publication 800</st
Page 3: GUIDELINES ON SECURING PUBLIC WEB S
Page 7 and 8: GUIDELINES ON SECURING PUBLIC WEB S
Page 55 and 56:
GUIDELINES ON SECURING PUBLIC WEB S
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

Create successful ePaper yourself

Delete template?

Save as template?