NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
GUIDELINES ON SECURING PUBLIC WEB SERVERS<br />
Some <strong>Web</strong> server administrators also install <strong>on</strong>e or more forms of host-based intrusi<strong>on</strong> detecti<strong>on</strong> or<br />
intrusi<strong>on</strong> preventi<strong>on</strong> software <strong>on</strong> their servers. For example, file integrity checking software can identify<br />
changes to critical system files.<br />
When planning security c<strong>on</strong>trols, <strong>Web</strong> server administrators should c<strong>on</strong>sider the resources that the<br />
security c<strong>on</strong>trols will c<strong>on</strong>sume. A server’s performance could degrade if it does not have enough memory<br />
and processing capacity for the c<strong>on</strong>trols.<br />
4.2 Security Testing the Operating System<br />
Periodic security testing of the OS is a vital way to identify vulnerabilities and to ensure that the existing<br />
security precauti<strong>on</strong>s are effective. Comm<strong>on</strong> methods for testing OSs include vulnerability scanning and<br />
penetrati<strong>on</strong> testing. Vulnerability scanning usually entails using an automated vulnerability scanner to<br />
scan a host or group of hosts <strong>on</strong> a network for applicati<strong>on</strong>, network, and OS vulnerabilities. Penetrati<strong>on</strong><br />
testing is a testing process designed to compromise a network using the tools and methodologies of an<br />
attacker. It involves iteratively identifying and exploiting the weakest areas of the network to gain access<br />
to the remainder of the network, eventually compromising the overall security of the network.<br />
Vulnerability scanning should be c<strong>on</strong>ducted periodically, at least weekly to m<strong>on</strong>thly, and penetrati<strong>on</strong><br />
testing should be c<strong>on</strong>ducted at least annually. Because both of these testing techniques are also applicable<br />
to testing the <strong>Web</strong> server applicati<strong>on</strong>, they are discussed in detail in Secti<strong>on</strong> 9.4. 23<br />
Testing generally should not be performed <strong>on</strong> the producti<strong>on</strong> <strong>Web</strong> server itself. As menti<strong>on</strong>ed in Secti<strong>on</strong><br />
4.1.1, testing for patches and changes to the system should be performed <strong>on</strong> a separate system; this same<br />
testing envir<strong>on</strong>ment should be used to perform security testing of the <strong>Web</strong> server.<br />
4.3 Checklist for <strong>Securing</strong> the <strong>Web</strong> Server Operating System<br />
Completed<br />
Acti<strong>on</strong><br />
Patch and upgrade OS<br />
Create, document, and implement a patching process<br />
Keep the servers disc<strong>on</strong>nected from networks or <strong>on</strong> an isolated network that<br />
severely restricts communicati<strong>on</strong>s until all patches have been installed<br />
Identify and install all necessary patches and upgrades to the OS<br />
Identify and install all necessary patches and upgrades to applicati<strong>on</strong>s and<br />
services included with the OS<br />
Identify and mitigate any unpatched vulnerabilities<br />
Remove or disable unnecessary services and applicati<strong>on</strong>s<br />
Disable or remove unnecessary services and applicati<strong>on</strong>s<br />
C<strong>on</strong>figure OS user authenticati<strong>on</strong><br />
Remove or disable unneeded default accounts and groups<br />
Disable n<strong>on</strong>-interactive accounts<br />
Create the user groups for the particular computer<br />
Create the user accounts for the particular computer<br />
Check the organizati<strong>on</strong>’s password policy and set account passwords<br />
appropriately (e.g., length, complexity)<br />
23<br />
For informati<strong>on</strong> <strong>on</strong> other testing techniques, see <str<strong>on</strong>g>NIST</str<strong>on</strong>g> SP <str<strong>on</strong>g>800</str<strong>on</strong>g>-42, Guideline <strong>on</strong> Network Security Testing<br />
(http://csrc.nist.gov/publicati<strong>on</strong>s/nistpubs/).<br />
4-7