NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

Table of Contents

Executive Summary ... ES-1
1. Introduction ... 1-1
   1.1 Authority ... 1-1
   1.2 Purpose and Scope ... 1-1
   1.3 Audience and Assumptions ... 1-2
   1.4 Document Structure ... 1-2
2. Background ... 2-1
3. Planning and Managing Web Servers ... 3-1
   3.1 Installation and Deployment Planning ... 3-1
   3.2 Security Management Staff ... 3-3
      3.2.1 Senior IT Management/Chief Information Officer ... 3-4
      3.2.2 Information Systems Security Program Managers ... 3-4
      3.2.3 Information Systems Security Officers ... 3-4
      3.2.4 Web Server and Network Administrators ... 3-5
      3.2.5 Web Application Developers ... 3-5
   3.3 Management Practices ... 3-6
   3.4 System Security Plan ... 3-7
   3.5 Human Resources Requirements ... 3-8
   3.6 Alternative Web Server Platforms ... 3-9
      3.6.1 Trusted Operating Systems ... 3-9
      3.6.2 Web Server Appliances ... 3-10
      3.6.3 Pre-Hardened Operating Systems and Web Servers ... 3-11
      3.6.4 Virtualized Platforms ... 3-12
   3.7 Checklist for Planning and Managing Web Servers ... 3-13
4. Securing the Web Server Operating System ... 4-1
   4.1 Installing and Configuring the Operating System ... 4-1
      4.1.1 Patch and Upgrade Operating System ... 4-1
      4.1.2 Remove or Disable Unnecessary Services and Applications ... 4-2
      4.1.3 Configure Operating System User Authentication ... 4-4
      4.1.4 Configure Resource Controls Appropriately ... 4-6
      4.1.5 Install and Configure Additional Security Controls ... 4-6
   4.2 Security Testing the Operating System ... 4-7
   4.3 Checklist for Securing the Web Server Operating System ... 4-7
5. Securing the Web Server ... 5-1
   5.1 Securely Installing the Web Server ... 5-1
   5.2 Configuring Access Controls ... 5-2
      5.2.1 Configuring the Permissions of the Web Server Application ... 5-3
      5.2.2 Configuring Secure Web Content Directory ... 5-4
      5.2.3 Uniform Resource Identifiers and Cookies ... 5-5
      5.2.4 Controlling Impact of Web “Bots” on Web Servers ... 5-6
   5.3 Checklist for Securing the Web Server ... 5-9