NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
GUIDELINES ON SECURING PUBLIC WEB SERVERS<br />
Create and store a backup copy of the encrypti<strong>on</strong> keys <strong>on</strong> read-<strong>on</strong>ly media in case the keys are deleted<br />
accidentally. If the keys are lost and cannot be recovered from backup media, a new key pair and<br />
certificate must be created. Note that the backup copy of the keys must be physically secured and<br />
should be encrypted as well.<br />
Store the original certificate in a folder or partiti<strong>on</strong> accessible by <strong>on</strong>ly <strong>Web</strong> or system administrators<br />
and secured by appropriate authenticati<strong>on</strong> mechanisms.<br />
C<strong>on</strong>sider running a file integrity checker in the <strong>Web</strong> server (see Secti<strong>on</strong> 8.2.2) and ensure that it is<br />
m<strong>on</strong>itoring for any changes to the certificate.<br />
Examine system logs regularly to validate and ensure preventi<strong>on</strong> of unauthorized system access.<br />
If a malicious user gains unauthorized access to a <strong>Web</strong> server, the integrity of the entire server is lost<br />
immediately <strong>on</strong>ce the encrypti<strong>on</strong> key pair is modified. Once a key in an SSL/TLS certificate is<br />
compromised, it can remain compromised; for example, some CAs do not issue revocati<strong>on</strong> informati<strong>on</strong>,<br />
and many client implementati<strong>on</strong>s do not obtain or process revocati<strong>on</strong> informati<strong>on</strong>.<br />
Once a certificate is ready, it needs to be installed, and SSL needs to be enabled and c<strong>on</strong>figured. Some<br />
steps are comm<strong>on</strong> to all <strong>Web</strong> servers:<br />
Disable SSL 1.0 and SSL 2.0.<br />
C<strong>on</strong>figure SSL/TLS to restrict cryptographic algorithms to the selected cipher suite(s) (see Secti<strong>on</strong><br />
7.5.4).<br />
Indicate the locati<strong>on</strong> of the SSL/TLS certificate and instruct the server to start using SSL/TLS. In<br />
certain cases, the <strong>Web</strong> server must be instructed to begin using SSL/TLS, and even given the locati<strong>on</strong><br />
of the SSL/TLS certificate and private keys if they were stored as files <strong>on</strong> the hard drive.<br />
Instruct server to listen <strong>on</strong> TCP port <str<strong>on</strong>g>44</str<strong>on</strong>g>3. This is the default TCP port from which SSL/TLS<br />
resources are accessed by clients (other ports can be used). In most cases, if the server was not<br />
previously using SSL/TLS, this port would be disabled for security reas<strong>on</strong>s. It will probably be<br />
necessary to c<strong>on</strong>figure the network infrastructure supporting the <strong>Web</strong> server to allow SSL/TLS traffic<br />
(see Secti<strong>on</strong> 8.2). All ports other than TCP <str<strong>on</strong>g>44</str<strong>on</strong>g>3 should be closed and the network infrastructure (e.g.,<br />
firewalls) should be updated to block attempts to c<strong>on</strong>nect to all other ports. However, if the <strong>Web</strong><br />
server is to host both HTTP and HTTPS c<strong>on</strong>tent, TCP 80 should be open as well.<br />
C<strong>on</strong>figure the server to protect the necessary resources (directories and/or files) using SSL/TLS.<br />
C<strong>on</strong>figure the <strong>Web</strong> server applicati<strong>on</strong> so that the appropriate resources are protected with SSL/TLS.<br />
These resources are then accessible <strong>on</strong>ly from a URL that starts with “https://”.<br />
Newer versi<strong>on</strong>s of the HTML standard have been amended to include a resp<strong>on</strong>se to inform clients when a<br />
file they have requested is available <strong>on</strong>ly via SSL/TLS. The HTTP status code 403.4 indicates that a<br />
HTTP GET request must be prefixed with an https:// because the resource requested is protected with<br />
SSL/TLS. For more informati<strong>on</strong>, c<strong>on</strong>sult RFCs 2246, 2626, and 2817. 60 Most current <strong>Web</strong> browsers also<br />
provide users with some user-friendly visual indicati<strong>on</strong> of a server’s SSL/TLS certificate status, such as<br />
changing the color of a status bar.<br />
60<br />
http://www.ietf.org/rfc/rfc2246.txt, http://www.ietf.org/rfc/rfc2626.txt and http://www.ietf.org/rfc/rfc2817.txt<br />
7-11