Secure Web Servers Protecting Web Sites That Are Accessed By ...
Upcoming SlideShare
Loading in...5
×
 

Secure Web Servers Protecting Web Sites That Are Accessed By ...

on

  • 568 views

 

Statistics

Views

Total Views
568
Views on SlideShare
568
Embed Views
0

Actions

Likes
0
Downloads
2
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Secure Web Servers Protecting Web Sites That Are Accessed By ... Secure Web Servers Protecting Web Sites That Are Accessed By ... Document Transcript

  • January 2008 ADVISING USERS ON INFORMATION TECHNOLOGY Bulletin SECURE WEB SERVERS: More Information section at the end of the ITL Bulletins are published by the Information PROTECTING WEB SITES bulletin for references to other Technology Laboratory (ITL) of the National publications that deal with the security of Institute of Standards and Technology (NIST). THAT ARE ACCESSED BY Each bulletin presents an in-depth discussion THE PUBLIC both Web servers and browsers, and with the basic processes for planning, of a single topic of significant interest to the implementing, and operating secure information systems community. Bulletins are Shirley Radack, Editor issued on an as-needed basis and are Computer Security Division systems. available from ITL Publications, National Information Technology Laboratory Institute of Standards and Technology, 100 National Institute of Standards and NIST Special Publication (SP) 800- 44, Version 2, Guidelines on Bureau Drive, Stop 8900, Gaithersburg, MD Technology 20899-8900, telephone (301) 975-2832. To be Securing Public Web Servers: Recommendations of the National placed on a mailing list to receive future Many organizations rely upon the World bulletins, send your name, organization, and Wide Web (Web) to publish information, Institute of Standards and Technology business address to this office. You will be to exchange information with Internet placed on this mailing list only. users, and to conduct electronic transactions with their customers and their NIST SP 800-44, Version 2, Guidelines on Securing Public Web Servers, details the Bulletins issued since December 2006: suppliers. The Web’s system of interlinked Maintaining Effective Information Technology text, images, videos, and other information steps that organizations should take to (IT) Security Through Test, Training, and makes vast amounts of information plan, install, and maintain secure Web Exercise Programs, December 2006 available to organizations and individuals. server software and their underlying Security Controls for Information Systems: With the many advances in computer operating systems. The authors of NIST Revised Guidelines Issued by NIST, January efficiency, programming techniques, and SP 800-44, Version 2, are Miles Tracy of 2007 entry points to network systems, however, Federal Reserve Information Technology, Intrusion Detection and Prevention Systems, Wayne Jansen of NIST, Karen Scarfone of February 2007 public Web sites have become vulnerable Improving the Security of Electronic Mail: to frequent security threats. NIST, and Theodore Winograd of Booz Allen Hamilton. Updated Guidelines Issued by NIST, March 2007 The safe operation of public Web sites Securing Wireless Networks, April 2007 depends upon the safe and secure Issues covered in the guide include how to Securing Radio Frequency Identification operation of two principal components of secure, install, and configure the operating (RFID) Systems, May 2007 the networking infrastructure: the system that supports the Web server; how Forensic Techniques for Cell Phones, June organization’s Web servers, the software to secure, install, and configure Web 2007 applications that make information server software; how to deploy appropriate Border Gateway Protocol Security, July 2007 network protection mechanisms, such as Secure Web Services, August 2007 available over the Internet; and Web The Common Vulnerability Scoring System, browsers, the programs that enable users firewalls, routers, switches, and intrusion detection and intrusion prevention October 2007 to access and display the information from Using Storage Encryption Technologies to the Web servers. systems; the steps for maintaining the Protect End User Devices, November 2007 secure configuration of the operating Securing External Computers and Other Guidelines developed by the Information system and server software through the Devices Used by Teleworkers, December Technology Laboratory of the National application of appropriate patches and 2007 Institute of Standards and Technology upgrades; the requirements for security (NIST) help organizations manage the testing; the methods for monitoring logs, secure operation of both their Web servers and for managing backups of data and and their Web browsers. This bulletin operating system files; and how to use, summarizes a recently updated NIST publicize, and protect information and data Special Publication (SP) 800-44, on Web servers in a careful and systematic Guidelines on Securing Public Web manner. Servers, which focuses on the design, implementation, and operation of publicly The appendices to the guide provide useful accessible and secure Web servers. See the supplemental information: a list of online Web security resources, definitions of the
  • 2 January 2008 terms used in the guide, and a list of from making use of the Web server’s site. The information that is collected in commonly used Web server security tools services. phishing and pharming attacks can be used and applications. Other practical resources ▫ The compromise of sensitive to access the user’s Web site or to carry in the appendices are a list of in-print and information on backend databases that out an identity theft scheme. online references, an extensive checklist of are used to support interactive elements actions needed for Web server security, of a Web application. The attacker injects NIST’S Recommendations for and an acronym list. commands that are run on the server. Installing, Configuring, and Using Structured Query Language (SQL) Maintaining Secure Public Web NIST SP 800-44, Version 2, is available and Lightweight Directory Access Servers on the NIST Web site: Protocol (LDAP), the attacker submits http://csrc.nist.gov/publications/PubsSPs.h input that will be passed to a database and To address the many sophisticated security tml. then processed. In cross-site scripting threats, NIST recommends that (XSS) attacks, the intruder manipulates the organizations adopt the following practices Who We Are application to store scripting language to maintain a secure Web presence: The Information Technology Laboratory (ITL) commands that are activated when another is a major research component of the National user accesses the Web page. ▪ Carefully plan and address the Institute of Standards and Technology (NIST) of the Technology Administration, U.S. security aspects for the deployment of a Department of Commerce. We develop tests ▫ The interception of sensitive public Web server. and measurement methods, reference data, information that is transmitted proof-of-concept implementations, and unencrypted between the Web server Security issues should be considered when technical analyses that help to advance the and the browser. an organization begins to plan for the development and use of new information deployment of a public Web server since it technology. We seek to overcome barriers to * The modification of the is much more difficult to address security the efficient use of information technology, and information on the Web server for once deployment and implementation have to make systems more interoperable, easily malicious purposes, such as the taken place. Sound decisions about the usable, scalable, and secure than they are today. Our website is http://www.itl.nist.gov. defacement of Web sites. appropriate configuration of systems are more likely to be made when organizations ▫ Malicious entities that gain develop and use a detailed, well-designed The Need for Security unauthorized access to resources deployment plan. The deployment plan elsewhere in the organization’s network will also support the organization’s Web The World Wide Web is a widely used via a successful attack on the Web server administrators when they have to system for exchanging information over server. make the necessary trade-off decisions the Internet. Both Web servers and Web regarding usability, performance, and risk. browsers can be vulnerable to attacks that ▫ Malicious entities that attack destroy or change information, and disrupt external entities after compromising a Human resource requirements are essential operations. Web servers are frequently Web server host. These attacks can be components of planning, deployment, and targeted for attack and are subject to many launched directly, from the compromised operational phases of the Web server and security threats, such as: host against an external server, or its supporting infrastructure. Human indirectly, through the placement of resource issues that need to be addressed ▫ Malicious attacks that exploit malicious content on the compromised in a deployment plan include: software bugs in the Web server, the Web server in order to exploit underlying operating system, or the vulnerabilities in the Web browsers of the ▫ Types of personnel required: active content of information. These users visiting the site. system and Web server administrators, attacks allow the intruder to gain Webmasters, network administrators, unauthorized access to the Web server and ▫ Use of the Web server as a information systems security officers to information that was not meant to be distribution point for attack tools, (ISSOs); publicly accessible. Then, sensitive pornography, or illegally copied ▫ Skills and training required by information on the Web server may be software. assigned personnel; and read or modified. These attacks can also ▫ Required levels of effort for result in giving the intruder unauthorized ▫ Attackers that use indirect individuals and the overall level of effort capabilities to execute commands and to methods to extract personal information required for the staff as a whole. install software on the Web server. from users. Phishing attacks trick the user into logging into a fake site and giving ▪ Implement appropriate security ▫ Denial of service (DoS) personal information, which is then stolen. management practices and controls attacks that are directed to the Web In another type of indirect attack known as when maintaining and operating a server or its supporting network pharming, Domain Name System (DNS) secure Web server. infrastructure. These attacks can result in servers or users’ host files are denying or hindering authorized users compromised to redirect users to a Organizations should identify their malicious site instead of to the legitimate information system assets and the
  • 3 January 2008 development, documentation, and ▫ Configure operating system ▫ An organization’s detailed implementation of policies, standards, user authentication. physical and information security procedures, and guidelines that help to ▫ Configure resource controls. safeguards; ensure the confidentiality, integrity, and ▫ Install and configure additional ▫ Details about an organization’s availability of information system security controls. network and information system resources. The following security ▫ Perform security testing of the infrastructure, such as address ranges, management practices will help to operating system. naming conventions, and access numbers; strengthen the security of the Web server ▫ Information that specifies or and the supporting network infrastructure: ▪ Ensure that the Web server implies physical security vulnerabilities; application is deployed, configured, and ▫ Detailed plans, maps, diagrams, ▫ Develop an organization-wide managed to meet the security aerial photographs, and architectural information system security policy. requirements of the organization. drawings of organizational buildings, ▫ Use configuration/change properties, or installations; and control and management practices. The steps for the secure installation and ▫ Any sensitive information ▫ Conduct risk assessment and configuration of the Web server about individuals, such as personally management processes. application parallel the steps for securing identifiable information (PII), that might ▫ Adopt standardized software the operating system. Administrators be subject to federal, state or, in some configurations that satisfy the information should install the minimal amount of Web instances, international privacy laws. system security policy. server services required and eliminate any ▫ Conduct security awareness known vulnerabilities through patches or ▪ Take appropriate steps to protect and training activities. upgrades. Any unnecessary applications, Web content from unauthorized access ▫ Adopt contingency planning, services, or scripts resulting from the or modification. continuity of operations, and disaster server installation program should be recovery planning procedures. removed immediately after the conclusion After organizations carefully review the ▫ Apply certification and of the installation process. Steps for information that is made available to the accreditation methods. securing the Web server application public on their Web sites, the include: organizations should ensure that the ▪ Ensure that Web server operating ▫ Patch and upgrade the Web information cannot be modified without systems are deployed, configured, and server application. proper authorization. Users rely on the managed to meet the security ▫ Remove or disable unnecessary integrity of the publicly available requirements of the organization. services, applications, and sample content. information. Because of the public ▫ Configure Web server user accessibility of Web content, the The security of a Web server depends authentication and access controls. information is vulnerable to modification. upon the security of its underlying ▫ Configure Web server resource Organizations should protect public Web operating system. Most commonly controls. content through practices for the available Web servers operate on a ▫ Test the security of the Web appropriate configuration of Web server general-purpose operating system, which server application and Web content. resource controls, such as: should be configured appropriately to circumvent security problems. Default Organizations should develop a Web ▫ Install or enable only necessary hardware and software configurations are publishing process or policy that services. typically set by manufacturers to determines what type of information will ▫ Install Web content on a emphasize features, functions, and ease of be published openly, what information will dedicated hard drive or logical partition. use, and may not focus on security issues. be published with restricted access, and ▫ Limit uploads to directories Because every organization’s security what information should not be published that are not readable by the Web server. needs are different, Web server to any publicly accessible repository. ▫ Define a single directory for all administrators should configure new Some generally accepted examples of external scripts or programs executed as servers to reflect their organization’s what should not be published or that at part of Web content. security requirements and then reconfigure least should be carefully examined and ▫ Disable the use of hard or the servers as those requirements change. reviewed before publication on a public symbolic links. Security configuration guides or checklists Web site include: ▫ Define a complete Web content can assist administrators in securing access matrix that identifies which folders systems consistently and efficiently. Steps ▫ Classified or proprietary and files within the Web server document for securing the operating system include: information; directory are restricted, which are ▫ Information on the composition accessible, and to whom. ▫ Patch and upgrade the or preparation of hazardous materials or ▫ Disable directory listings. operating system. toxins; ▫ Use user authentication, digital ▫ Remove or disable unnecessary ▫ Sensitive information relating signatures, and other cryptographic services and applications. to homeland security; mechanisms as appropriate. ▫ Medical records;
  • 4 January 2008 ▫ Use host-based intrusion public Web server would be within reach ▫ Test and apply patches in a detection systems (IDSs), intrusion of anyone with access to the server. Also, timely manner. prevention systems (IPSs), and/or file a process to authenticate the server to the ▫ Test server security integrity checkers to detect intrusions and user helps users of the public Web server periodically. to verify Web content. to determine whether the server is the ▫ Protect the backend server from “authentic” Web server or a counterfeit More Information command injection attacks directed to both version operated by a malicious entity. the Web server and the backend server. Federal agencies will find information Despite the employment of an encrypted about protecting sensitive information in ▪ Use active content judiciously after channel and an authentication mechanism, the following directives: balancing the benefits gained against attackers may still attempt to access the the associated risks. Web site via a brute force attack. Improper White House Memorandum dated March authentication techniques can allow 19, 2002, Action to Safeguard Information Early Web sites usually presented static attackers to gather valid usernames or Regarding Weapons of Mass Destruction information such as text-based documents potentially gain access to the Web site. and Other Sensitive Documents Related to that were on the Web server. Today, Strong authentication mechanisms can also Homeland Security interactive elements are available, making protect against phishing and pharming (http://www.usdoj.gov/oip/foiapost/2002fo possible new ways for users to interact attacks. Therefore, an appropriate level of iapost10.htm). with a Web site. These interactive authentication should be implemented elements have introduced new Web- based on the sensitivity of the Web OMB Memorandum M-06-16, dated June related vulnerabilities because they server’s users and content. 23, 2006, Protection of Sensitive Agency involve dynamically executing code on Information; and OMB Memorandum M- either the Web server or the client using a ▪ Employ the network infrastructure to 07-16, dated May 22, 2007, Safeguarding large number of inputs, from Universal help protect public Web servers. Against and Responding to the Breach of Resource Locator (URL) parameters to Personally Identifiable Information, at Hypertext Transfer Protocol (HTTP) The network infrastructure, which includes http://www.whitehouse.gov/omb/memoran POST content and, more recently, firewalls, routers, and IDSs, supports the da/. Extensible Markup Language (XML) Web server and plays a critical role in the content in the form of Web service security of the Web server. In most NIST publications assist organizations in messages. Different active content configurations, the network infrastructure planning and implementing a technologies have different vulnerabilities will be the first line of defense between a comprehensive approach to information associated with them, and their risks public Web server and the Internet. security. NIST publications that support should be weighed against their benefits. Network design alone, however, cannot the secure installation, configuration, and Although most Web sites use some form protect a Web server. Web server attacks maintenance of Web servers and browsers of active content generators, many also are frequent, sophisticated, and varied. include: deliver some or all of their content in a Web server security must be implemented non-active form. through layered and diverse protection NIST SP 800-18 Revision 1, Guide for mechanisms that provide defense-in-depth. Developing Security Plans for Federal ▪ Use appropriate authentication and Information Systems. cryptographic technologies to protect ▪ Commit to an ongoing process for certain types of sensitive data. maintaining the security of public Web NIST SP 800-28, Guidelines on Active servers to ensure continued security. Content and Mobile Active Code. Public Web servers often support a range of technologies for identifying and Organizations should apply constant NIST SP 800-40, Version 2.0, Creating a authenticating users with different effort, resources, and vigilance to maintain Patch and Vulnerability Management privileges for accessing information. Some secure Web servers. The following steps Program. of these technologies are based on should be performed on a daily basis to cryptographic functions that can provide maintain the security of Web servers: NIST SP 800-41, Guidelines on Firewalls an encrypted channel between a Web and Firewall Policy. browser client and a Web server. Web * Configure, protect, and analyze servers may be configured to use different log files. NIST SP 800-42, Guideline on Network cryptographic algorithms, providing ▫ Back up critical information Security Testing. varying levels of security and frequently. performance. ▫ Maintain a protected NIST SP 800-45, Version 2, Guidelines on authoritative copy of the organization’s Electronic Mail Security. Without proper user authentication Web content. processes, organizations cannot selectively ▫ Establish and follow NIST SP 800-46, Security for restrict access to specific information. All procedures for recovering from Telecommuting and Broadband of the information that is available on a compromise. Communications.
  • 5 January 2008 NIST SP 800-92, Guide to Computer For information about NIST standards and ITL Bulletins via E-Mail Security Log Management. guidelines that are referenced in the Web We now offer the option of delivering your ITL server security guide, as well as other Bulletins in ASCII format directly to your e-mail NIST SP 800-94, Guide to Intrusion security-related publications, see NIST’s address. To subscribe to this service, send an e- Detection and Prevention Systems (IDPS). Web page at mail message from your business e-mail http://csrc.nist.gov/publications/index.html account to listproc@nist.gov with the message NIST SP 800-95, Guide to Secure Web subscribe itl-bulletin, and your name, e.g., Services. Disclaimer: Any mention of commercial products or John Doe. For instructions on using listproc, reference to commercial organizations is for send a message to listproc@nist.gov with the information only; it does not imply recommendation message HELP. To have the bulletin sent to an or endorsement by NIST nor does it imply that the e-mail address other than the FROM address, products mentioned are necessarily the best available contact the ITL editor at for the purpose. 301-975-2832 or elizabeth.lennon@nist.gov.