Web Server Hardening

Web Server Hardening by Supraja Shankaran @ null Pune Meet, September 2011


  1. Web Server Hardening
     Supraja Shankar, Symbiosis Institute of Computer Studies and Research
  2. Web server
     ● It is a client-server architecture.
     ● The function of a web server is to service requests made through the HTTP protocol.
  3. Main threats to a web server
     • Profiling
     • Denial of service
     • Unauthorized access
     • Arbitrary code execution
     • Elevation of privileges
     • Viruses, worms, and Trojan horses
     Source: http://msdn.microsoft.com/en-us/library/ff648653.aspx
  4. Apache
  5. An overview
     ● Apache runs under a multitasking operating system.
     ● httpd on Unix and apache.exe on Windows
     ● Usually runs in the background
     ● Originally named from "A PAtCHy" in 1991
     ● Open source under the Apache License
  6. Structure
     Source: http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
  7. Core structure
     Source: http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
  8. Securing Apache
  9. Securing Apache
     ● mod_auth
       ● For authorizing content
       ● AuthUserFile file-path names the file where usernames and passwords are saved.
       ● Passwords can be set with the htpasswd command.
     ● mod_access
       ● Limits access
       ● Can be a whole set of IPs or narrowed down to ports
       ● Deny / Allow / Order
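The Order/Deny/Allow combination on the slide above is the part of mod_access that is most often misconfigured, because the Order value decides both which list wins on a conflict and what happens to a client that matches neither list. The following is an added example, not code from the deck: a small Python evaluator for the Apache 2.2 semantics (Deny,Allow: allow overrides, unmatched clients are allowed; Allow,Deny: deny overrides, unmatched clients are denied; Mutual-failure: only clients on the allow list and not on the deny list get through). It parses only `all`, single IPs and CIDR forms; hostname and partial-IP forms are left out. The sample directive blocks are constructed for the example. Note that Apache 2.4 replaced these directives with `Require`, so this models the 2.2-era configuration the deck describes.

```python
import ipaddress

# Constructed sample blocks (not from any real server). INTRANET is the
# usual "deny everyone, then allow my networks" pattern; MISTAKE is the
# same two lists under the other Order, which locks everyone out.
INTRANET = """Order Deny,Allow
Deny from all
Allow from 10.0.0.0/8 192.168.1.10
"""
MISTAKE = """Order Allow,Deny
Deny from all
Allow from 10.0.0.0/8
"""
MUTUAL = """Order Mutual-failure
Allow from 10.0.0.0/8
Deny from 10.0.5.0/24
"""


def _matcher(token):
    """Turn one 'Allow from'/'Deny from' token into a predicate on an IP."""
    if token.lower() == "all":
        return lambda ip: True
    net = ipaddress.ip_network(token, strict=False)
    return lambda ip: ip in net


def parse_access_block(config_text):
    """Extract Order, Allow and Deny lists from a <Directory>-style block.

    Returns (order, allow_matchers, deny_matchers). Apache's default when
    no Order directive is present is Deny,Allow.
    """
    order = "deny,allow"
    allow, deny = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif directive in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            target = allow if directive == "allow" else deny
            target.extend(_matcher(tok) for tok in parts[2:])
    return order, allow, deny


def is_allowed(config_text, client_ip):
    """Decide whether client_ip passes the block, following mod_access rules."""
    order, allow, deny = parse_access_block(config_text)
    ip = ipaddress.ip_address(client_ip)
    matched_allow = any(m(ip) for m in allow)
    matched_deny = any(m(ip) for m in deny)
    if order == "deny,allow":
        # Deny list first, then Allow; a matching Allow overrides;
        # a client that matches neither list is allowed.
        if matched_allow:
            return True
        return not matched_deny
    if order == "allow,deny":
        # Allow list first, then Deny; a matching Deny overrides;
        # a client that matches neither list is denied.
        if matched_deny:
            return False
        return matched_allow
    if order == "mutual-failure":
        return matched_allow and not matched_deny
    raise ValueError(f"unknown Order value: {order}")


if __name__ == "__main__":
    for label, block in (("INTRANET", INTRANET), ("MISTAKE", MISTAKE), ("MUTUAL", MUTUAL)):
        for client in ("10.0.1.1", "10.0.5.1", "192.168.1.10", "8.8.8.8"):
            print(f"{label:9} {client:14} -> {'allow' if is_allowed(block, client) else 'deny'}")
```

Running the block prints the decision matrix; the point to take away is that `Deny from all` under `Order Allow,Deny` denies everything regardless of the Allow line, while the same lists under `Order Deny,Allow` give the intended intranet-only result.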
  10. Hardening
      Remove default Apache files:
        ~> sudo rm -fr /opt/apache2/htdocs/*
        ~> sudo rm -fr /opt/apache2/cgi-bin/*
        ~> sudo rm -fr /opt/apache2/icons
      Hide the Apache version number:
        ServerSignature Off
        ServerTokens Prod
      Chroot
  11. Hardening From Source
      Modules to consider disabling when building from source:
      ● userdir – Mapping of requests to user-specific directories, i.e. a username in the URL gets translated to a directory on the server
      ● autoindex – Displays a directory listing when no index.html file is present
      ● status – Displays server stats
      ● env – Clearing/setting of ENV vars
      ● setenvif – Placing ENV vars on headers
      ● cgi – CGI scripts
      ● actions – Action triggering on requests
      ● negotiation – Content negotiation
      ● alias – Mapping of requests to different filesystem parts
      ● include – Server Side Includes
      ● filter – Smart filtering of requests
      ● version – Handling version information in config files using IfVersion
      ● as-is – as-is file types
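Slides 10 and 11 give two things to verify on a running server: the two banner directives and the list of modules that should not be present unless needed. As an added example (not from the deck), here is a Python audit that reads an httpd.conf, reports `ServerSignature`/`ServerTokens` values that differ from the slide's recommendation (taking Apache's defaults of Off and Full into account when a directive is absent), and flags any `LoadModule` line for a module on the slide 11 list so the operator can confirm it is really required. The sample configurations are constructed for the example; the module set comes from slide 11 (`as-is` is spelled `asis` in `LoadModule` names).

```python
import re

# Directive values recommended on slide 10, and Apache's built-in defaults
# when the directive is absent (ServerSignature defaults to Off,
# ServerTokens to Full).
WANTED = {"ServerSignature": "Off", "ServerTokens": "Prod"}
DEFAULTS = {"ServerSignature": "Off", "ServerTokens": "Full"}

# Modules slide 11 lists as candidates for leaving out of the build.
# A LoadModule line for one of these is reported for review, not
# treated as an error by itself.
REVIEW_MODULES = {
    "userdir", "autoindex", "status", "env", "setenvif", "cgi", "actions",
    "negotiation", "alias", "include", "filter", "version", "asis",
}

# Constructed sample configs, not copied from any real server.
SAMPLE_DEFAULT = """# constructed example of an un-hardened httpd.conf
ServerTokens Full
ServerSignature On
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule status_module modules/mod_status.so
LoadModule dir_module modules/mod_dir.so
"""
SAMPLE_HARDENED = """ServerTokens Prod
ServerSignature Off
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dir_module modules/mod_dir.so
"""


def audit_httpd_conf(text):
    """Return a list of human-readable findings for one httpd.conf text."""
    seen = {}       # directive name (canonical case) -> value as written
    loaded = set()  # short module names from LoadModule lines
    canonical = {name.lower(): name for name in WANTED}
    for raw in text.splitlines():
        line = raw.strip()
        # Apache comments occupy a whole line; there are no trailing comments.
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key in canonical and len(parts) > 1:
            seen[canonical[key]] = parts[1]
        elif key == "loadmodule" and len(parts) > 1:
            m = re.fullmatch(r"(\w+)_module", parts[1])
            if m:
                loaded.add(m.group(1).lower())

    findings = []
    for directive, wanted in WANTED.items():
        if directive in seen:
            actual = seen[directive]
            origin = f"is '{actual}'"
        else:
            actual = DEFAULTS[directive]
            origin = f"is not set (Apache default is {actual})"
        if actual.lower() != wanted.lower():
            findings.append(f"{directive} {origin}: set '{directive} {wanted}'")
    for mod in sorted(loaded & REVIEW_MODULES):
        findings.append(
            f"LoadModule {mod}_module: mod_{mod} is on the slide 11 list; confirm it is needed")
    return findings


if __name__ == "__main__":
    for label, conf in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(f"--- {label}")
        for finding in audit_httpd_conf(conf) or ["no findings"]:
            print(" ", finding)
```

Point the script at the real configuration by reading the file into `audit_httpd_conf`; an empty list means the two banner directives match the slide and none of the listed modules is loaded.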
  12. IIS
  13. What is IIS?
      ♦ IIS (Internet Information Server) is a group of Internet servers (including a Web or Hypertext Transfer Protocol server and a File Transfer Protocol server) with additional capabilities for Microsoft's Windows NT and Windows 2000 Server operating systems.
      ♦ IIS is Microsoft's entry to compete in the Internet server market that is also addressed by Apache, Sun Microsystems, O'Reilly, and others.
      ♦ With IIS, Microsoft includes a set of programs for building and administering Web sites, a search engine, and support for writing Web-based applications that access databases.
      ♦ Microsoft points out that IIS is tightly integrated with the Windows NT and 2000 Servers in a number of ways, resulting in faster Web page serving.
  14. Topology
      Source: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24016818.html
  15. Features
      ◙ HTTP modules
      ◙ Security modules
      ◙ Content modules
      ◙ Compression modules
      ◙ Caching modules
      ◙ Logging and Diagnostics modules
  16. Vulnerabilities
      Microsoft has been criticized for IIS's susceptibility to computer virus attacks such as Code Red and Nimda.
      According to Secunia, as of June 2011, IIS 7 had a total of 6 resolved vulnerabilities while IIS 6 had a total of 11 vulnerabilities, of which 1 was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.
  17. Securing IIS
  18. Hardening Domains
  19. General
      • Do not connect an IIS server to the Internet until it is fully hardened.
      • Place the server in a physically secure location.
      • Do not install the IIS server on a domain controller.
      • Do not install a printer.
      • Use two network interfaces in the server: one for admin and one for the network.
      • Install service packs, patches and hot fixes.
      • Run IISLockdown on the server.
      • Install and configure URLScan.
      • Secure remote administration of the server and configure it for encryption, low session time-outs and account lockouts.
      • Disable unnecessary Windows services.
      • Ensure services are running with least-privileged accounts.
  20. General (contd.)
      • Disable FTP, SMTP and NNTP services if they are not required.
      • Disable the Telnet service.
      • Disable the ASP.NET state service if not used by your applications.
      • Disable WebDAV if not used by the application, or secure it if it is required.
      • Do not install Data Access Components unless specifically needed.
      • Do not install the HTML version of the Internet Services Manager.
      • Do not install the MS Index Server unless required.
      • Do not install the MS FrontPage Server Extensions unless required.
      • Harden the TCP/IP stack.
      • Disable NetBIOS and SMB (closing ports 137, 138, 139 and 445).
      • Reconfigure Recycle Bin and page file system data policies.
      • Secure CMOS settings.
      • Secure physical media (floppy drive, CD-ROM drive and so on).
  21. Accounts
      • Remove unused accounts from the server.
      • Disable the Windows Guest account.
      • Rename the Administrator account and set a strong password.
      • Disable the IUSR_MACHINE account if it is not used by the application.
      • Create a custom least-privileged anonymous account if applications require anonymous access.
      • Do not give the anonymous account write access to Web content directories or allow it to execute command-line tools.
      • If you host multiple Web applications, configure a separate anonymous user account for each one.
  22. Accounts (contd.)
      • Configure the ASP.NET process account for least privilege. (This only applies if you are not using the default ASP.NET account, which is a least-privileged account.)
      • Enforce strong account and password policies for the server.
      • Restrict remote logons. (The "Access this computer from the network" user right is removed from the Everyone group.)
      • Do not share accounts among administrators.
      • Disable null sessions (anonymous logons).
      • Require approval for account delegation.
      • Do not allow users and administrators to share accounts.
      • Do not create more than two accounts in the Administrators group.
      • Require administrators to log on locally or secure the remote administration solution.
  23. Files and Directories
      • Use multiple disks or partition volumes and do not install the Web server home directory on the same volume as the operating system folders.
      • Contain files and directories on NTFS volumes.
      • Put Web site content on a non-system NTFS volume.
      • Create a new site and disable the default site.
      • Put log files on a non-system NTFS volume, but not on the same volume where the Web site content resides.
      • Restrict the Everyone group (no access to \WINNT\system32 or Web directories).
      • Ensure the Web site root directory has a deny-write ACE for anonymous Internet accounts.
      • Ensure content directories have a deny-write ACE for anonymous Internet accounts.
  24. Files and Directories (contd.)
      • Remove the remote IIS administration application (\WINNT\System32\Inetsrv\IISAdmin).
      • Remove resource kit tools, utilities and SDKs.
      • Remove sample applications (\WINNT\Help\IISHelp, \Inetpub\IISSamples).
      • Remove the IP address in the header for Content-Location.
      Shares
      • Remove all unnecessary shares (including default administration shares).
      • Restrict access to required shares (the Everyone group does not have access).
      • Remove administrative shares (C$ and Admin$) if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).
  25. Ports
      • Restrict Internet-facing interfaces to port 80 (and 443 if SSL is used).
      • Encrypt intranet traffic (for example, with SSL), or restrict Internet traffic if you do not have a secure data center infrastructure.
      Registry
      • Restrict remote registry access.
      • Secure the SAM (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash). This applies only to standalone servers.
  26. Auditing and Logging
      • Audit failed logon attempts.
      • Relocate and secure IIS log files.
      • Configure log files with an appropriate file size depending on the application security requirement.
      • Regularly archive and analyze log files.
      • Audit access to the Metabase.bin file.
      • Configure IIS for W3C Extended log file format auditing.
      • Read "How to use SQL Server to analyze Web logs" at support.microsoft.com
  27. Sites and Virtual Directories
      • Put Web sites on a non-system partition.
      • Disable the "Parent paths" setting.
      • Remove potentially dangerous virtual directories including IISSamples, IISAdmin, IISHelp and Scripts.
      • Remove or secure the MSADC virtual directory (RDS).
      • Do not grant included directories Read Web permission.
      • Restrict Write and Execute Web permissions for anonymous accounts in virtual directories.
      • Ensure there is script source access only on folders that support content authoring.
      • Ensure there is write access only on folders that support content authoring, and that these folders are configured for authentication (and SSL encryption, if required).
      • Remove FrontPage Server Extensions (FPSE) if not used. If FPSE are used, update and restrict access to them.
      • Remove the IIS Internet Printing virtual directory.
  28. Script Mapping
      • Map extensions not used by the application to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer).
      • Map unnecessary ASP.NET file type extensions to "HttpForbiddenHandler" in Machine.config.
      ISAPI Filters
      • Remove unnecessary or unused ISAPI filters from the server.
      IIS Metabase
      • Restrict access to the metabase by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin).
      • Restrict IIS banner information (disable the IP address in Content-Location).
  29. Server Certificates
      • Ensure certificate date ranges are valid.
      • Only use certificates for their intended purpose (for example, the server certificate is not used for e-mail).
      • Ensure the certificate's public key is valid, all the way to a trusted root authority.
      • Confirm that the certificate has not been revoked.
      Machine.config
      • Map protected resources to HttpForbiddenHandler.
      • Remove unused HttpModules.
      • Disable tracing:
        <trace enabled="false"/>
      • Turn off debug compiles:
        <compilation debug="false" explicit="true" defaultLanguage="vb">
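The Machine.config items on this slide and the HttpForbiddenHandler mapping on slide 28 are all checkable from the XML itself. The following is an added example, not code from the deck: a Python audit that parses an ASP.NET configuration file with the standard library's ElementTree and reports tracing left on, debug compilation left on, and any extension from a caller-supplied "not used by this application" list that is not mapped to `System.Web.HttpForbiddenHandler` in `<httpHandlers>`. The extension list and both sample configurations are constructed for the example (the real list depends on what the hosted application actually serves).

```python
import xml.etree.ElementTree as ET

FORBIDDEN_HANDLER = "System.Web.HttpForbiddenHandler"

# Constructed example: extensions we assume the hypothetical application
# never serves, taken from the slide 28 list. Replace with the real set.
EXAMPLE_UNUSED_EXTENSIONS = ("*.idq", "*.ida", "*.htr")

# Constructed sample configs, not copied from any real server.
SAMPLE_WEAK = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <trace enabled="true" localOnly="false"/>
    <compilation debug="true" explicit="true" defaultLanguage="vb"/>
    <httpHandlers>
      <add verb="*" path="*.idq" type="System.Web.HttpForbiddenHandler"/>
    </httpHandlers>
  </system.web>
</configuration>
"""
SAMPLE_HARDENED = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <trace enabled="false"/>
    <compilation debug="false" explicit="true" defaultLanguage="vb"/>
    <httpHandlers>
      <add verb="*" path="*.idq" type="System.Web.HttpForbiddenHandler"/>
      <add verb="*" path="*.ida" type="System.Web.HttpForbiddenHandler, System.Web"/>
      <add verb="*" path="*.htr" type="System.Web.HttpForbiddenHandler"/>
    </httpHandlers>
  </system.web>
</configuration>
"""


def _is_true(value):
    return (value or "false").strip().lower() == "true"


def audit_aspnet_config(xml_text, unused_extensions=EXAMPLE_UNUSED_EXTENSIONS):
    """Return a list of findings for a Machine.config / web.config text."""
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    if web is None:
        return ["no <system.web> section found"]
    findings = []

    # Slide 29: tracing and debug compilation must be off. Both attributes
    # default to false in ASP.NET when absent, so only an explicit true is flagged.
    trace = web.find("trace")
    if trace is not None and _is_true(trace.get("enabled")):
        findings.append('tracing is enabled: set <trace enabled="false"/>')
    compilation = web.find("compilation")
    if compilation is not None and _is_true(compilation.get("debug")):
        findings.append('debug compilation is on: set <compilation debug="false" .../>')

    # Slide 28: every extension the application does not use should be
    # mapped to HttpForbiddenHandler. The type attribute may carry an
    # assembly suffix ("..., System.Web, Version=..."), so compare the
    # part before the first comma.
    forbidden_paths = set()
    handlers = web.find("httpHandlers")
    if handlers is not None:
        for add in handlers.findall("add"):
            type_name = add.get("type", "").split(",")[0].strip()
            if type_name == FORBIDDEN_HANDLER:
                forbidden_paths.add(add.get("path", "").strip().lower())
    for ext in unused_extensions:
        if ext.lower() not in forbidden_paths:
            findings.append(f"{ext} is not mapped to {FORBIDDEN_HANDLER}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"--- {label}")
        for finding in audit_aspnet_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against the real Machine.config (or an application's web.config) by reading the file and passing the application's own unused-extension list; note that a web.config can override Machine.config, so both files need the check.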
  30. References
      localhost/manual
      http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
      http://www.cooperation-iws.org/wiki/index.php/Web_server_architecture
      http://security.stackexchange.com/questions/77/apache-server-hardening
      http://www.linuxquestions.org/questions/linux-software-2/how-apache-works-with-php-mysql-whatever-85685/
      http://docstore.mik.ua/orelly/linux/apache/ch01_01.htm
      http://www.devshed.com/c/a/Apache/Apache-and-the-Internet/1/
      http://www.symantec.com/connect/articles/securing-apache-step-step
      http://www.devdaily.com/unix/edu/UnixSysAdmin/node169.shtml
      http://www.opensourcevarsity.com/phpbasics/l4bindingphptoapache
      http://searchsecurity.techtarget.com/feature/Windows-IIS-server-hardening-checklist
      http://en.wikipedia.org/wiki/Internet_Information_Services
      http://searchwindowsserver.techtarget.com/definition/IIS
      http://www.microsoft.com/web/platform/server.aspx
      http://www.faqs.org/docs/apache-compile/php.html
      http://dan.drydog.com/apache2php.html
  31. “Security is not a product, but a process.” - Bruce Schneier
      THANK YOU