Secure Web Servers Protecting Web Sites That Are Accessed By ...
ADVISING USERS ON INFORMATION TECHNOLOGY
SECURE WEB SERVERS: More Information section at the end of the ITL Bulletins are published by the Information
PROTECTING WEB SITES bulletin for references to other Technology Laboratory (ITL) of the National
publications that deal with the security of Institute of Standards and Technology (NIST).
THAT ARE ACCESSED BY Each bulletin presents an in-depth discussion
THE PUBLIC both Web servers and browsers, and with
the basic processes for planning, of a single topic of significant interest to the
implementing, and operating secure information systems community. Bulletins are
Shirley Radack, Editor issued on an as-needed basis and are
Computer Security Division systems.
available from ITL Publications, National
Information Technology Laboratory Institute of Standards and Technology, 100
National Institute of Standards and NIST Special Publication (SP) 800-
44, Version 2, Guidelines on Bureau Drive, Stop 8900, Gaithersburg, MD
Technology 20899-8900, telephone (301) 975-2832. To be
Securing Public Web Servers:
Recommendations of the National placed on a mailing list to receive future
Many organizations rely upon the World bulletins, send your name, organization, and
Wide Web (Web) to publish information, Institute of Standards and
Technology business address to this office. You will be
to exchange information with Internet placed on this mailing list only.
users, and to conduct electronic
transactions with their customers and their NIST SP 800-44, Version 2, Guidelines on
Securing Public Web Servers, details the Bulletins issued since December 2006:
suppliers. The Web’s system of interlinked Maintaining Effective Information Technology
text, images, videos, and other information steps that organizations should take to
(IT) Security Through Test, Training, and
makes vast amounts of information plan, install, and maintain secure Web Exercise Programs, December 2006
available to organizations and individuals. server software and their underlying Security Controls for Information Systems:
With the many advances in computer operating systems. The authors of NIST Revised Guidelines Issued by NIST, January
efficiency, programming techniques, and SP 800-44, Version 2, are Miles Tracy of 2007
entry points to network systems, however, Federal Reserve Information Technology, Intrusion Detection and Prevention Systems,
Wayne Jansen of NIST, Karen Scarfone of February 2007
public Web sites have become vulnerable Improving the Security of Electronic Mail:
to frequent security threats. NIST, and Theodore Winograd of Booz
Allen Hamilton. Updated Guidelines Issued by NIST, March
The safe operation of public Web sites Securing Wireless Networks, April 2007
depends upon the safe and secure Issues covered in the guide include how to Securing Radio Frequency Identification
operation of two principal components of secure, install, and configure the operating (RFID) Systems, May 2007
the networking infrastructure: the system that supports the Web server; how Forensic Techniques for Cell Phones, June
organization’s Web servers, the software to secure, install, and configure Web 2007
applications that make information server software; how to deploy appropriate Border Gateway Protocol Security, July 2007
network protection mechanisms, such as Secure Web Services, August 2007
available over the Internet; and Web The Common Vulnerability Scoring System,
browsers, the programs that enable users firewalls, routers, switches, and intrusion
detection and intrusion prevention October 2007
to access and display the information from Using Storage Encryption Technologies to
the Web servers. systems; the steps for maintaining the
Protect End User Devices, November 2007
secure configuration of the operating Securing External Computers and Other
Guidelines developed by the Information system and server software through the Devices Used by Teleworkers, December
Technology Laboratory of the National application of appropriate patches and 2007
Institute of Standards and Technology upgrades; the requirements for security
(NIST) help organizations manage the testing; the methods for monitoring logs,
secure operation of both their Web servers and for managing backups of data and
and their Web browsers. This bulletin operating system files; and how to use,
summarizes a recently updated NIST publicize, and protect information and data
Special Publication (SP) 800-44, on Web servers in a careful and systematic
Guidelines on Securing Public Web manner.
Servers, which focuses on the design,
implementation, and operation of publicly The appendices to the guide provide useful
accessible and secure Web servers. See the supplemental information: a list of online
Web security resources, definitions of the
2 January 2008
terms used in the guide, and a list of from making use of the Web server’s site. The information that is collected in
commonly used Web server security tools services. phishing and pharming attacks can be used
and applications. Other practical resources ▫ The compromise of sensitive to access the user’s Web site or to carry
in the appendices are a list of in-print and information on backend databases that out an identity theft scheme.
online references, an extensive checklist of are used to support interactive elements
actions needed for Web server security, of a Web application. The attacker injects NIST’S Recommendations for
and an acronym list. commands that are run on the server. Installing, Configuring, and
Using Structured Query Language (SQL) Maintaining Secure Public Web
NIST SP 800-44, Version 2, is available and Lightweight Directory Access Servers
on the NIST Web site: Protocol (LDAP), the attacker submits
http://csrc.nist.gov/publications/PubsSPs.h input that will be passed to a database and To address the many sophisticated security
tml. then processed. In cross-site scripting threats, NIST recommends that
(XSS) attacks, the intruder manipulates the organizations adopt the following practices
Who We Are application to store scripting language to maintain a secure Web presence:
The Information Technology Laboratory (ITL) commands that are activated when another
is a major research component of the National
user accesses the Web page. ▪ Carefully plan and address the
Institute of Standards and Technology (NIST)
of the Technology Administration, U.S. security aspects for the deployment of a
Department of Commerce. We develop tests ▫ The interception of sensitive public Web server.
and measurement methods, reference data, information that is transmitted
proof-of-concept implementations, and unencrypted between the Web server Security issues should be considered when
technical analyses that help to advance the and the browser. an organization begins to plan for the
development and use of new information deployment of a public Web server since it
technology. We seek to overcome barriers to * The modification of the is much more difficult to address security
the efficient use of information technology, and information on the Web server for once deployment and implementation have
to make systems more interoperable, easily
malicious purposes, such as the taken place. Sound decisions about the
usable, scalable, and secure than they are
today. Our website is http://www.itl.nist.gov. defacement of Web sites. appropriate configuration of systems are
more likely to be made when organizations
▫ Malicious entities that gain develop and use a detailed, well-designed
The Need for Security unauthorized access to resources deployment plan. The deployment plan
elsewhere in the organization’s network will also support the organization’s Web
The World Wide Web is a widely used via a successful attack on the Web server administrators when they have to
system for exchanging information over server. make the necessary trade-off decisions
the Internet. Both Web servers and Web regarding usability, performance, and risk.
browsers can be vulnerable to attacks that ▫ Malicious entities that attack
destroy or change information, and disrupt external entities after compromising a Human resource requirements are essential
operations. Web servers are frequently Web server host. These attacks can be components of planning, deployment, and
targeted for attack and are subject to many launched directly, from the compromised operational phases of the Web server and
security threats, such as: host against an external server, or its supporting infrastructure. Human
indirectly, through the placement of resource issues that need to be addressed
▫ Malicious attacks that exploit malicious content on the compromised in a deployment plan include:
software bugs in the Web server, the Web server in order to exploit
underlying operating system, or the vulnerabilities in the Web browsers of the ▫ Types of personnel required:
active content of information. These users visiting the site. system and Web server administrators,
attacks allow the intruder to gain Webmasters, network administrators,
unauthorized access to the Web server and ▫ Use of the Web server as a information systems security officers
to information that was not meant to be distribution point for attack tools, (ISSOs);
publicly accessible. Then, sensitive pornography, or illegally copied ▫ Skills and training required by
information on the Web server may be software. assigned personnel; and
read or modified. These attacks can also ▫ Required levels of effort for
result in giving the intruder unauthorized ▫ Attackers that use indirect individuals and the overall level of effort
capabilities to execute commands and to methods to extract personal information required for the staff as a whole.
install software on the Web server. from users. Phishing attacks trick the user
into logging into a fake site and giving ▪ Implement appropriate security
▫ Denial of service (DoS) personal information, which is then stolen. management practices and controls
attacks that are directed to the Web In another type of indirect attack known as when maintaining and operating a
server or its supporting network pharming, Domain Name System (DNS) secure Web server.
infrastructure. These attacks can result in servers or users’ host files are
denying or hindering authorized users compromised to redirect users to a Organizations should identify their
malicious site instead of to the legitimate information system assets and the
3 January 2008
development, documentation, and ▫ Configure operating system ▫ An organization’s detailed
implementation of policies, standards, user authentication. physical and information security
procedures, and guidelines that help to ▫ Configure resource controls. safeguards;
ensure the confidentiality, integrity, and ▫ Install and configure additional ▫ Details about an organization’s
availability of information system security controls. network and information system
resources. The following security ▫ Perform security testing of the infrastructure, such as address ranges,
management practices will help to operating system. naming conventions, and access numbers;
strengthen the security of the Web server ▫ Information that specifies or
and the supporting network infrastructure: ▪ Ensure that the Web server implies physical security vulnerabilities;
application is deployed, configured, and ▫ Detailed plans, maps, diagrams,
▫ Develop an organization-wide managed to meet the security aerial photographs, and architectural
information system security policy. requirements of the organization. drawings of organizational buildings,
▫ Use configuration/change properties, or installations; and
control and management practices. The steps for the secure installation and ▫ Any sensitive information
▫ Conduct risk assessment and configuration of the Web server about individuals, such as personally
management processes. application parallel the steps for securing identifiable information (PII), that might
▫ Adopt standardized software the operating system. Administrators be subject to federal, state or, in some
configurations that satisfy the information should install the minimal amount of Web instances, international privacy laws.
system security policy. server services required and eliminate any
▫ Conduct security awareness known vulnerabilities through patches or ▪ Take appropriate steps to protect
and training activities. upgrades. Any unnecessary applications, Web content from unauthorized access
▫ Adopt contingency planning, services, or scripts resulting from the or modification.
continuity of operations, and disaster server installation program should be
recovery planning procedures. removed immediately after the conclusion After organizations carefully review the
▫ Apply certification and of the installation process. Steps for information that is made available to the
accreditation methods. securing the Web server application public on their Web sites, the
include: organizations should ensure that the
▪ Ensure that Web server operating ▫ Patch and upgrade the Web information cannot be modified without
systems are deployed, configured, and server application. proper authorization. Users rely on the
managed to meet the security ▫ Remove or disable unnecessary integrity of the publicly available
requirements of the organization. services, applications, and sample content. information. Because of the public
▫ Configure Web server user accessibility of Web content, the
The security of a Web server depends authentication and access controls. information is vulnerable to modification.
upon the security of its underlying ▫ Configure Web server resource Organizations should protect public Web
operating system. Most commonly controls. content through practices for the
available Web servers operate on a ▫ Test the security of the Web appropriate configuration of Web server
general-purpose operating system, which server application and Web content. resource controls, such as:
should be configured appropriately to
circumvent security problems. Default Organizations should develop a Web ▫ Install or enable only necessary
hardware and software configurations are publishing process or policy that services.
typically set by manufacturers to determines what type of information will ▫ Install Web content on a
emphasize features, functions, and ease of be published openly, what information will dedicated hard drive or logical partition.
use, and may not focus on security issues. be published with restricted access, and ▫ Limit uploads to directories
Because every organization’s security what information should not be published that are not readable by the Web server.
needs are different, Web server to any publicly accessible repository. ▫ Define a single directory for all
administrators should configure new Some generally accepted examples of external scripts or programs executed as
servers to reflect their organization’s what should not be published or that at part of Web content.
security requirements and then reconfigure least should be carefully examined and ▫ Disable the use of hard or
the servers as those requirements change. reviewed before publication on a public symbolic links.
Security configuration guides or checklists Web site include: ▫ Define a complete Web content
can assist administrators in securing access matrix that identifies which folders
systems consistently and efficiently. Steps ▫ Classified or proprietary and files within the Web server document
for securing the operating system include: information; directory are restricted, which are
▫ Information on the composition accessible, and to whom.
▫ Patch and upgrade the or preparation of hazardous materials or ▫ Disable directory listings.
operating system. toxins; ▫ Use user authentication, digital
▫ Remove or disable unnecessary ▫ Sensitive information relating signatures, and other cryptographic
services and applications. to homeland security; mechanisms as appropriate.
▫ Medical records;
4 January 2008
▫ Use host-based intrusion public Web server would be within reach ▫ Test and apply patches in a
detection systems (IDSs), intrusion of anyone with access to the server. Also, timely manner.
prevention systems (IPSs), and/or file a process to authenticate the server to the ▫ Test server security
integrity checkers to detect intrusions and user helps users of the public Web server periodically.
to verify Web content. to determine whether the server is the
▫ Protect the backend server from “authentic” Web server or a counterfeit More Information
command injection attacks directed to both version operated by a malicious entity.
the Web server and the backend server. Federal agencies will find information
Despite the employment of an encrypted about protecting sensitive information in
▪ Use active content judiciously after channel and an authentication mechanism, the following directives:
balancing the benefits gained against attackers may still attempt to access the
the associated risks. Web site via a brute force attack. Improper White House Memorandum dated March
authentication techniques can allow 19, 2002, Action to Safeguard Information
Early Web sites usually presented static attackers to gather valid usernames or Regarding Weapons of Mass Destruction
information such as text-based documents potentially gain access to the Web site. and Other Sensitive Documents Related to
that were on the Web server. Today, Strong authentication mechanisms can also Homeland Security
interactive elements are available, making protect against phishing and pharming (http://www.usdoj.gov/oip/foiapost/2002fo
possible new ways for users to interact attacks. Therefore, an appropriate level of iapost10.htm).
with a Web site. These interactive authentication should be implemented
elements have introduced new Web- based on the sensitivity of the Web OMB Memorandum M-06-16, dated June
related vulnerabilities because they server’s users and content. 23, 2006, Protection of Sensitive Agency
involve dynamically executing code on Information; and OMB Memorandum M-
either the Web server or the client using a ▪ Employ the network infrastructure to 07-16, dated May 22, 2007, Safeguarding
large number of inputs, from Universal help protect public Web servers. Against and Responding to the Breach of
Resource Locator (URL) parameters to Personally Identifiable Information, at
Hypertext Transfer Protocol (HTTP) The network infrastructure, which includes http://www.whitehouse.gov/omb/memoran
POST content and, more recently, firewalls, routers, and IDSs, supports the da/.
Extensible Markup Language (XML) Web server and plays a critical role in the
content in the form of Web service security of the Web server. In most NIST publications assist organizations in
messages. Different active content configurations, the network infrastructure planning and implementing a
technologies have different vulnerabilities will be the first line of defense between a comprehensive approach to information
associated with them, and their risks public Web server and the Internet. security. NIST publications that support
should be weighed against their benefits. Network design alone, however, cannot the secure installation, configuration, and
Although most Web sites use some form protect a Web server. Web server attacks maintenance of Web servers and browsers
of active content generators, many also are frequent, sophisticated, and varied. include:
deliver some or all of their content in a Web server security must be implemented
non-active form. through layered and diverse protection NIST SP 800-18 Revision 1, Guide for
mechanisms that provide defense-in-depth. Developing Security Plans for Federal
▪ Use appropriate authentication and Information Systems.
cryptographic technologies to protect ▪ Commit to an ongoing process for
certain types of sensitive data. maintaining the security of public Web NIST SP 800-28, Guidelines on Active
servers to ensure continued security. Content and Mobile Active Code.
Public Web servers often support a range
of technologies for identifying and Organizations should apply constant NIST SP 800-40, Version 2.0, Creating a
authenticating users with different effort, resources, and vigilance to maintain Patch and Vulnerability Management
privileges for accessing information. Some secure Web servers. The following steps Program.
of these technologies are based on should be performed on a daily basis to
cryptographic functions that can provide maintain the security of Web servers: NIST SP 800-41, Guidelines on Firewalls
an encrypted channel between a Web and Firewall Policy.
browser client and a Web server. Web * Configure, protect, and analyze
servers may be configured to use different log files. NIST SP 800-42, Guideline on Network
cryptographic algorithms, providing ▫ Back up critical information Security Testing.
varying levels of security and frequently.
performance. ▫ Maintain a protected NIST SP 800-45, Version 2, Guidelines on
authoritative copy of the organization’s Electronic Mail Security.
Without proper user authentication Web content.
processes, organizations cannot selectively ▫ Establish and follow NIST SP 800-46, Security for
restrict access to specific information. All procedures for recovering from Telecommuting and Broadband
of the information that is available on a compromise. Communications.
5 January 2008
NIST SP 800-92, Guide to Computer For information about NIST standards and ITL Bulletins via E-Mail
Security Log Management. guidelines that are referenced in the Web We now offer the option of delivering your ITL
server security guide, as well as other Bulletins in ASCII format directly to your e-mail
NIST SP 800-94, Guide to Intrusion security-related publications, see NIST’s address. To subscribe to this service, send an e-
Detection and Prevention Systems (IDPS). Web page at mail message from your business e-mail
http://csrc.nist.gov/publications/index.html account to firstname.lastname@example.org with the message
NIST SP 800-95, Guide to Secure Web subscribe itl-bulletin, and your name, e.g.,
Services. Disclaimer: Any mention of commercial products or John Doe. For instructions on using listproc,
reference to commercial organizations is for send a message to email@example.com with the
information only; it does not imply recommendation message HELP. To have the bulletin sent to an
or endorsement by NIST nor does it imply that the e-mail address other than the FROM address,
products mentioned are necessarily the best available contact the ITL editor at
for the purpose.
301-975-2832 or firstname.lastname@example.org.