Step 2: Installing and configuring your Web server |
12 Apr 2006 | SearchWindowsSecurity.com

Rather than attempting to provide specific configuration settings and instructions, which differ for practically every version and platform of Web server available, I'll approach this from a layered security lockdown perspective, focusing on the common weaknesses I see when I perform security assessments. The following are the critical areas you need to address to ensure the utmost security of your Web server:
Web server software/hardware location
- Install your Web server on a partition (or drive) separate from the Windows OS.
- Ideally, place the server on the network in a semi-trusted area such as a DMZ or separate VLAN. This can help restrain (but not prevent) an attacker from reaching into your network further by breaking into the Web server.
Operating system
- Ensure Windows and your Web server software are fully patched.
- Remove any unneeded shares and make sure the default share and NTFS permissions are changed on your drives. This is especially true for Windows 2000 and earlier systems where everyone is granted full access by default.
- Disable null session connections to Windows if possible.
- Minimize the number of local Windows accounts as well as accounts that have administrative access to the machine.
- Disable all but the most essential services on the system. This includes Terminal Services, FTP, SMTP, Routing and Remote Access and more. You'll free up a lot of resources for the Web server application and, in Microsoft's words, reduce the attack surface of your Web server system making it less susceptible to security breaches.
- Seriously consider installing a host-based personal firewall -- ideally one with built-in intrusion prevention capabilities. This is especially important for publicly accessible Web servers. If that's not a good option for you, then consider an application layer firewall instead. The following figure shows various worm propagations, port scans and other potential hack attempts against a plain old Web server on the Internet. It's absolutely amazing what's happening on the average Web server that you wouldn't be aware of without such protection.
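The checklist above is easier to act on if you can see where a given host currently stands. The script below is an added example, not part of the original article, that audits each Operating system item in read-only fashion on a modern Windows host (PowerShell 5.1 or later on Windows 8/Server 2012 or newer, run elevated). The service short-name table is assembled here from the services the article names; it is an assumption about which services you consider non-essential, so adjust it to your own baseline.

```powershell
# Added example (not from the original article): read-only audit of the
# "Operating system" checklist on a Windows host. Run from an elevated
# PowerShell 5.1+ session on Windows 8/Server 2012 or newer. It only reports.

# Recent patches: a quick sanity check that updates are actually being applied.
Write-Host "== Five most recent hotfixes =="
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 |
    Format-Table HotFixID, Description, InstalledOn -AutoSize

# Shares, and any share ACL entry that grants access to Everyone.
Write-Host "== SMB shares =="
Get-SmbShare | Format-Table Name, Path, Description -AutoSize
Write-Host "== Share permissions granted to Everyone =="
Get-SmbShare | ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
    Where-Object { $_.AccountName -like '*Everyone' } |
    Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize

# Null-session restrictions live under the Lsa key. Hardened values:
# RestrictAnonymous 1 or 2, RestrictAnonymousSAM 1, EveryoneIncludesAnonymous 0.
Write-Host "== Anonymous (null session) restrictions =="
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
[pscustomobject]@{
    RestrictAnonymous         = $lsa.RestrictAnonymous
    RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM
    EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous
} | Format-List

# Local accounts, and who holds local administrative rights.
Write-Host "== Enabled local accounts =="
Get-LocalUser | Where-Object { $_.Enabled } | Format-Table Name, LastLogon -AutoSize
Write-Host "== Members of the local Administrators group =="
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, ObjectClass -AutoSize

# Services the article names as candidates for disabling. These are the Windows
# short names; the table is an assumption made for this example, not from the
# article, so extend it with whatever your own baseline calls non-essential.
$review = @{
    TermService  = 'Terminal Services / Remote Desktop'
    MSFTPSVC     = 'IIS 6 FTP service'
    FTPSVC       = 'IIS 7.5+ FTP service'
    SMTPSVC      = 'IIS SMTP service'
    RemoteAccess = 'Routing and Remote Access'
}
Write-Host "== Running services to review =="
Get-Service |
    Where-Object { $_.Status -eq 'Running' -and $review.ContainsKey($_.Name) } |
    ForEach-Object {
        [pscustomobject]@{
            Service   = $_.Name
            Purpose   = $review[$_.Name]
            StartType = $_.StartType
        }
    } | Format-Table -AutoSize

# Host firewall state per profile (the article's host-based firewall advice).
Write-Host "== Windows Firewall profiles =="
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction -AutoSize
```

Run it before and after a lockdown and diff the two outputs; anything still listed under "Running services to review", any share ACL naming Everyone, or a firewall profile showing Enabled as False is a finding to close before the server goes public.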

Web server software
- Run/enable IIS Lockdown for any pre-IIS version 6.0 servers you're operating (IIS 6.0 comes locked down out of the box).
- Enable any other buffer overflow, input filtering, connection throttling and intrusion protection measures (Mod_Security for Apache and the secure TCP/IP registry settings for Windows come to mind).
- Use any built-in security features for process isolation and other access controls (such as those built into IIS 6.0).
- Disable dynamic content modules like ASP and WebDAV if they're not needed.
- Use secure authentication methods when possible (such as Advanced Digest Authentication in IIS 6.0).
- Run other publicly available lockdown scripts for IIS where possible -- such as those found here.
- Set specific access controls on your server directories and only allow browsing and enumeration of the minimum files necessary to do the job.
- Remove default scripts, miscellaneous files and even Front Page Extensions if they're not needed.
- Be careful with any robots.txt files that may divulge sensitive areas of your server to an attacker.
- Change default headers to block, obscure or mimic Web server version information. This isn't foolproof, but it is another layer of security. Port80 Software has a neat tool for IIS called ServerMask.
- Run the Web server service using something other than IUSR_ or Local System, keeping in mind any minimum requirements and local service dependencies. The following figure shows where you can configure this for Apache.
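The IIS-side items in this list (directory browsing, unneeded modules such as WebDAV, the account the server runs as, version-bearing headers and robots.txt) can likewise be checked from PowerShell. The script below is an added example, not part of the original article, and assumes IIS 7.0 or later with the WebAdministration module available; the `$Url` parameter defaults to localhost and is an assumption you should point at your own site.

```powershell
# Added example (not from the original article): read-only audit of several
# "Web server software" items on an IIS 7.0+ host, plus what the server reveals
# to a remote client. Requires the WebAdministration module (IIS 7.0+).
param([string]$Url = 'http://localhost/')   # assumption: adjust to your site

Import-Module WebAdministration

# Application pool identities: LocalSystem is the one the article warns against.
Write-Host "== Application pool identities =="
Get-ChildItem IIS:\AppPools | ForEach-Object {
    [pscustomobject]@{
        Pool     = $_.Name
        Identity = $_.processModel.identityType
        User     = $_.processModel.userName
    }
} | Format-Table -AutoSize

# Directory browsing per site: should be off unless a folder genuinely needs it.
Write-Host "== Directory browsing =="
Get-ChildItem IIS:\Sites | ForEach-Object {
    $enabled = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($_.Name)" `
        -Filter 'system.webServer/directoryBrowse' -Name 'enabled').Value
    [pscustomobject]@{ Site = $_.Name; DirectoryBrowsing = $enabled }
} | Format-Table -AutoSize

# Optional modules the article says to disable when they are not needed.
Write-Host "== Installed global modules of interest =="
Get-WebGlobalModule |
    Where-Object { $_.Name -match 'WebDAV|IsapiModule|CgiModule' } |
    Format-Table Name, Image -AutoSize

# What a remote client sees: headers that carry version information.
Write-Host "== Version-bearing response headers from $Url =="
try {
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -Method Head
    foreach ($h in 'Server', 'X-Powered-By', 'X-AspNet-Version') {
        if ($resp.Headers.ContainsKey($h)) {
            Write-Host ("{0}: {1}" -f $h, ($resp.Headers[$h] -join ', '))
        }
    }
} catch {
    Write-Warning "Request to $Url failed: $($_.Exception.Message)"
}

# robots.txt: every Disallow line is a path you are advertising to anyone who asks.
Write-Host "== robots.txt Disallow entries =="
try {
    $robots = Invoke-WebRequest -Uri ($Url.TrimEnd('/') + '/robots.txt') -UseBasicParsing
    $robots.Content -split "`n" | ForEach-Object {
        if ($_ -match '^\s*Disallow:\s*(\S+)') { $Matches[1] }
    }
} catch {
    Write-Host 'No robots.txt served (or the request failed).'
}
```

A pool showing Identity LocalSystem, a site with DirectoryBrowsing True, a WebDAVModule entry on a server that does not publish via WebDAV, or a Server header that still names the exact IIS version are each one of the layers this section asks you to remove or change.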

For detailed steps on hardening IIS, check out Microsoft's Windows Server 2003 Security Guide and the AttackPrevention site for some good tips and tricks. For Apache, this Center for Internet Security benchmark tool and this Web site and book have good information as well. Contact your other niche vendors for specifics on locking down their Web servers.
Now, let's take a look at the final step in this process: testing the security of your Web server.
ABOUT THE AUTHOR:
Kevin Beaver, CISSP, is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Beaver has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, (Wiley) and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.
Copyright 2006 TechTarget