Web Security

When considering Web-based security for a network, knowledge of the entire Internet and the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol stack is a must. This tutorial looks at Web-based security and topics including server and browser security, exploits, Web technologies such as ActiveX, JavaScript, and CGI, and much more.

Web Server Lockdown

Web server(s) store all of the Hypertext Markup Language (HTML), Dynamic Hypertext Markup Language (DHTML), Application Service Provider (ASP), and eXtensible Markup Language (XML) documents, graphics, sounds, and other files that make up Web pages. In some cases, it may also contain other data that a business does not want to share over the Internet. For example, small businesses often have a single physical server that performs all server functions for the organization, including Web services. A dedicated Web server, however, can serve as a pathway into the internal network unless security is properly configured. Thus, it is vital that Web servers be secure.

NOTE The most popular types of Web server software include Apache (which can be run on Linux/Unix machines, Windows, and Apple computers), Microsoft's Internet Information Services (IIS) (which is built into Windows server products as well as the Windows XP and Vista operating systems [OSes]), Zeus Web Server, and Sun Java Web Server. According to Netcraft's Web Server Survey for December 2006 (www.news.netcraft.com/archives/web_server_survey.html), Apache ran on 60.32 percent of Web servers, IIS ran on 31.04 percent, Sun ran on 1.68 percent, and Zeus ran on 0.51 percent.

Locking down a Web server follows a path that begins in a way that should already be familiar: applying the latest patches and updates from the vendor. Once this task is accomplished, the network administrator should follow the vendor's recommendations for configuring Web services securely. The following sections discuss typical recommendations made by Web server vendors and security professionals, including:

  • Managing access control
  • Handling directory and data structures
  • Eliminating scripting vulnerabilities
  • Logging activity
  • Performing backups
  • Maintaining integrity
  • Finding rogue Web servers
  • Stopping browser exploits