
Web Server

The following configuration guidelines are broad enough to cover the basic elements of any web server. Specific configuration templates for IIS, Apache, and Netscape, which can be used as a starting point for your organization, are available on the NSA web site (http://www.nsa.gov/snac/). Another good document is the NIST guideline SP 800-44, Guidelines on Securing Public Web Servers, at http://csrc.nist.gov/publications/nistpubs/800-44/sp800-44.pdf.

General Web Server Guidelines

  • Ensure that the version of the web service is current and all relevant security patches have been applied.
  • Consider placing static content on read-only media or using a software package that monitors web site content for changes to help guard against web site defacement.
  • Remove any default, sample, or test files and CGI scripts shipped with the server.
  • Ensure that web administration interfaces, logs, and administrative directories are removed or properly restricted.
  • Ensure that all server-side web applications validate user-supplied data properly.
  • If possible, run the web service in a chroot environment (Unix).
  • Do not run web services as a superuser (root) or Administrator; run them as a dedicated unprivileged user.
  • Ensure that SSL/TLS is properly used on all sites containing sensitive information (including user login pages).
  • Ensure that files with common development extensions (such as .bak or .inc) are not served; such files often expose source code, include paths, or credentials.
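Several of the points above can be verified from the outside by requesting what should not be there. The following Python probe is an added example and is not code from the original page: it asks for development variants of known pages (.bak, .old, and so on), for default content that should have been removed, and reads the Server banner for a version number. The http_fetch helper uses only the standard library; check_site takes the fetch function as a parameter so the same logic runs offline against the constructed FAKE_SITE. The suffix list, the sentinel path, and the paths /index.php, /manual/ and /cgi-bin/test-cgi are illustrative assumptions, not values from the page. A server that answers 200 for every path (a "soft 404") would make every probe look like a hit, so the check requests a sentinel path first and marks results inconclusive in that case.

```python
"""Black-box probe for the guidelines above: leaked development files,
default content still reachable, and a Server banner that discloses a version.

Added example, not code from the original page. `http_fetch` uses only the
standard library; `check_site` takes the fetch function as a parameter so the
same logic runs offline against the constructed FAKE_SITE below.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Suffixes editors and deploy scripts commonly leave beside a page (constructed list).
DEV_SUFFIXES = (".bak", ".old", ".orig", ".save", "~", ".swp")
# A path that should never exist; used to detect "soft 404" servers that answer 200 to anything.
SENTINEL = "/zz-this-path-should-not-exist-4f2c1"

Response = Tuple[int, Dict[str, str]]          # (HTTP status, lower-cased headers)
Fetcher = Callable[[str], Response]


def http_fetch(url: str) -> Response:
    """Real fetcher: GET the URL and return status plus headers (body is discarded)."""
    req = urllib.request.Request(url, headers={"User-Agent": "hardening-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:       # 4xx/5xx still carry a status and headers
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def candidate_paths(pages: List[str], default_content: List[str]) -> List[str]:
    """Development variants of each known page, plus default/sample paths that should be gone."""
    variants = [p + s for p in pages for s in DEV_SUFFIXES]
    return variants + list(default_content)


def check_site(base: str, pages: List[str], default_content: List[str],
               fetch: Fetcher = http_fetch) -> List[str]:
    """Return a list of findings; an empty list means nothing probed was served."""
    base = base.rstrip("/")
    findings: List[str] = []

    _, headers = fetch(base + "/")
    banner = headers.get("server", "")
    if re.search(r"\d", banner):                 # any digit in the banner means a version leaked
        findings.append(f"Server banner discloses version: {banner!r}")

    soft_404 = fetch(base + SENTINEL)[0] == 200
    if soft_404:
        findings.append("server answers 200 for a nonexistent path; file checks below are inconclusive")

    for path in candidate_paths(pages, default_content):
        status, _ = fetch(base + path)
        if status == 200:
            tag = "possibly " if soft_404 else ""
            findings.append(f"{tag}served: {path}")
    return findings


# ---- constructed offline responder standing in for a misconfigured server ----
FAKE_BASE = "http://www.example.com"
FAKE_SITE: Dict[str, Response] = {
    "/": (200, {"server": "Apache/2.4.41 (Unix)", "content-type": "text/html"}),
    "/index.php": (200, {"server": "Apache/2.4.41 (Unix)"}),
    "/index.php.bak": (200, {"server": "Apache/2.4.41 (Unix)", "content-type": "text/plain"}),
    "/manual/": (200, {"server": "Apache/2.4.41 (Unix)"}),
}


def fake_fetch(url: str) -> Response:
    """Look the path up in FAKE_SITE; anything else is a plain 404."""
    path = url[len(FAKE_BASE):]
    return FAKE_SITE.get(path, (404, {"server": "Apache/2.4.41 (Unix)"}))


if __name__ == "__main__":
    for finding in check_site(FAKE_BASE, ["/index.php"],
                              ["/manual/", "/cgi-bin/test-cgi"], fake_fetch):
        print(finding)
```

Against a real host, call check_site with http_fetch (the default) and the site's own page and default-content lists; run it only against servers you are authorized to test.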

Apache

  • Change the banner. In Apache 1.3 this means editing httpd.h and modifying the SERVER_BASEPRODUCT, SERVER_BASEVENDOR, and SERVER_BASEREVISION values (in Apache 2.x the equivalents are the AP_SERVER_BASE* values in include/ap_release.h); at a minimum set ServerTokens Prod and ServerSignature Off in the configuration, or use a filter to strip the information.
  • Ensure that, at a minimum, the ErrorLog and TransferLog (or CustomLog) directives have been set for every site. Also ensure that the LogLevel and LogFormat directives have been properly specified.
  • Remove any unnecessary modules.
  • Disable directory listing by removing Indexes from every Options line in the configuration file (or setting Options -Indexes explicitly).
  • Do not use .htaccess and .htpasswd files if possible (set AllowOverride None). Instead, specify authentication in the main configuration file and store password files outside the web root.
  • Remove any default site content files such as the Apache manual.
  • Disable any server-side scripting support, such as PHP, JSP, SSI, and CGI, that is not needed.
  • Ensure that each site's document root is on a separate, nonsystem volume.
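The Apache points above can be checked mechanically against httpd.conf. The following Python audit is an added example, not code from the page or from the Apache project: it parses the global scope and each <VirtualHost> block and reports banner settings, a root User/Group, modules on a list of nonessential ones, directory listing and CGI execution in Options, .htaccess being honored, and missing error or access logs. The parser handles only that subset of the syntax (other containers such as <Directory> are folded into the enclosing scope). The two sample configurations, the module list, and every path and hostname in them are constructed for illustration.

```python
"""Static audit of an Apache httpd.conf against the Apache points above.

Added example, not code from the original page. It understands only the
subset of httpd.conf syntax the checks need (top-level directives and
<VirtualHost> blocks) and ignores other containers. Both sample configs and
the list of "nonessential" modules are constructed for illustration.
"""
from typing import Dict, List, Tuple

Scope = Dict[str, List[str]]   # directive name (lower-cased) -> list of argument strings

# Modules a typical production site does not need (assumption; adjust to the site).
NONESSENTIAL_MODULES = {"status_module", "info_module", "userdir_module", "autoindex_module"}

WEAK_CONF = """\
ServerTokens Full
ServerSignature On
User root
Group root
LoadModule status_module modules/mod_status.so
LoadModule php_module modules/libphp.so
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
</VirtualHost>
"""

HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
User apache
Group apache
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /srv/www/example
    Options -Indexes -ExecCGI
    AllowOverride None
    ErrorLog /var/log/httpd/example-error.log
    CustomLog /var/log/httpd/example-access.log combined
    LogLevel warn
</VirtualHost>
"""


def parse(conf: str) -> Tuple[Scope, List[Scope]]:
    """Split the config into the global scope and one scope per <VirtualHost>."""
    global_scope: Scope = {}
    vhosts: List[Scope] = []
    current = global_scope
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            current = {}
            vhosts.append(current)
        elif low.startswith("</virtualhost"):
            current = global_scope
        elif line.startswith("<"):          # <Directory> etc.: contents stay in the enclosing scope
            continue
        else:
            parts = line.split(None, 1)
            name, args = parts[0], (parts[1] if len(parts) > 1 else "")
            current.setdefault(name.lower(), []).append(args.strip())
    return global_scope, vhosts


def last(scope: Scope, name: str, default: str) -> str:
    """Apache honors the last occurrence of a directive; fall back to the given default."""
    return scope[name][-1] if name in scope else default


def audit(conf: str) -> List[str]:
    """Return one finding per violated guideline; empty list means the config passes."""
    g, vhosts = parse(conf)
    findings: List[str] = []

    if last(g, "servertokens", "Full").lower() != "prod":     # Apache's default is Full
        findings.append("ServerTokens is not Prod: banner discloses version and modules")
    if last(g, "serversignature", "Off").lower() != "off":
        findings.append("ServerSignature is On: version appended to error pages")
    for d in ("user", "group"):
        if last(g, d, "").lower() == "root":
            findings.append(f"{d.capitalize()} is root: run the server as an unprivileged account")
    for args in g.get("loadmodule", []):
        mod = args.split()[0]
        if mod in NONESSENTIAL_MODULES:
            findings.append(f"LoadModule {mod}: remove if not needed")

    for vh in vhosts:
        name = last(vh, "servername", "(unnamed vhost)")
        for args in vh.get("options", []):
            toks = args.split()
            if "Indexes" in toks or "+Indexes" in toks:
                findings.append(f"{name}: Options Indexes enables directory listing")
            if "ExecCGI" in toks or "+ExecCGI" in toks:
                findings.append(f"{name}: Options ExecCGI enables CGI execution")
        if last(vh, "allowoverride", "").lower() != "none":
            findings.append(f"{name}: set AllowOverride None so .htaccess files are ignored")
        if "errorlog" not in vh and "errorlog" not in g:
            findings.append(f"{name}: no ErrorLog")
        if not any(k in vh or k in g for k in ("customlog", "transferlog")):
            findings.append(f"{name}: no CustomLog/TransferLog (no access log)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Run audit on the text of a real httpd.conf (after expanding Include directives yourself, which this parser does not follow) and treat every finding as a guideline above that still needs attention.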

Microsoft IIS

  1. Ensure that all the latest OS and IIS patches have been applied. Use hfnetchk or the Microsoft Baseline Security Analyzer (MBSA) to verify that the correct patch level has been reached.
  2. Ensure that all nonrequired IIS services such as SMTP and FTP are disabled.
  3. Run the IIS Lockdown Tool from Microsoft.
  4. Install and configure URLScan from Microsoft.
  5. Ensure that logging is enabled, using the W3C Extended Log File Format with the useful fields selected.
  6. Remove or disable the Default Web Site and the Administration Web Site through the Internet Services Manager MMC snap-in. Always start with a new, blank site, and never place the site's content on the system volume.
  7. Remove all default site and sample files from the hard drive.
  8. Disable or uninstall the Microsoft FrontPage Server Extensions.
  9. Remove any nonessential ISAPI extension (application) mappings. Typically, the .htr, .printer, .idq, .ida, and .idc mappings are not needed.
  10. Remove any nonessential virtual directories, and ensure that permissions have been correctly applied for required virtual directories.
  11. If authentication is required, disable unnecessary authentication methods (Basic authentication, for example, sends credentials in clear text unless the connection is protected by SSL/TLS). When possible, use Integrated Windows (NTLM) authentication or client certificates.
  12. Ensure that web sites are created on nonsystem volumes.