SECURITY OF PUBLIC WEB SERVERS
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Many organizations in industry, government, and
academia use the Internet to publish and exchange information, serve their
customers and the public, and conduct electronic transactions. The web server
is the essential system component for providing these functions. The web
browser is the corresponding software application on the user’s computer. It
accesses the information that is stored on web servers and displays it for the
user. Both web servers and web browsers are vulnerable to malicious intruders,
who can break into public websites, destroy or change information, and disrupt
operations.
The National Institute of
Standards and Technology (NIST) recently issued NIST Special Publication (SP)
800-44, Guidelines on Securing Public Web Servers, by Miles Tracy, Wayne
Jansen, and Mark McLarnon, to help federal agencies improve the secure design,
implementation, and operation of their web servers. These new guidelines
complement NIST Special Publication 800-46, Security for Telecommuting and
Broadband Communications, which provides information for improved security
of web browsers. Both publications were developed for the federal community,
but should be useful to individuals, the private sector, and other public
sector organizations.
NIST SP 800-44 describes secure practices for the installation and configuration of operating systems and web server software, and explains the use of devices such as firewalls, routers, switches, and intrusion detection systems to protect web servers. The publication also covers secure maintenance procedures and strategies for protecting information. The appendices provide details on the secure use of two popular web server applications: Apache Web Server and Microsoft Internet Information Server (IIS). Also included in the appendices are references available in print and electronic format, listings of web security resources, tools and applications, and useful checklists for web server security. Both NIST SP 800-44 and NIST SP 800-46 are available in electronic format from the NIST website: http://csrc.nist.gov/publications/nistpubs/index.html.
ITL’s November 2002 bulletin
summarized the recommendations and guidance in NIST SP 800-46. This and other bulletins issued by ITL are
available at:
http://csrc.nist.gov/publications/nistbul/index.html.
Because web servers are one
of the few system components on a target network that typically communicates
with untrusted third parties, they are frequently the targets of malicious
attacks by intruders. Intruders can easily launch automated attacks against
thousands of systems simultaneously to identify the relatively few vulnerable
systems. New attacks can be set up and
launched quickly from remote locations, foiling attempts by organizations to
develop effective countermeasures. Once web servers have been compromised, the
organization’s other network resources are at greater risk. Intrusions can be
very costly to the organization in terms of money, time, and damage to
reputation. The confidentiality and/or integrity of the stored data can be
jeopardized. Availability may also be affected,
making the information on the organization’s website effectively unobtainable.
In addition, a compromised web server could be used to distribute illegally
copied software, attack tools, and pornography or as a base from which to
attack other networks, possibly exposing the organization to legal
liability.
With good planning and
rigorous implementation of secure configurations and operational procedures,
organizations can operate successful websites while protecting their networks
and information resources.
Organizations need a
security plan and a policy for implementing the plan, monitoring its
effectiveness, and updating it. All those involved with or affected by the
information processing systems have a role in protecting the security and the
privacy of information assets. Security plans should include an overview of the
security requirements of the system, the controls needed to meet those requirements,
and the responsibilities of all individuals who access the system. With this
basic planning as the foundation for secure systems, organizations should apply
the following specific recommendations to improve the security of their web
servers:
· Plan carefully and address the security aspects of deployment of web servers.
Careful planning is essential before the installation,
configuration, and deployment of web servers. It is more difficult to address
security issues once deployment and implementation have been completed. A
detailed and well-designed deployment plan facilitates the organization’s
decisions about tradeoffs between usability, performance, and risks. A
deployment plan makes it possible to maintain secure configurations and to
identify security vulnerabilities. The deployment plan should address:
  · The purpose of the web server, the information to be stored on or processed through the server, and the security requirements of the information and of related systems, networks, and services; and
  · The human resource requirements for the deployment and operational phases of web servers and their supporting infrastructures, including the types of personnel, their skills and training, and levels of effort required.
· Implement appropriate security management practices and controls to maintain and operate a secure website.
Appropriate management practices are critical to
operating and maintaining secure web servers. Organizations should identify
their information system assets and determine the policies, standards,
procedures, and guidelines that are needed to support the confidentiality,
integrity, and availability of information system resources. All management
controls that are required to protect information system assets should be
developed, documented, and implemented.
NIST recommends that organizations apply the following
practices to ensure the security of web servers and their supporting network
infrastructure:
  · An organization-wide information system security policy;
  · Configuration/change control and management;
  · Risk assessment and management;
  · Standardized software configurations that satisfy the information system security policy;
  · Security awareness and training;
  · Contingency planning, continuity of operations, and disaster recovery;
  · Certification and accreditation; and
  · Incident response policy and procedures.
· Deploy, configure, and manage web server operating systems to meet the security requirements of the organization.
The first step in securing a web server is securing the
underlying operating system. Most commonly available web servers operate on a
general-purpose operating system. Many security issues can be avoided if the
operating systems supporting the web servers are configured appropriately. The
default hardware and software configurations of web servers may be set by
vendors to emphasize features, functions, and ease of use, rather than the
security of the system. Since each organization’s security requirements are
very different, web administrators should configure new servers to reflect
their organization’s security requirements. When these requirements change, the
web servers should be reconfigured. The steps needed to secure the operating
system include:
  · Patch and upgrade the operating system.
  · Remove or disable unnecessary services and applications.
  · Configure operating system user authentication.
  · Configure resource controls.
  · Test the security of the operating system.
· Web server applications should be deployed, configured, and managed to meet the security requirements of the organization.
In many respects, the requirements for secure
installation and configuration of web server applications are the same as for
the operating systems. First and foremost, only the minimal and necessary
portion of web server services should be installed. If vulnerabilities are
identified, they should be eliminated through patches or upgrades. Unnecessary applications, services, and
scripts should be removed immediately after the installation process has been completed.
The steps that should be taken to secure the web server application include:
  · Patch and upgrade the web server application.
  · Remove or disable unnecessary services, applications, and sample content.
  · Configure web server user authentication.
  · Configure web server resource controls.
  · Test the security of the web server application and web content.
· Ensure that only appropriate content is published on the website and that the content is adequately protected from unauthorized alteration.
Organizations should develop a web publishing process or
a policy that determines what information may be published openly, what
information may be published with restricted access, and what information
should not be published in any publicly accessible repository. Websites are
vulnerable to individuals who mine an organization’s website in search of
valuable information. In general, the following kinds of information should be
carefully examined and reviewed before publication on a public website:
  · Classified information
  · Proprietary information
  · Information on the composition or preparation of hazardous materials or toxins
  · Sensitive information relating to homeland security
  · Detailed physical and information security safeguards
  · Details about network and information system infrastructure (e.g., address ranges, naming conventions, access numbers)
  · Information that specifies or implies physical security vulnerabilities
  · Detailed plans, maps, diagrams, aerial photographs, and architectural drawings of organizational buildings, properties, or installations.
· Take appropriate steps to protect web content from unauthorized access or modification.
Organizations should control the information that is made available on public websites through their publishing processes or policies. Websites should be protected to assure that the information is not modified without authorization. Users rely on the integrity of the information made available to them. Because the information on public websites is easily accessible, it is more vulnerable to tampering and change than the information that is made available by the organization in other ways. Public web content must be protected through the appropriate configuration of web server resource controls. Some of the resource control practices that should be applied include:
  · Install or enable only necessary services.
  · Install web content on a dedicated hard drive or logical partition.
  · Limit uploads to directories that are not readable by the web server.
  · Define a single directory for all external scripts or programs executed as part of web content.
  · Disable the use of hard or symbolic links.
  · Define a complete web content access matrix to identify the folders and files within the web server document directory that are restricted and those that are accessible. People who have access to both the restricted and accessible folders and files should be identified.
  · Disable directory listings.
  · Use user authentication, digital signatures, and other cryptographic mechanisms as appropriate.
  · Use host-based intrusion detection systems and/or file integrity checkers to detect intrusions and verify web content.
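As an added example (not part of this bulletin or of NIST SP 800-44), the following Python script implements two of the resource-control practices listed above for a web server document root: a simple file integrity checker that records a SHA-256 baseline of the content and reports files that were modified, added or removed, and an audit that flags symbolic links and world-writable paths under the document root. The document root, file names and tampering steps inside `run_demo()` are constructed sample data for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

# Added example, not code from NIST SP 800-44: a minimal file integrity
# checker and resource-control audit for a web server document root.


def sha256_of(path):
    """Hash a file in chunks so that large content need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(docroot):
    """Map each regular file under docroot (path relative to docroot) to its
    SHA-256. Symbolic links are skipped here; they are reported by the
    policy audit instead of being hashed through."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, docroot)] = sha256_of(full)
    return baseline


def verify_baseline(docroot, baseline):
    """Compare the live tree with a stored baseline and report files whose
    hash changed, files that appeared, and files that disappeared."""
    current = build_baseline(docroot)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def find_policy_violations(docroot):
    """Flag symbolic links (which can point outside the document root) and
    world-writable files or directories (which any local account can alter)."""
    violations = []
    for dirpath, dirs, files in os.walk(docroot):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            if os.path.islink(full):
                violations.append((rel, "symlink"))
            elif os.lstat(full).st_mode & stat.S_IWOTH:
                violations.append((rel, "world-writable"))
    return sorted(violations)


def _write(path, text, mode=0o644):
    """Create a content file with an explicit mode so the demo does not
    depend on the process umask."""
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)


def run_demo():
    """Build a throw-away document root (constructed sample data), take a
    baseline, simulate tampering, and return what the checks report."""
    with tempfile.TemporaryDirectory() as docroot:
        os.mkdir(os.path.join(docroot, "docs"))
        os.chmod(os.path.join(docroot, "docs"), 0o755)
        _write(os.path.join(docroot, "index.html"), "<html>welcome</html>\n")
        _write(os.path.join(docroot, "docs", "policy.html"), "<html>policy</html>\n")
        baseline = build_baseline(docroot)

        # Simulated tampering: a defaced page, a dropped file, a symlink that
        # escapes the document root, and a world-writable upload directory.
        _write(os.path.join(docroot, "index.html"), "<html>defaced</html>\n")
        _write(os.path.join(docroot, "docs", "extra.html"), "<html>x</html>\n")
        os.symlink("..", os.path.join(docroot, "escape"))
        os.mkdir(os.path.join(docroot, "uploads"))
        os.chmod(os.path.join(docroot, "uploads"), 0o777)

        report = verify_baseline(docroot, baseline)
        violations = find_policy_violations(docroot)
    return baseline, report, violations


if __name__ == "__main__":
    _baseline, report, violations = run_demo()
    print("integrity report:", report)
    print("policy violations:", violations)
```

In production the baseline would be written to, and read from, the protected authoritative copy of the content rather than kept in memory, and the two checks would run from a scheduled job whose output feeds the log review described later in this bulletin.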
· Active content should be used only after careful consideration of the benefits to be gained and the associated risks.
Interactive elements, supported by technologies such as
ActiveX, Java, VBScript, and JavaScript, enable users to interact with websites
in new ways. No longer confined just to accessing text-based documents, users
can carry out a wide range of applications. These interactive elements
introduce new web-related vulnerabilities since they involve moving code from a
web server to a client application for execution. Users are at risk because
active content can take actions on the user’s computer without the permission
or knowledge of the user. Content generation technologies on the web server pose
a similar risk because, when accepting input from users, they may be induced to
take actions that could harm the server. One such risk is accepting large
amounts of information that can overflow buffers and be used to execute
commands or gain unauthorized access to the web server. All content must be
protected, and close attention should be given to proper programming of
browsers and servers. The different active content technologies have different
vulnerabilities associated with them, and all must be carefully considered to
balance benefits and risks.
· Authentication and cryptographic technologies should be used appropriately to protect certain types of sensitive data.
Organizations should examine all of the information
available on their public web servers and determine their requirements to
protect the integrity and confidentiality of that information. Web servers can
support a range of authentication and encryption technologies, which can be
used to identify and authenticate users with different privileges for accessing
information. Using appropriate user authentication techniques, organizations
can selectively restrict access to specific information. Otherwise, all
information on a public web server could be accessed by anyone with access to
the server. Certain user authentication processes protect the user as well by
enabling the user to verify that the server being accessed is the “authentic”
web server and not a counterfeit version operated by a malicious entity.
Technologies based on cryptographic functions can
provide an encrypted channel between a web browser client and a web server that
supports encryption. Web servers may be configured to use different
cryptographic algorithms, providing varying levels of security and performance.
· Use the network infrastructure to help protect public web servers.
The network infrastructure that supports the web server
plays a significant role in the security of the web server. With careful
configuration and deployment, the network infrastructure can be used to protect
the public web server. Network design is influenced by factors such as cost,
performance, and reliability, as well as by security. But network design alone
cannot protect a web server. The frequency, sophistication, and variety of web
attacks carried out today reinforce the need for layered and diverse defense
mechanisms. Some of these defense-in-depth mechanisms include selection of a
relatively safe network on which the public web server will be located and
configuration of the network to support and protect the web server.
· An ongoing process must be used to maintain the continued security of public web servers.
Maintaining a secure web server requires constant
effort, resources, and vigilance. After a web server has been deployed, web
administrators must monitor it on a daily basis to assure the continuing level
of security. The following steps are essential to maintaining the security of a
web server:
  · Configuring, protecting, and analyzing log files;
  · Backing up critical information frequently;
  · Maintaining a protected authoritative copy of the organization’s web content;
  · Establishing and following procedures for recovering from compromise;
  · Testing and applying patches in a timely manner; and
  · Testing security periodically.
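As an added example (not from this bulletin or from NIST SP 800-44), the following Python script shows the kind of routine log analysis the first maintenance step calls for, and also a check for the oversized input discussed under active content above. It parses access-log entries in Common Log Format (the sample lines are constructed for the example and use documentation-range addresses), then reports clients that produce an unusual number of 404 responses (a sign of someone probing for content that does not exist), requests whose path contains a parent-directory reference, and request paths that exceed a length limit. The thresholds and the shape of the `analyze()` summary are assumptions made for the demonstration.

```python
import re
from collections import Counter

# Added example, not code from NIST SP 800-44: detection checks over web
# server access-log lines in Common Log Format.

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log (not real traffic). 198.51.100.7 walks through
# script names that do not exist; 192.0.2.9 sends a traversal path and an
# oversized request line; 203.0.113.5 is an ordinary visitor.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Dec/2002:09:15:01 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [10/Dec/2002:09:15:03 -0500] "GET /docs/policy.html HTTP/1.1" 200 2211',
    '203.0.113.5 - - [10/Dec/2002:09:15:09 -0500] "GET /favicon.ico HTTP/1.1" 404 209',
    '198.51.100.7 - - [10/Dec/2002:09:16:10 -0500] "GET /cgi-bin/a.cgi HTTP/1.0" 404 209',
    '198.51.100.7 - - [10/Dec/2002:09:16:11 -0500] "GET /cgi-bin/b.cgi HTTP/1.0" 404 209',
    '198.51.100.7 - - [10/Dec/2002:09:16:12 -0500] "GET /cgi-bin/c.cgi HTTP/1.0" 404 209',
    '198.51.100.7 - - [10/Dec/2002:09:16:13 -0500] "GET /scripts/d.pl HTTP/1.0" 404 209',
    '198.51.100.7 - - [10/Dec/2002:09:16:14 -0500] "GET /scripts/e.pl HTTP/1.0" 404 209',
    '192.0.2.9 - - [10/Dec/2002:09:20:30 -0500] "GET /docs/../../private/notes.txt HTTP/1.0" 403 187',
    '192.0.2.9 - - [10/Dec/2002:09:20:31 -0500] "GET /search?q=' + "A" * 300 + ' HTTP/1.0" 414 0',
    'this line is not in Common Log Format',
])


def parse_log(text):
    """Return (entries, unparseable_count). Lines that do not match are
    counted rather than silently dropped: a logger that stops writing
    well-formed lines is itself worth noticing."""
    entries, bad = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            bad += 1
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        entries.append(e)
    return entries, bad


def probing_hosts(entries, threshold=5):
    """Clients whose count of 404 responses reaches the threshold."""
    misses = Counter(e["host"] for e in entries if e["status"] == 404)
    return {h: n for h, n in misses.items() if n >= threshold}


def traversal_attempts(entries):
    """Requests whose path contains a parent-directory reference, raw or
    percent-encoded. The check runs on the request as logged, so it also
    surfaces attempts the server already refused."""
    hits = []
    for e in entries:
        p = e["path"].lower()
        if "../" in p or "..%2f" in p or "%2e%2e" in p:
            hits.append((e["host"], e["path"]))
    return hits


def oversized_requests(entries, max_len=255):
    """Request paths longer than max_len, reported as (host, length)."""
    return [(e["host"], len(e["path"])) for e in entries if len(e["path"]) > max_len]


def analyze(text):
    """Run every check over a log text and return one summary dictionary."""
    entries, bad = parse_log(text)
    return {
        "entries": len(entries),
        "unparseable": bad,
        "probing": probing_hosts(entries),
        "traversal": traversal_attempts(entries),
        "oversized": oversized_requests(entries),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run this against a real server, replace `SAMPLE_LOG` with the contents of the access log and tune `threshold` and `max_len` to the site's normal traffic; the point of the daily review is to notice when these counts depart from what the site usually produces.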
Organizations and users
benefit when access to public web servers is safe and convenient and when the
organization’s electronic information resources are secure, reliable, and
available. As is the case with all other aspects of remote access to
organizational resources, the use of public web servers entails risks as well
as benefits. These risks and benefits must be managed through careful planning
and through implementation of guidelines for secure operation of public web
servers.
Under the Computer Security
Act of 1987 (P.L. 100-235), the Computer Security Division of the Information
Technology Laboratory (ITL) develops computer security prototypes, tests,
standards, and procedures to protect sensitive information from unauthorized
access or modification. Focus areas include cryptographic technology and
applications, advanced authentication, public key infrastructure, network
security, criteria and assurance, and security management and support.
NIST
issues publications covering research, guidance, standards, and the results of
collaborative outreach efforts with industry, government, and academic
organizations. NIST publications
dealing with information security topics, including archived copies of bulletins,
are available in electronic format from the NIST Computer Security Resource
Center at: http://csrc.nist.gov/publications/.
NIST Special Publications
provide guidance and help organizations establish a foundation for good security
practices. Some of these publications
are:
NIST Special Publication
800-3, Establishing a Computer Security Incident Response
Capability, November 1991
NIST Special Publication
800-18, Guide for Developing Security Plans for
Information Technology
Systems,
December 1998
NIST Special Publication
800-26, Security Self-Assessment Guide for Information
Technology Systems, November 2001
Security, June 2001
NIST Special Publication
800-28, Guidelines on Active Content and Mobile Code, October 2001
NIST
Special Publication, 800-31, Intrusion Detection Systems (IDS), November
2001
NIST Special Publication
800-32, Introduction to Public Key Technology and the
Federal PKI Infrastructure, February 2001
NIST Special Publication 800-33, Underlying
Technical Models for Information Technology Security, December 2001
NIST Special Publication
800-34, Contingency Planning Guide for Information
Technology Systems, June 2002
NIST Special Publication
800-40, Procedures for Handling Security Patches, September 2002
NIST Special Publication
800-41, Guidelines on Firewalls and Firewall Policy, January
2002
NIST Special Publication
800-42, Guideline on Network Security Testing, draft
NIST Special Publication
800-43, Guide to Securing Windows 2000 Professional, November 2002
NIST
Special Publication 800-44, Guidelines on Securing Public Web Servers,
September 2002
NIST Special Publication
800-45, Guidelines on Electronic Mail Security, September 2002
NIST Special Publication
800-46, Security for Telecommuting and Broadband
NIST Special Publication 800-47, Security
Guide for Interconnecting Information Technology Systems, September 2002
NIST Special Publication
800-48, Wireless Network Security:
802.11, Bluetooth, and Handheld Devices, November 2002
NIST Special Publication
800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability
Naming Scheme, September 2002
Layer Security
Implementations, draft.
Disclaimer
Any mention of commercial products or reference to commercial organizations is
for information only; it does not imply recommendation or endorsement by NIST
nor does it imply that the products mentioned are necessarily the best
available for the purpose.