NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS development, documentation, and implementation of policies, standards, procedures, and guidelines that help to ensure the confidentiality, integrity, and availability of information system resources. To ensure the security of a Web server and the supporting network infrastructure, the following practices should be implemented: Organization-wide information system security policy Configuration/change control and management Risk assessment and management Standardized software configurations that satisfy the information system security policy Security awareness and training Contingency planning, continuity of operations, and disaster recovery planning Certification and accreditation. Organizations should ensure that Web server operating systems are deployed, configured, and managed to meet the security requirements of the organization. The first step in securing a Web server is securing the underlying operating system. Most commonly available Web servers operate on a general-purpose operating system. Many security issues can be avoided if the operating systems underlying Web servers are configured appropriately. Default hardware and software configurations are typically set by manufacturers to emphasize features, functions, and ease of use, at the expense of security. Because manufacturers are not aware of each organization’s security needs, each Web server administrator must configure new servers to reflect their organization’s security requirements and reconfigure them as those requirements change. Using security configuration guides or checklists can assist administrators in securing systems consistently and efficiently. Securing an operating system initially would generally include the following steps: Patch and upgrade the operating system Remove or disable unnecessary services and applications Configure operating system user authentication Configure resource controls Install and configure additional security controls Perform security testing of the operating system. Organizations should ensure that the Web server application is deployed, configured, and managed to meet the security requirements of the organization. In many respects, the secure installation and configuration of the Web server application will mirror the operating system process discussed above. The overarching principle is to install the minimal amount of Web server services required and eliminate any known vulnerabilities through patches or upgrades. If the installation program installs any unnecessary applications, services, or scripts, they should be removed ES-3
GUIDELINES ON SECURING PUBLIC WEB SERVERS immediately after the installation process concludes. Securing the Web server application would generally include the following steps: Patch and upgrade the Web server application Remove or disable unnecessary services, applications, and sample content Configure Web server user authentication and access controls Configure Web server resource controls Test the security of the Web server application and Web content. Organizations should take steps to ensure that only appropriate content is published on a Web site. Many agencies lack a Web publishing process or policy that determines what type of information to publish openly, what information to publish with restricted access, and what information should not be published to any publicly accessible repository. This is unfortunate because Web sites are often one of the first places that malicious entities search for valuable information. Some generally accepted examples of what should not be published or at least should be carefully examined and reviewed before publication on a public Web site include— Classified or proprietary information Information on the composition or preparation of hazardous materials or toxins 2 Sensitive information relating to homeland security Medical records An organization’s detailed physical and information security safeguards Details about an organization’s network and information system infrastructure (e.g., address ranges, naming conventions, access numbers) Information that specifies or implies physical security vulnerabilities Detailed plans, maps, diagrams, aerial photographs, and architectural drawings of organizational buildings, properties, or installations Any sensitive information about individuals, such as personally identifiable information (PII), that might be subject to either Federal, state or, in some instances, international privacy laws. 3 Organizations should ensure appropriate steps are taken to protect Web content from unauthorized access or modification. 2 3 For more guidance on protecting this type of information, see the White House Memorandum dated March 19, 2000, Action to Safeguard Information Regarding Weapons of Mass Destruction and Other Sensitive Documents Related to Homeland Security (http://www.usdoj.gov/oip/foiapost/2002foiapost10.htm). For more guidance on protecting this type of information, see OMB Memorandum M-06-16 and OMB Memorandum M-07- 16 at http://www.whitehouse.gov/omb/memoranda/. ES-4
Page 1 and 2: Special Publication 800</st
Page 3 and 4: GUIDELINES ON SECURING PUBLIC WEB S
Page 9: GUIDELINES ON SECURING PUBLIC WEB S
Page 61 and 62:
GUIDELINES ON SECURING PUBLIC WEB S
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?