NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS
9. Administering the Web Server
After initially deploying a Web server, administrators need to maintain its security continuously. This section provides general recommendations for securely administering Web servers. Vital activities include handling and analyzing log files, performing regular Web server backups, recovering from Web server compromises, testing Web server security regularly, and performing remote administration securely.
9.1 Logging
Logging is a cornerstone of a sound security posture. Capturing the correct data in the logs and then monitoring those logs closely is vital. [72] Network and system logs are important, especially system logs in the case of HTTPS-protected communications, where network monitoring is less effective because the request and response contents are encrypted in transit. Web server software can provide additional log data relevant to Web-specific events. Similarly, Web applications may also maintain their own logs of actions.
Reviewing logs is mundane and reactive, and many Web server administrators devote their time to performing duties that they consider more important or urgent. However, log files are often the only record of suspicious behavior. Enabling the mechanisms to log information allows the logs to be used to detect failed and successful intrusion attempts and to initiate alert mechanisms when further investigation is needed. Procedures and tools need to be in place to process and analyze the log files and to review alert notifications.
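As an added example (not part of the NIST text), the following Python script shows the kind of automated processing the paragraph above calls for: it parses transfer (access) log entries and raises alerts for the two signals an administrator most often wants from a Web server log, probes for path traversal or sensitive files in individual requests, and a client generating many error responses, which is typical of a scanner. The log lines are constructed for this example and use the Apache-style Common Log Format; that format, the regular expressions, the threshold of five error responses, and the probe patterns are all assumptions chosen for illustration, not something the guideline specifies.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format (CLF) as written by Apache-style transfer/access logs
# (assumed format for this example):
#   host ident user [date] "request line" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# ".." bounded by "/" or "\" (or line start/end), checked after URL decoding.
TRAVERSAL = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def parse_clf(line):
    """Parse one CLF entry into a dict; return None for malformed lines."""
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def suspicious_request(entry):
    """Return the list of reasons a single request looks like an attack probe."""
    reasons = []
    # Decode twice so that double-encoded sequences such as %252e are caught.
    path = unquote(unquote(entry["path"]))
    if TRAVERSAL.search(path):
        reasons.append("path traversal")
    lower = path.lower()
    if "/etc/passwd" in lower or "cmd.exe" in lower:  # illustrative patterns
        reasons.append("sensitive-file probe")
    return reasons


def analyze(lines, error_threshold=5):
    """Scan log lines; return (alerts, malformed_line_count).

    Each alert is a dict with host, reason and path. Per-request alerts
    come first in log order, followed by per-host error-rate alerts.
    """
    alerts = []
    errors_per_host = defaultdict(int)
    malformed = 0
    for line in lines:
        e = parse_clf(line)
        if e is None:
            malformed += 1  # a broken line is itself worth noting
            continue
        reasons = suspicious_request(e)
        if reasons:
            alerts.append({"host": e["host"], "reason": "; ".join(reasons),
                           "path": e["path"]})
        if e["status"] >= 400:
            errors_per_host[e["host"]] += 1
    for host, n in sorted(errors_per_host.items()):
        if n >= error_threshold:
            alerts.append({"host": host, "path": "",
                           "reason": f"{n} error responses (scanning?)"})
    return alerts, malformed


# Constructed sample log: one ordinary client and one client probing the server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 1024
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /admin/ HTTP/1.1" 403 199
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /backup.zip HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /.git/config HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2023:13:56:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
this line is not a log entry
"""

if __name__ == "__main__":
    found, bad = analyze(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['host']}: {a['reason']} {a['path']}")
    print(f"{bad} malformed line(s)")
```

Run against the sample, the script reports the two probing requests from 198.51.100.7 (the traversal attempt, and the double-encoded cmd.exe request that a naive single decode would miss), the same host for its six error responses, and one malformed line. In production the same logic would run over the rotated log files or a log pipeline, with the thresholds tuned to the site's normal traffic.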
Web server logs provide:
- Alerts to suspicious activities that require further investigation
- Tracking of an attacker's activities
- Assistance in the recovery of the system
- Assistance in post-event investigation
- Required information for legal proceedings.
The selection and implementation of specific Web server software determines which set of detailed instructions (presented below) the Web server administrator should follow to establish logging configurations. Some of the information contained in the steps below may not be fully applicable to all manufacturers' Web server software products.
9.1.1 Identifying the Logging Capabilities of a Web Server
Each type of Web server software supports different logging capabilities. Depending on the Web server software used, one or more of the following logs may be available [Alle00]:
- Transfer Log: Each transfer is represented as one entry showing the main information related to the transfer.
[72] For more information on logging, see NIST SP 800-92, Guide to Computer Security Log Management, which is available at http://csrc.nist.gov/publications/nistpubs/.
9-1