NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS 9. Administering the Web Server After initially deploying a Web server, administrators need to maintain its security continuously. This section provides general recommendations for securely administering Web servers. Vital activities include handling and analyzing log files, performing regular Web server backups, recovering from Web server compromises, testing Web server security regularly, and performing remote administration securely. 9.1 Logging Logging is a cornerstone of a sound security posture. Capturing the correct data in the logs and then monitoring those logs closely is vital. 72 Network and system logs are important, especially system logs in the case of HTTPS-protected communications, where network monitoring is less effective. Web server software can provide additional log data relevant to Web-specific events. Similarly, Web applications may also maintain their own logs of actions. Reviewing logs is mundane and reactive, and many Web server administrators devote their time to performing duties that they consider more important or urgent. However, log files are often the only record of suspicious behavior. Enabling the mechanisms to log information allows the logs to be used to detect failed and successful intrusion attempts and to initiate alert mechanisms when further investigation is needed. Procedures and tools need to be in place to process and analyze the log files and to review alert notifications. Web server logs provide— Alerts to suspicious activities that require further investigation Tracking of an attacker’s activities Assistance in the recovery of the system Assistance in post-event investigation Required information for legal proceedings. The selection and implementation of specific Web server software determines which set of detailed instructions (presented below) the Web server administrator should follow to establish logging configurations. Some of the information contained in the steps below may not be fully applicable to all manufacturers’ Web server software products. 9.1.1 Identifying the Logging Capabilities of a Web Server Each type of Web server software supports different logging capabilities. Depending on the Web server software used, one or more of the following logs may be available [Alle00]: Transfer Log—Each transfer is represented as one entry showing the main information related to the transfer. 72 For more information on logging, see <strong>NIST</strong> SP <strong>800</strong>-92, Guide to Computer Security Log Management, which is available at http://csrc.nist.gov/publications/nistpubs/. 9-1
GUIDELINES ON SECURING PUBLIC WEB SERVERS Error Log—Each error is represented as one entry, including an explanation of the reason for this error report. Agent Log—This log contains information about the user client software used to access Web content. Referrer Log—This log collects information relevant to HTTP access. This includes the URL of the page that contained the link that the user client software followed to initiate access to the Web page. Most Web servers support the Transfer Log, and it is usually considered the most important. Several log formats are available for Transfer Log entries. Typically, the information is presented in plain American Standard Code for Information Interchange (ASCII) without special delimiters to separate the different fields [Alle00]: Common Log Format (CLF)—This format stores information related to one transfer (Transfer Log) in the following order: • Remote host • Remote user identity in accordance with RFC 1413 73 • Authenticated user in accordance with the basic authentication scheme (see Section 7.3) • Date • URL requested • Status of the request • Number of bytes actually transferred. Combined Log Format—This format contains the same seven fields above. It also provides information normally stored in the Agent Log and the Referrer Log, along with the actual transfer. Keeping this information in a consolidated log format may support more effective administration. Extended Log Format—This format provides a way to describe all items that should be collected within the log file. The first two lines of the log file contain the version and the fields to be collected, and they appear in the log file as follows: #<strong>Version</strong>: 1.0 #Fields: date time c-ip sc-bytes time-taken cs-version 1999-08-01 02:10:57 192.0.0.2 6340 3 HTTP/1.0 This example contains the date, time, originating address, number of bytes transmitted, time taken for transmission, and HTTP version. Other Log File Formats—Some server software provides log information in different file formats, such as database formats or delimiter-separated formats. Other server software provides the 73 See the IETF Web site: http://www.ietf.org/rfc/rfc1413.txt. 9-2
Page 1 and 2:
Special Publication 800</st
Page 3 and 4:
GUIDELINES ON SECURING PUBLIC WEB S
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50: GUIDELINES ON SECURING PUBLIC WEB S
Page 99: GUIDELINES ON SECURING PUBLIC WEB S
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

Create successful ePaper yourself

Delete template?

Save as template?