NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS Completed Test system to ensure security Reconnect system to network Action Monitor system and network for signs that the attacker is attempting to access the system or network again Document lessons learned Test security Periodically conduct vulnerability scans on Web server, dynamically generated content, and supporting network Update vulnerability scanner prior to testing Correct any deficiencies identified by the vulnerability scanner Conduct penetration testing on the Web server and the supporting network infrastructure Correct deficiencies identified by penetration testing Conduct remote administration and content updates Use a strong authentication mechanism (e.g., public/private key pair, two-factor authentication) Restrict hosts that can be used to remotely administer or update content on the Web server by IP address and to the internal network Use secure protocols (e.g., SSH, HTTPS) Enforce the concept of least privilege on remote administration and content updating (e.g., attempt to minimize the access rights for the remote administration/update accounts) Change any default accounts or passwords from the remote administration utility or application Do not allow remote administration from the Internet unless mechanisms such as VPNs are used Do not mount any file shares on the internal network from the Web server or vice versa E-9
GUIDELINES ON SECURING PUBLIC WEB SERVERS Appendix F—Acronym List 3DES ACL ADA AES AIRWeb AJAX API APWG ARP ASCII ASP CA CAPTCHA CD-R CERIAS CERT/CC CIAC CIO CGI CLF CMVP CN CPU CSR DDoS DES DHS DMZ DN DNS DoD DoS DSS FIPS FISMA FOIA FTC FTP GUI HTCP HTML HTTP HTTPS Triple Data Encryption Standard Access Control List American Disability Association Advanced Encryption Standard Adversarial Information Retrieval on the Web Asynchronous JavaScript and XML Application Programming Interface Anti-Phishing Working Group Address Resolution Protocol American Standard Code of Information Interchange Active Server Page Certificate Authority Completely Automated Public Turing Test to Tell Computers and Humans Apart Compact Disc Recordable Center for Education and Research in Information Assurance and Security Computer Emergency Response Team Coordination Center Computer Incident Advisory Capability (U.S. Department of Energy) Chief Information Officer Common Gateway Interface Common Log Format Cryptographic Module Validation Program Common Name Central Processing Unit Certificate-Signing Request Distributed Denial of Service Data Encryption Standard Department of Homeland Security Demilitarized Zone Domain Name Domain Name System Department of Defense Denial of Service Digital Signature Standard Federal Information Processing Standard Federal Information Security Management Act Freedom of Information Act Federal Trade Commission File Transfer Protocol Graphical User Interface Hypertext Caching Protocol Hypertext Markup Language Hypertext Transfer Protocol Hypertext Transfer Protocol Secure F-1
Page 1 and 2:
Special Publication 800</st
Page 3 and 4:
GUIDELINES ON SECURING PUBLIC WEB S
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86: GUIDELINES ON SECURING PUBLIC WEB S
Page 135: GUIDELINES ON SECURING PUBLIC WEB S
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

Create successful ePaper yourself

Delete template?

Save as template?