NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS
Services other than Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS)
SOAP-style Web Services 6
Protection of intellectual property.
1.3 Audience and Assumptions
This document, while technical in nature, provides the background information to help readers understand the topics that are discussed. The intended audience for this document includes the following:
System engineers and architects, when designing and implementing Web servers
Web and system administrators, when administering, patching, securing, or upgrading Web servers
Webmasters, when creating and managing Web content
Security consultants, when performing security audits to determine information system (IS) security postures
Program managers and information technology (IT) security officers, to ensure that adequate security measures have been considered for all phases of the system’s life cycle.
This document assumes that readers have some minimal operating system, networking, and Web server expertise. Because of the constantly changing nature of Web server threats and vulnerabilities, readers are expected to take advantage of other resources (including those listed in this document) for more current and detailed information.
The practices recommended in this document are designed to help mitigate the risks associated with Web servers. They build on and assume the implementation of practices described in other NIST guidelines listed in Appendix E.
1.4 Document Structure
The remainder of this document is organized into the following eight major sections:
Section 2 discusses Web server security problems and presents an overview.
Section 3 discusses the planning and management of Web servers.
Section 4 presents an overview of securing the underlying operating system for a Web server.
Section 5 discusses securely installing and configuring a Web server.
Section 6 examines the security of Web content.
Section 7 examines popular Web authentication and encryption technologies.
6 NIST SP 800-95, Guide to Secure Web Services, provides insight into the risks introduced by Web services and how to mitigate them (http://csrc.nist.gov/publications/nistpubs/).