NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS 3.2.1 Senior IT Management/Chief Information Officer The Senior IT Management/Chief Information Officer (CIO) ensures that the organization’s security posture is adequate. The Senior IT Management provides direction and advisory services for the protection of information systems for the entire organization. The Senior IT Management/CIO is responsible for the following activities associated with Web servers: Coordinating the development and maintenance of the organization’s information security policies, standards, and procedures Coordinating the development and maintenance of the organization’s change control and management procedures Ensuring the establishment of, and compliance with, consistent IT security policies for departments throughout the organization Coordinating with upper management, public affairs, and other relevant personnel to produce a formal policy and process for publishing information to Web sites and ensuring this policy is enforced. 3.2.2 Information Systems Security Program Managers The Information Systems Security Program Managers (ISSPM) oversee the implementation of and compliance with the standards, rules, and regulations specified in the organization’s security policy. The ISSPMs are responsible for the following activities associated with Web servers: Ensuring that security procedures are developed and implemented Ensuring that security policies, standards, and requirements are followed Ensuring that all critical systems are identified and that contingency planning, disaster recovery plans, and continuity of operations plans exist for these critical systems Ensuring that critical systems are identified and scheduled for periodic security testing according to the security policy requirements of each respective system. 3.2.3 Information Systems Security Officers Information Systems Security Officers (ISSO) are responsible for overseeing all aspects of information security within a specific organizational entity. They ensure that the organization’s information security practices comply with organizational and departmental policies, standards, and procedures. ISSOs are responsible for the following activities associated with Web servers: Developing internal security standards and procedures for the Web server(s) and supporting network infrastructure Cooperating in the development and implementation of security tools, mechanisms, and mitigation techniques Maintaining standard configuration profiles of the Web servers and supporting network infrastructure controlled by the organization, including, but not limited to, OSs, firewalls, routers, and Web server applications 3-4
GUIDELINES ON SECURING PUBLIC WEB SERVERS Maintaining operational integrity of systems by conducting security tests and ensuring that designated IT professionals are conducting scheduled testing on critical systems. 3.2.4 Web Server and Network Administrators Web server administrators are system architects responsible for the overall design, implementation, and maintenance of a Web server. Network administrators are responsible for the overall design, implementation, and maintenance of a network. On a daily basis, Web server and network administrators contend with the security requirements of the specific system(s) for which they are responsible. Security issues and solutions can originate from either outside (e.g., security patches and fixes from the manufacturer or computer security incident response teams) or within the organization (e.g., the security office). The administrators are responsible for the following activities associated with Web servers: Installing and configuring systems in compliance with the organizational security policies and standard system and network configurations Maintaining systems in a secure manner, including frequent backups and timely application of patches Monitoring system integrity, protection levels, and security-related events Following up on detected security anomalies associated with their information system resources Conducting security tests as required. 3.2.5 Web Application Developers Web application developers are responsible for the look, functionality, performance, and security of the Web content and Web-based applications they create. As mentioned in Section 2, threats are increasingly directed at applications instead of the underlying Web server software and OSs. Unless Web application developers ensure that their code takes security into consideration, the Web server’s security will be weak no matter how well the server itself and the supporting infrastructure are secured. Web application developers should ensure the applications they implement have the following characteristics: Supports a secure authentication, authorization, and access control mechanism as required. Performs input validation so that the application’s security mechanisms cannot be bypassed when a malicious user tampers with data he or she sends to the application, including HTTP requests, headers, query strings, cookies, form fields, and hidden fields. Processes errors in a secure manner so as not to lead to exposure of sensitive implementation information. Protects sensitive information processed and/or stored by the application. Inadequate protection can allow data tampering and access to confidential information such as usernames, passwords, and credit card numbers. Maintains its own application-specific logs. In many instances, Web server logging is not sufficient to track what a user does at the application level, requiring the application to maintain its own logs. Insufficient logging details can lead to a lack of knowledge about possible intrusions and an inability to verify a user’s actions (both legitimate and malicious). 3-5
Page 1 and 2: Special Publication 800</st
Page 3 and 4: GUIDELINES ON SECURING PUBLIC WEB S
Page 23: GUIDELINES ON SECURING PUBLIC WEB S
Page 75 and 76:
GUIDELINES ON SECURING PUBLIC WEB S
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?