NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

Is “hardened” against application-level DoS attacks. Although DoS attacks are most frequently targeted at the network and transport layers, the application itself can be a target. If a malicious user can monopolize a required application or system resource, legitimate users can be prevented from using the system.

3.3 Management Practices

Appropriate management practices are critical to operating and maintaining a secure Web server. Security practices entail the identification of an organization’s information system assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability of information system resources.

To ensure the security of a Web server and the supporting network infrastructure, organizations should implement the following practices:

Organizational Information System Security Policy—A security policy should specify the basic information system security tenets and rules, and their intended internal purpose. The policy should also outline who in the organization is responsible for particular areas of information security (e.g., implementation, enforcement, audit, review). The policy must be enforced consistently throughout the organization to be effective. Generally, the CIO and senior management are responsible for drafting the organization’s security policy.

Configuration/Change Control and Management—The process of controlling modification to a system’s design, hardware, firmware, and software provides sufficient assurance that the system is protected against the introduction of an improper modification before, during, and after system implementation. Configuration control leads to consistency with the organization’s information system security policy. Configuration control is traditionally overseen by a configuration control board that is the final authority on all proposed changes to an information system. If resources allow, consider the use of development, quality assurance, and/or test environments so that changes can be vetted and tested before deployment in production.

Risk Assessment and Management—Risk assessment is the process of analyzing and interpreting risk. It involves determining an assessment’s scope and methodology, collecting and analyzing risk-related data, and interpreting the risk analysis results. Collecting and analyzing risk data requires identifying assets, threats, vulnerabilities, safeguards, consequences, and the probability of a successful attack. Risk management is the process of selecting and implementing controls to reduce risk to a level acceptable to the organization.

Standardized Configurations—Organizations should develop standardized secure configurations for widely used OSs and applications. This will provide recommendations to Web server and network administrators on how to configure their systems securely and ensure consistency and compliance with the organizational security policy. Because it only takes one insecurely configured host to compromise a network, organizations with a significant number of hosts are especially encouraged to apply this recommendation.

Secure Programming Practices—Organizations should adopt secure application development guidelines to ensure that they develop their Web applications in a sufficiently secure manner.

Security Awareness and Training—A security training program is critical to the overall security posture of an organization. Making users and administrators aware of their security responsibilities and teaching the correct practices helps them change their behavior to conform to security best
3-6