NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS Completed Action Identify appropriate physical security mechanisms Identify appropriate availability mechanisms Choose appropriate OS for Web server Minimal exposure to vulnerabilities Ability to restrict administrative or root level activities to authorized users only Ability to control access to data on the server Ability to disable unnecessary network services that may be built into the OS or server software Ability to control access to various forms of executable programs, such as CGI scripts and server plug-ins Ability to log appropriate server activities to detect intrusions and attempted intrusions Provision of a host-based firewall capability Availability of experienced staff to install, configure, secure, and maintain OS Choose appropriate platform for Web server General purpose OS Trusted OS Web server appliance Pre-hardened OS and Web server Virtualized platform 3-14
GUIDELINES ON SECURING PUBLIC WEB SERVERS 4. Securing the Web Server Operating System Protecting a Web server from compromise involves hardening the underlying OS, the Web server application, and the network to prevent malicious entities from directly attacking the Web server. The first step in securing a Web server, hardening the underlying OS, is discussed at length in this section. (Securing the Web server application and the network are addressed in Sections 5 and 8, respectively.) All commonly available Web servers operate on a general-purpose OS. Many security issues can be avoided if the OSs underlying the Web servers are configured appropriately. Default hardware and software configurations are typically set by manufacturers to emphasize features, functions, and ease of use, at the expense of security. Because manufacturers are unaware of each organization’s security needs, each Web server administrator must configure new servers to reflect their organization’s security requirements and reconfigure them as those requirements change. The practices recommended here are designed to help Web server administrators configure and deploy Web servers that satisfy their organizations’ security requirements. Web server administrators managing existing Web servers should confirm that their systems address the issues discussed. The techniques for hardening different OSs vary greatly; therefore, this section includes the generic procedures common in securing most OSs. Security configuration guides and checklists for many OSs are publicly available; these documents typically contain recommendations for settings that improve the default level of security, and they may also contain step-by-step instructions for securing systems. 16 In addition, many organizations maintain their own guidelines specific to their requirements. Some automated tools also exist for hardening OSs, and their use is strongly recommended (see Appendix D). Five basic steps are necessary to maintain basic OS security: Planning the installation and deployment of the host OS and other components for the Web server Patching and updating the host OS as required Hardening and configuring the host OS to address security adequately Installing and configuring additional security controls, if needed Testing the host OS to ensure that the previous four steps adequately addressed all security issues. The first step is discussed in Section 3. The other steps are covered in Sections 4.1 and 4.2. 4.1 Installing and Configuring the Operating System This section provides an overview of the second, third, and fourth steps in the list above. The combined result of these steps should be a reasonable level of protection for the Web server’s OS. 4.1.1 Patch and Upgrade Operating System Once an OS is installed, applying needed patches or upgrades to correct for known vulnerabilities is essential. Any known vulnerabilities an OS has should be corrected before using it to host a Web server 16 Checklists and implementation guides for various operating systems and applications are available from <strong>NIST</strong> at http://checklists.nist.gov/. Also, see <strong>NIST</strong> SP <strong>800</strong>-70, Security Configuration Checklists Program for IT Products, available at the same Web site, for general information about <strong>NIST</strong>’s checklists program. 4-1
Page 1 and 2: Special Publication 800</st
Page 3 and 4: GUIDELINES ON SECURING PUBLIC WEB S
Page 33: GUIDELINES ON SECURING PUBLIC WEB S
Page 85 and 86:
GUIDELINES ON SECURING PUBLIC WEB S
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?