NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

authentication mechanisms and devices are used, the organization's policy should be changed accordingly, if necessary. Some organizational policies may already require the use of strong authentication mechanisms.

As mentioned earlier, attackers using network sniffers can easily capture passwords passed across a network in clear text. However, passwords are economical and appropriate if properly protected while in transit. Organizations should implement authentication and encryption technologies, such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS), Secure Shell (SSH), or virtual private networking (VPN), to protect passwords during transmission. Requiring user-friendly server authentication to be used with encryption technologies reduces the likelihood of successful man-in-the-middle and spoofing attacks.
4.1.4 Configure Resource Controls Appropriately

All commonly used modern server OSs provide the capability to specify access privileges individually for files, directories, devices, and other computational resources. By carefully setting access controls and denying personnel unauthorized access, the Web server administrator can reduce intentional and unintentional security breaches. For example, denying read access to files and directories helps to protect confidentiality of information, and denying unnecessary write (modify) access can help maintain the integrity of information. Limiting the execution privilege of most system-related tools to authorized system administrators can prevent users from making configuration changes that could reduce security. It also can restrict the attacker's ability to use those tools to attack the system or other systems on the network.
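The following shell script is an added example (it is not part of NIST SP 800-44) of putting Section 4.1.4 into practice on a Unix-like host: content under a Web document root is made readable but not writable by the server's group, and an audit function reports world-writable entries and setuid/setgid files, the two settings most often behind an unintended integrity or privilege problem. The document root path, the owner account, and the web group name are assumptions supplied by the caller; the sample directory tree built by demo() is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from NIST SP 800-44. Assumptions: content is owned by an
# administrative account, the Web server process runs under the group named
# in the third argument, and the server needs read access only.
set -eu

# Apply the policy: directories 0750, files 0640 (which also clears any
# setuid/setgid and world-writable bits), ownership admin:webgroup.
#   $1 = document root, $2 = owner account, $3 = web server group
harden_webroot() {
    root=$1; owner=$2; group=$3
    chown -R "$owner:$group" "$root"
    find "$root" -type d -exec chmod 0750 {} +
    find "$root" -type f -exec chmod 0640 {} +
}

# Audit the policy: print the number of violations (world-writable entries
# plus setuid/setgid regular files) and succeed only if that number is zero.
#   $1 = document root
audit_webroot() {
    root=$1
    violations=$( {
        find "$root" -perm -002           # world-writable file or directory
        find "$root" -type f -perm -4000  # setuid file
        find "$root" -type f -perm -2000  # setgid file
    } | wc -l | tr -d ' ')
    echo "$violations"
    [ "$violations" -eq 0 ]
}

# Constructed demonstration tree with two deliberately weak settings.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs/uploads"
    printf 'hello\n' > "$tmp/htdocs/index.html"
    printf '#!/bin/sh\n' > "$tmp/htdocs/uploads/helper.sh"
    chmod 0777 "$tmp/htdocs/uploads"           # constructed: world-writable dir
    chmod 4755 "$tmp/htdocs/uploads/helper.sh" # constructed: setuid file
    before=$(audit_webroot "$tmp/htdocs" || true)
    harden_webroot "$tmp/htdocs" "$(id -un)" "$(id -gn)"
    after=$(audit_webroot "$tmp/htdocs")
    echo "violations before hardening: $before, after hardening: $after"
    rm -rf "$tmp"
}

demo
```

In production the chown step runs as root and the group argument is the unprivileged account the Web server drops to; directories that must accept uploads are the exception to the read-only rule and should be listed explicitly rather than left writable by default. The audit function is suitable for a periodic cron job because its exit status alone signals drift from the policy.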
4.1.5 Install and Configure Additional Security Controls

OSs often do not include all of the security controls necessary to secure the OS, services, and applications adequately. In such cases, administrators need to select, install, and configure additional software to provide the missing controls. Commonly needed controls include the following:

- Anti-malware software, such as antivirus software, anti-spyware software, and rootkit detectors, to protect the local OS from malware and to detect and eradicate any infections that occur.[21] Examples of when anti-malware software would be helpful include a Web administrator bringing infected media to the Web server and a network service worm contacting the server and infecting it.

- Host-based intrusion detection and prevention software, to detect attacks performed against the Web server, including DoS attacks. Section 7.2.2 contains additional information on host-based intrusion detection and prevention software.

- Host-based firewalls, to protect the server from unauthorized access.[22]

- Patch management software to ensure that vulnerabilities are addressed promptly. Patch management software can be used only to apply patches or also to identify new vulnerabilities in the Web server's OSs, services, and applications.
[21] Additional information on anti-malware software is available from NIST SP 800-83, Guide to Malware Incident Prevention and Handling (http://csrc.nist.gov/publications/nistpubs/).

[22] For more information on firewalls, see NIST SP 800-41, Guidelines on Firewalls and Firewall Policy (http://csrc.nist.gov/publications/nistpubs/).
4-6