NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS
Unlike the Java sandbox model, which restricts the permissions of applets to a set of safe actions, ActiveX places no restrictions on what a control can do. Instead, ActiveX controls are digitally signed by their authors under a technology scheme called Authenticode. The digital signatures are verified using identity certificates issued by a trusted certificate authority to an ActiveX software publisher, who must pledge that no harmful code will be knowingly distributed under this scheme. The Authenticode process ensures that ActiveX controls cannot be distributed anonymously and that tampering with the controls can be detected. This certification process, however, does not ensure that a control will be well behaved [NIST01]: a valid signature proves who published the control and that it has not been altered since, not that the control is free of exploitable flaws. Vulnerabilities in key ActiveX controls have been reported, including components installed by popular applications such as Microsoft Office.
6.4.2 Vulnerabilities with Server-Side Content Generation Technologies
Unlike the above technologies, CGI, ASP.NET, Java EE, and other similar server interfaces fall on the server (Web) side of the client-server model. Common uses of server-side execution include [Ziri02]:
Database access
E-commerce/e-government applications
Chat rooms
Threaded discussion groups.
Server-side applications can be written in many programming languages to run on a Web server. If scripts and components are not prepared carefully, however, attackers can find and exercise flaws in the code to penetrate the Web server or backend components such as a database server. Scripts must therefore be written with security in mind; for example, they should not run arbitrary commands on the system (in particular, commands assembled from user input) or launch insecure programs. An attacker can find flaws through trial and error and does not need the source code of the script to uncover vulnerabilities [NIST01].
Server-side content generators can create the following security vulnerabilities at the server:
They may intentionally or unintentionally leak information about the Web server application and host OS that can aid an attacker, for example, by allowing access to files outside the areas designated for Web use (such as a request that uses "../" sequences to read files outside the document root).
When processing user-provided input, such as the contents of a form, URL parameters, or a search query, they may be vulnerable to attacks in which the user tricks the application into executing arbitrary commands or queries supplied in the input stream (e.g., SQL injection or OS command injection), or into returning attacker-supplied script that then runs in other users' browsers (cross-site scripting).
They may allow attackers to deface or modify site content.
Ideally, server-side applications should constrain users to a small set of well-defined functions and validate the size and values of input parameters so that an attacker cannot overrun memory boundaries or piggyback arbitrary commands for execution. Applications should run only with minimal privileges (i.e., as a non-administrative account) so that a compromised application cannot take over the entire Web site. Low privilege limits the damage but does not prevent exploitation: security holes can still be exploited when applications run with low privilege settings, so reduced privilege is a last line of defense, not a substitute for secure code. For example, a subverted script running as an unprivileged user may still have enough access to mail out the system password file, examine the network information maps, or start a login service listening on a high-numbered port.
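The contrast drawn in the two preceding paragraphs, between a script that splices user input into a query or a file path and one that constrains its input and exposes only a small set of well-defined functions, is shown below in an added Python example that is not part of NIST SP 800-44. A small in-memory SQLite database stands in for the backend database server; the document root, the size limit, the allowlist pattern, the table layout and the catalogue rows are all assumptions constructed for the example.

```python
"""Added example (not from NIST SP 800-44): one server-side content
generator written two ways.  The vulnerable handlers build a SQL query and
a file path directly from request parameters; the hardened handlers apply
the controls the guideline calls for: constrain input size and values, bind
input as query parameters instead of concatenating it, and keep file access
inside the Web document root.  All data below is constructed for the
example; DOCROOT, MAX_TERM_LEN and the table contents are assumptions.
"""
import posixpath
import re
import sqlite3
from typing import Callable, Dict, List

DOCROOT = "/var/www/html"                    # assumed Web content area
MAX_TERM_LEN = 64                            # assumed size limit on a search term
TERM_RE = re.compile(r"^[A-Za-z0-9 _-]+$")   # assumed allowlist: no quotes, no ';'


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the backend database server (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, is_public INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("widget", 1), ("gadget", 1), ("prototype", 0)])
    db.execute("CREATE TABLE users (login TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-password')")
    return db


# ---- search: vulnerable vs hardened --------------------------------------
def search_vulnerable(db: sqlite3.Connection, term: str) -> List[str]:
    """User input spliced into the SQL text: a term such as
    "x' UNION SELECT pw_hash FROM users --" piggybacks a second query that
    reads the users table through the product search."""
    sql = ("SELECT name FROM products WHERE is_public = 1 AND name = '"
           + term + "'")
    return [row[0] for row in db.execute(sql)]


def search_hardened(db: sqlite3.Connection, term: str) -> List[str]:
    """Size and value check first, then parameter binding: the term is only
    ever compared as data and is never parsed as SQL."""
    if len(term) > MAX_TERM_LEN or not TERM_RE.match(term):
        raise ValueError("rejected search term")
    rows = db.execute(
        "SELECT name FROM products WHERE is_public = 1 AND name = ?", (term,))
    return [row[0] for row in rows]


# ---- file access: vulnerable vs hardened ---------------------------------
def resolve_vulnerable(docroot: str, requested: str) -> str:
    """Naive join: '../' sequences (or an absolute path) leave the Web area."""
    return posixpath.normpath(posixpath.join(docroot, requested))


def resolve_hardened(docroot: str, requested: str) -> str:
    """Normalise, then refuse any path whose resolved form is not under the
    document root.  commonpath compares whole components, so a sibling such
    as /var/www/html-old cannot pass as the root the way a prefix test would."""
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes document root")
    return candidate


# ---- dispatcher: the small, fixed set of functions a user may invoke -----
HANDLERS: Dict[str, Callable[..., object]] = {
    "search": lambda db, params: search_hardened(db, params.get("q", "")),
    "file": lambda db, params: resolve_hardened(DOCROOT, params.get("path", "")),
}


def handle_request(db: sqlite3.Connection, params: Dict[str, str]) -> object:
    """Anything outside the allowlisted actions is rejected outright."""
    action = params.get("action", "")
    if action not in HANDLERS:
        raise ValueError("unknown action")
    return HANDLERS[action](db, params)


def rejected(fn: Callable[..., object], *args: object) -> bool:
    """True when a handler refuses its input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    hostile = "x' UNION SELECT pw_hash FROM users --"
    print("vulnerable search leaks:", search_vulnerable(db, hostile))
    print("vulnerable file access:", resolve_vulnerable(DOCROOT, "../../../etc/passwd"))
    for params in ({"action": "search", "q": hostile},
                   {"action": "file", "path": "../../../etc/passwd"},
                   {"action": "search", "q": "widget"},
                   {"action": "shell", "cmd": "id"}):
        try:
            print(params, "->", handle_request(db, params))
        except ValueError as exc:
            print(params, "-> rejected:", exc)
```

Running the module prints the leak from each vulnerable handler (the admin password hash from the search, /etc/passwd from the file lookup) and the rejection from each hardened one. The path check works on the normalised string only; on a live server the same comparison should also be applied to os.path.realpath() of the file, so that a symbolic link placed inside the document root cannot point outside it. None of this removes the need to run the script as an unprivileged account, as the text above notes: the checks stop the attacks shown here, while low privilege bounds what a flaw the checks miss can do.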
6-12