NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS Completed Action No directories have both write and execute permissions All executable files are placed in a dedicated folders SSIs are disabled or the execute function is disabled All user input is validated Web content generation code should be scanned or audited Dynamically created pages do not create dangerous metacharacters Character set encoding should be explicitly set in each page User data should be scanned to ensure it contains only expected input, (e.g., a-z, A-Z, 0-9); care should be taken with special characters or HTML tags Cookies should be examined for any special characters Encryption mechanism is used to encrypt passwords entered through scripts forms For Web applications that are restricted by username and password, none of the Web pages in the application should be accessible without executing the appropriate login process All sample scripts are removed No third-party scripts or executable code are used without verifying the source code 6-20
GUIDELINES ON SECURING PUBLIC WEB SERVERS 7. Using Authentication and Encryption Technologies Public Web servers often support a range of technologies for identifying and authenticating users with differing privileges for accessing information. Some of these technologies are based on cryptographic functions that can provide an encrypted channel between a Web browser client and a Web server that supports encryption. Without user authentication, organizations will not be able to restrict access to specific information to authorized users. All information that resides on a public Web server will then be accessible by anyone with access to the server. In addition, without some process to authenticate the server, users will not be able to determine if the server is the “authentic” Web server or a counterfeit version operated by a malicious entity. Encryption can be used to protect information traversing the connection between a Web browser client and a public Web server. Without encryption, anyone with access to the network traffic can determine, and possibly alter, the content of sensitive information, even if the user accessing the information has been authenticated carefully. This may violate the confidentiality and integrity of critical information. 7.1 Determining Authentication and Encryption Requirements Organizations should periodically examine all information accessible on the public Web server and determine the necessary security requirements. While doing so, the organization should identify information that shares the same security and protection requirements. For sensitive information, the organization should determine the users or user groups that should have access to each set of resources. For information that requires some level of user authentication, the organization should determine which of the following technologies or methods would provide the appropriate level of authentication and encryption. Each has its own unique benefits and costs that should be weighed carefully with client and organizational requirements and policies. It may be desirable to use some authentication methods in combination. This guide discusses the authentication mechanisms most commonly associated with public Web servers and Web applications. More advanced authentication mechanisms can be supported by these servers and applications and are discussed in <strong>NIST</strong> SP <strong>800</strong>-63. 46 7.2 Address-Based Authentication The simplest authentication mechanism that is supported by most Web servers is address-based authentication. Access control is based on the IP address and/or hostname of the host requesting information. Although it is easy to implement for small groups of users, address authentication can be unwieldy for Web sites that have a large potential user population (i.e., most public Web servers). It is susceptible to several types of attacks, including IP spoofing and DNS poisoning. This type of authentication should be used only where minimal security is required, unless it is used in conjunction with stronger authentication methods. 46 <strong>NIST</strong> SP <strong>800</strong>-63, Electronic Authentication Guideline, is available at http://csrc.nist.gov/publications/nistpubs/. 7-1
Page 1 and 2:
Special Publication 800</st
Page 3 and 4:
GUIDELINES ON SECURING PUBLIC WEB S
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22: GUIDELINES ON SECURING PUBLIC WEB S
Page 71: GUIDELINES ON SECURING PUBLIC WEB S
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

Create successful ePaper yourself

Delete template?

Save as template?