NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

Dictionary Attacks—Attackers use common dictionary words and their variants to attempt to gain access to a user's account.

Brute Force Attacks—Attackers try every possible password to attempt to gain access to a user's account.

There are a number of methods for reducing a Web server's vulnerability to brute force attack:

Use Strong Authentication—Strong authentication techniques, such as hardware tokens, one-time passwords, biometric authentication, and SSL/TLS client certificates, are much more resistant to brute force attacks than passwords. Stronger authentication can be achieved by combining multiple authentication mechanisms to form a multi-factor authentication scheme. However, strong authentication may be prohibitively expensive or difficult to incorporate into a system.

Use Timeouts—Incurring a delay of several seconds after a failed login attempt can slow an attacker down. However, attackers can attempt multiple logins at the same time from different clients.

Use Lockouts—Locking out a user account after a number of failed login attempts prevents the attacker from successfully logging into an account. The primary disadvantage of this technique is that it can leave the system open to a DoS attack. Also, an attacker may try several common passwords against random usernames, which may grant the attacker access to the system while bypassing the lockout [Whit06].

Enforce a Password Policy—By requiring passwords to be of a certain length and to contain lowercase letters, uppercase letters, numerals, and/or symbols, a simple dictionary attack will not work on the system.

Enforce a Password Change Policy—By requiring passwords to be changed on a regular basis, an attacker might not have enough time to brute-force a potential password. However, strict password change policies can frustrate users and weaken passwords by causing users to follow patterns, such as using password1, password2, etc. [Bell06]

Use Blacklists—Blocking IP addresses or domains known to attempt brute force attacks from accessing the system may stop some attackers, but it is possible that some attacks may come from compromised systems that would otherwise be considered legitimate.

Use Log Monitoring Software—Vigilantly monitoring logs of invalid password attempts may help an organization detect brute force attacks, potentially giving the organization time to respond before the attack has been successful.

Aside from strong authentication, none of these mechanisms completely prevent brute force attacks; however, using one or more of these techniques makes it more difficult for an attacker to gain access to the system. Nevertheless, when considering which technologies to adopt, it is important to consider passwords as part of the system as a whole. For example, a Web site that uses usernames and passwords to retrieve user customizations may not need to concern itself with preventing brute force attacks [Bell06]. In systems where sensitive information is being protected, some of these techniques may be necessary. Regardless, an organization may already have policies regarding brute force attacks. If so, those policies should be followed and enhanced if necessary.
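As an added example (not from NIST SP 800-44; the log format, thresholds and sample lines are constructed and hypothetical), the log-monitoring check described above can be automated: the script flags repeated failures against a single account and, separately, the few-passwords-against-many-usernames pattern that slips past per-account lockouts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a hypothetical "timestamp ip event user=" format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 LOGIN_FAIL user=alice
2024-05-01T10:00:03Z 203.0.113.5 LOGIN_FAIL user=alice
2024-05-01T10:00:04Z 203.0.113.5 LOGIN_FAIL user=alice
2024-05-01T10:00:09Z 198.51.100.7 LOGIN_FAIL user=bob
2024-05-01T10:00:10Z 198.51.100.7 LOGIN_FAIL user=carol
2024-05-01T10:00:11Z 198.51.100.7 LOGIN_FAIL user=dave
2024-05-01T10:01:00Z 192.0.2.9 LOGIN_FAIL user=frank
2024-05-01T10:01:05Z 192.0.2.9 LOGIN_OK user=frank
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+)$")

def parse_line(line):
    """Return (timestamp, ip, event, user), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4)

def detect_brute_force(log_text, window_s=300, per_account=3, spray_accounts=3):
    """Per-IP sliding-window detection. ("brute_force", ip, user): >= per_account failures
    on one account; ("spray", ip, "*"): failures on >= spray_accounts distinct accounts, the
    few-passwords-many-usernames pattern that slips past lockouts. Returns {key: max count}."""
    per_ip_user = defaultdict(deque)   # (ip, user) -> failure timestamps
    per_ip = defaultdict(deque)        # ip -> (timestamp, user) of each failure
    alerts = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None or parsed[2] != "LOGIN_FAIL":
            continue                   # successes and unparsable lines are not counted
        ts, ip, _, user = parsed
        q = per_ip_user[(ip, user)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                # expire failures older than the window
        if len(q) >= per_account:
            alerts[("brute_force", ip, user)] = max(alerts.get(("brute_force", ip, user), 0), len(q))
        q2 = per_ip[ip]
        q2.append((ts, user))
        while (ts - q2[0][0]).total_seconds() > window_s:
            q2.popleft()
        distinct = len({u for _, u in q2})
        if distinct >= spray_accounts:
            alerts[("spray", ip, "*")] = max(alerts.get(("spray", ip, "*"), 0), distinct)
    return alerts
```

Feeding the real server's authentication log through `parse_line` (after adjusting `LINE_RE` to its format) and alerting on the returned keys gives an organization the early warning the guideline describes.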
7-13