IT Baseline Protection Manual - The Information Warfare Site

Data Transmission Systems WWW server
_________________________________________________________________________________________
Recommended measures
For the implementation of IT baseline protection, selection of the required packages of safeguards
("modules"), as described in chapters 2.3 and 2.4, is recommended.
In this chapter, only the threats and safeguards specific to a WWW server are described. In addition,
chapter 6.1 Server-supported Network must be implemented to ensure the security of the
organisation's own network.
In order to ensure that the connection of the WWW server to public networks (such as the Internet) is
secure, attention should be paid to chapter 7.3 Firewall. This is also the case for the connection of
several Intranets to an extensive Intranet. The controlled connection of external connection points (e.g.
of telecommuting workstations via ISDN) is dealt with in chapter 9.3 Telecommuting.
A WWW server should be installed in a separate server room. The appropriate safeguards are
described in Chapter 4.3.2. If no server room is available, the WWW server can alternatively be set up
in a server cabinet (see chapter 4.4 Protective Cabinets).
In order to set up a WWW server successfully and securely, a number of safeguards must be
implemented. The steps and measures involved are described below:
1. Creating a concept for the WWW server (see S 2.172 Developing a concept for using the WWW)
and determining a WWW security strategy (see S 2.173 Determining a WWW security strategy):
- Determining the security objectives
- Adapting the network structure
- Basic requirements
- Organisational regulations
2. Implementing the WWW server (see S 2.175 Setting up a WWW server):
- Implementing the IT baseline protection safeguards for the WWW computer (for example,
see chapter 6.2 for WWW servers based on Unix)
- Using secure communication connections (see S 5.65 Use of S-HTTP and S 5.66 Use of SSL)
- Java, ActiveX (see S 5.69 Protection against active content)
3. Operating the WWW server (see S 2.174 Secure operation of a WWW server):
- Regular checks
- Adaptation to changes and tests
- Access protection for WWW files (S 4.94 Protection of WWW files)
- Logging at the WWW server
- Contingency planning for the WWW server (see also Chapter 3.3)
- Data backup (see chapter 3.4 Data backup policy)
6. Secure operation of WWW clients
Alongside the safeguards described in chapter 5 additional safeguards outlined in S 5.45 Security of
WWW-browsers should be observed
- Using secure communication connections (see S 5.65 Use of S-HTTP and S 5.66 Use of SSL)
- Protection against viruses, macro viruses, active contents (see S 4.33 Running a virus scan
program before and after data transfer and S 5.69 Protection against active content)
_________________________________________________________________________________________
IT-Baseline Protection Manual: Otober 2000