IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.174 Secure operation of a WWW server
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
WWW servers are attractive targets for attackers and therefore have to be very
carefully configured so that they can be operated securely. The operating
system and the software must be configured in such a way that the computer is
given optimum protection against attacks. The computer must not be
connected to the network until such time as it is appropriately configured.
A WWW server that offers information on the Internet should be installed in
accordance with the following stipulations:
- Only a minimum of programs should be installed on a WWW server, i.e.
the operating system should be reduced to those functionalities that are
absolutely essential and otherwise, too, only programs that are really
necessary should be installed on the WWW server (see S 4.95 Minimal
operating system).
- In particular, a WWW server should not include any unnecessary network
services; different services should be installed on different computers (see
S 4.97 One service per server).
- Access to files or directories must be protected (see S 4.94 Protection of
WWW files).
- Communication with the WWW server should be restricted to a minimum
through the use of a packet filter (see S 4.98).
- Administration of the WWW server should always be performed via a
secure connection; this means that administration should be performed
directly on the console, with strong authentication (if access is from the
LAN) or via an encrypted connection (if access is from the Internet).
- Furthermore, the WWW server should be secured from the Internet by a
firewall proxy or at least by a packet filter (see S 4.98). This must not be
located between the firewall and the internal network, because an error on
the WWW server could otherwise allow access to internal data.
There are various possible methods of providing protection, depending on the
type of WWW server. A common feature of all of these methods, however, is
that only a restricted set of rights should be assigned to the WWW server’s
actual server process, namely the http daemon. Usually it must be started with
root privileges, but after being started it should continue operating as quickly
as possible with the rights of a less privileged new user. A separate user
account, such as wwwserver, should be created for this purpose. It is important
that this user should not have any rights to write to the log files. Otherwise an
intruder could manipulate these files using the rights of the HTTP server by
exploiting an error.
If an intruder does exploit a weak point in the http daemon, therefore, he will
not have access to the operating system as such. If possible, the http daemon
should be restricted to part of the file tree. Under Unix, this can be done with
the chroot program, for example. Besides this, the cgi programs supplied with
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000