[ISN] ITL Bulletin for January 2008
Forwarded from: Elizabeth Lennon <elizabeth.lennon (at) nist.gov>
ITL BULLETIN FOR JANUARY 2008
SECURE WEB SERVERS: PROTECTING WEB SITES THAT ARE ACCESSED
BY THE PUBLIC
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce
Many organizations rely upon the World Wide Web (Web) to publish
information, to exchange information with Internet users, and to conduct
electronic transactions with their customers and their suppliers. The
Web's system of interlinked text, images, videos, and other information
makes vast amounts of information available to organizations and
individuals. With the many advances in computer efficiency, programming
techniques, and entry points to network systems, however, public Web
sites have become vulnerable to frequent security threats.
The safe operation of public Web sites depends upon the safe and secure
operation of two principal components of the networking infrastructure:
the organization's Web servers, the software applications that make
information available over the Internet; and Web browsers, the programs
that enable users to access and display the information from the Web.
Guidelines developed by the Information Technology Laboratory of the
National Institute of Standards and Technology (NIST) help organizations
manage the secure operation of both their Web servers and their Web
browsers. This bulletin summarizes a recently updated NIST Special
Publication (SP) 800-44, Guidelines on Securing Public Web Servers,
which focuses on the design, implementation, and operation of publicly
accessible and secure Web servers. See the More Information section at
the end of the bulletin for references to other publications that deal
with the security of both Web servers and browsers, and with the basic
processes for planning, implementing, and operating secure systems.
NIST Special Publication (SP) 800-44, Version 2, Guidelines on Securing
Public Web Servers: Recommendations of the National Institute of
Standards and Technology
NIST SP 800-44, Version 2, Guidelines on Securing Public Web Servers,
details the steps that organizations should take to plan, install, and
maintain secure Web server software and their underlying operating
systems. The authors of NIST SP 800-44, Version 2, are Miles Tracy of
Federal Reserve Information Technology, Wayne Jansen of NIST, Karen
Scarfone of NIST, and Theodore Winograd of Booz Allen Hamilton.
Issues covered in the guide include how to secure, install, and
configure the operating system that supports the Web server; how to
secure, install, and configure Web server software; how to deploy
appropriate network protection mechanisms, such as firewalls, routers,
switches, and intrusion detection and intrusion prevention systems; the
steps for maintaining the secure configuration of the operating system
and server software through the application of appropriate patches and
upgrades; the requirements for security testing; the methods for
monitoring logs, and for managing backups of data and operating system
files; and how to use, publicize, and protect information and data on
Web servers in a careful and systematic manner.
The appendices to the guide provide useful supplemental information: a
list of online Web security resources, definitions of the terms used in
the guide, and a list of commonly used Web server security tools and
applications. Other practical resources in the appendices are a list of
in-print and online references, an extensive checklist of actions needed
for Web server security, and an acronym list.
NIST SP 800-44, Version 2, is available on the NIST Web site:
The Need for Security
The World Wide Web is a widely used system for exchanging information
over the Internet. Both Web servers and Web browsers can be vulnerable
to attacks that destroy or change information, and disrupt operations.
Web servers are frequently targeted for attack and are subject to many
security threats, such as:
* Malicious attacks that exploit software bugs in the Web server, the
underlying operating system, or the active content of information.
These attacks allow the intruder to gain unauthorized access to the
Web server and to information that was not meant to be publicly
accessible. Then, sensitive information on the Web server may be read
or modified. These attacks can also result in giving the intruder
unauthorized capabilities to execute commands and to install software
on the Web server.
* Denial of service (DoS) attacks that are directed to the Web server or
its supporting network infrastructure. These attacks can result in
denying or hindering authorized users from making use of the Web
* The compromise of sensitive information on backend databases that are
used to support interactive elements of a Web application. The
attacker injects commands that are run on the server. Using Structured
Query Language (SQL) and Lightweight Directory Access Protocol (LDAP),
the attacker submits input that will be passed to a database and then
processed. In cross-site scripting (XSS) attacks, the intruder
manipulates the application to store scripting language commands that
are activated when another user accesses the Web page.
* The interception of sensitive information that is transmitted
unencrypted between the Web server and the browser.
* The modification of the information on the Web server for malicious
purposes, such as the defacement of Web sites.
* Malicious entities that gain unauthorized access to resources
elsewhere in the organization's network via a successful attack on the
* Malicious entities that attack external entities after compromising a
Web server host. These attacks can be launched directly, from the
compromised host against an external server, or indirectly, through
the placement of malicious content on the compromised Web server in
order to exploit vulnerabilities in the Web browsers of the users
visiting the site.
* Use of the Web server as a distribution point for attack tools,
pornography, or illegally copied software.
* Attackers that use indirect methods to extract personal information
from users. Phishing attacks trick the user into logging into a fake
site and giving personal information, which is then stolen. In another
type of indirect attack known as pharming, Domain Name System (DNS)
servers or users' host files are compromised to redirect users to a
malicious site instead of to the legitimate site. The information that
is collected in phishing and pharming attacks can be used to access
the user's Web site or to carry out an identity theft scheme.
NIST's Recommendations for Installing, Configuring, and Maintaining
Secure Public Web Servers
To address the many sophisticated security threats, NIST recommends that
organizations adopt the following practices to maintain a secure Web
* Carefully plan and address the security aspects for the deployment of
a public Web server.
Security issues should be considered when an organization begins to plan
for the deployment of a public Web server since it is much more
difficult to address security once deployment and implementation have
taken place. Sound decisions about the appropriate configuration of
systems are more likely to be made when organizations develop and use a
detailed, well-designed deployment plan. The deployment plan will also
support the organization's Web server administrators when they have to
make the necessary trade-off decisions regarding usability, performance,
Human resource requirements are essential components of planning,
deployment, and operational phases of the Web server and its supporting
infrastructure. Human resource issues that need to be addressed in a
deployment plan include:
* Types of personnel required: system and Web server administrators,
Webmasters, network administrators, information systems security
* Skills and training required by assigned personnel; and
* Required levels of effort for individuals and the overall level of
effort required for the staff as a whole.
* Implement appropriate security management practices and controls when
maintaining and operating a secure Web server.
Organizations should identify their information system assets and the
development, documentation, and implementation of policies, standards,
procedures, and guidelines that help to ensure the confidentiality,
integrity, and availability of information system resources. The
following security management practices will help to strengthen the
security of the Web server and the supporting network infrastructure:
* Develop an organization-wide information system security policy.
* Use configuration/change control and management practices.
* Conduct risk assessment and management processes.
* Adopt standardized software configurations that satisfy the
information system security policy.
* Conduct security awareness and training activities.
* Adopt contingency planning, continuity of operations, and disaster
recovery planning procedures.
* Apply certification and accreditation methods.
* Ensure that Web server operating systems are deployed, configured, and
managed to meet the security requirements of the organization.
The security of a Web server depends upon the security of its underlying
operating system. Most commonly available Web servers operate on a
general-purpose operating system, which should be configured
appropriately to circumvent security problems. Default hardware and
software configurations are typically set by manufacturers to emphasize
features, functions, and ease of use, and may not focus on security
issues. Because every organization's security needs are different, Web
server administrators should configure new servers to reflect their
organization's security requirements and then reconfigure the servers as
those requirements change. Security configuration guides or checklists
can assist administrators in securing systems consistently and
efficiently. Steps for securing the operating system include:
* Patch and upgrade the operating system.
* Remove or disable unnecessary services and applications.
* Configure operating system user authentication.
* Configure resource controls.
* Install and configure additional security controls.
* Perform security testing of the operating system.
* Ensure that the Web server application is deployed, configured, and
managed to meet the security requirements of the organization.
The steps for the secure installation and configuration of the Web
server application parallel the steps for securing the operating system.
Administrators should install the minimal amount of Web server services
required and eliminate any known vulnerabilities through patches or
upgrades. Any unnecessary applications, services, or scripts resulting
from the server installation program should be removed immediately after
the conclusion of the installation process. Steps for securing the Web
server application include:
* Patch and upgrade the Web server application.
* Remove or disable unnecessary services, applications, and sample
* Configure Web server user authentication and access controls.
* Configure Web server resource controls.
* Test the security of the Web server application and Web content.
Organizations should develop a Web publishing process or policy that
determines what type of information will be published openly, what
information will be published with restricted access, and what
information should not be published to any publicly accessible
repository. Some generally accepted examples of what should not be
published or that at least should be carefully examined and reviewed
before publication on a public Web site include:
* Classified or proprietary information;
* Information on the composition or preparation of hazardous materials
* Sensitive information relating to homeland security;
* Medical records;
* An organization's detailed physical and information security
* Details about an organization's network and information system
infrastructure, such as address ranges, naming conventions, and access
* Information that specifies or implies physical security
* Detailed plans, maps, diagrams, aerial photographs, and architectural
drawings of organizational buildings, properties, or installations;
* Any sensitive information about individuals, such as personally
identifiable information (PII), that might be subject to federal,
state or, in some instances, international privacy laws.
* Take appropriate steps to protect Web content from unauthorized access
After organizations carefully review the information that is made
available to the public on their Web sites, the organizations should
ensure that the information cannot be modified without proper
authorization. Users rely on the integrity of the publicly available
information. Because of the public accessibility of Web content, the
information is vulnerable to modification. Organizations should protect
public Web content through practices for the appropriate configuration
of Web server resource controls, such as:
* Install or enable only necessary services.
* Install Web content on a dedicated hard drive or logical partition.
* Limit uploads to directories that are not readable by the Web server.
* Define a single directory for all external scripts or programs
executed as part of Web content.
* Disable the use of hard or symbolic links.
* Define a complete Web content access matrix that identifies which
folders and files within the Web server document directory are
restricted, which are accessible, and to whom.
* Disable directory listings.
* Use user authentication, digital signatures, and other cryptographic
mechanisms as appropriate.
* Use host-based intrusion detection systems (IDSs), intrusion
prevention systems (IPSs), and/or file integrity checkers to detect
intrusions and to verify Web content.
* Protect the backend server from command injection attacks directed to
both the Web server and the backend server.
* Use active content judiciously after balancing the benefits gained
against the associated risks.
Early Web sites usually presented static information such as text-based
documents that were on the Web server. Today, interactive elements are
available, making possible new ways for users to interact with a Web
site. These interactive elements have introduced new Web-related
vulnerabilities because they involve dynamically executing code on
either the Web server or the client using a large number of inputs, from
Universal Resource Locator (URL) parameters to Hypertext Transfer
Protocol (HTTP) POST content and, more recently, Extensible Markup
Language (XML) content in the form of Web service messages. Different
active content technologies have different vulnerabilities associated
with them, and their risks should be weighed against their benefits.
Although most Web sites use some form of active content generators, many
also deliver some or all of their content in a non-active form.
* Use appropriate authentication and cryptographic technologies to
protect certain types of sensitive data.
Public Web servers often support a range of technologies for identifying
and authenticating users with different privileges for accessing
information. Some of these technologies are based on cryptographic
functions that can provide an encrypted channel between a Web browser
client and a Web server. Web servers may be configured to use different
cryptographic algorithms, providing varying levels of security and
Without proper user authentication processes, organizations cannot
selectively restrict access to specific information. All of the
information that is available on a public Web server would be within
reach of anyone with access to the server. Also, a process to
authenticate the server to the user helps users of the public Web server
to determine whether the server is the "authentic" Web server or a
counterfeit version operated by a malicious entity.
Despite the employment of an encrypted channel and an authentication
mechanism, attackers may still attempt to access the Web site via a
brute force attack. Improper authentication techniques can allow
attackers to gather valid usernames or potentially gain access to the
Web site. Strong authentication mechanisms can also protect against
phishing and pharming attacks. Therefore, an appropriate level of
authentication should be implemented based on the sensitivity of the Web
server's users and content.
* Employ the network infrastructure to help protect public Web servers.
The network infrastructure, which includes firewalls, routers, and IDSs,
supports the Web server and plays a critical role in the security of the
Web server. In most configurations, the network infrastructure will be
the first line of defense between a public Web server and the Internet.
Network design alone, however, cannot protect a Web server. Web server
attacks are frequent, sophisticated, and varied. Web server security
must be implemented through layered and diverse protection mechanisms
that provide defense-in-depth.
* Commit to an ongoing process for maintaining the security of public
Web servers to ensure continued security.
Organizations should apply constant effort, resources, and vigilance to
maintain secure Web servers. The following steps should be performed on
a daily basis to maintain the security of Web servers:
* Configure, protect, and analyze log files.
* Back up critical information frequently.
* Maintain a protected authoritative copy of the organization's Web
* Establish and follow procedures for recovering from compromise.
* Test and apply patches in a timely manner.
* Test server security periodically.
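As an added illustration of two of the recommendations above, the file integrity checker named in the resource-controls list and the daily verification of deployed content against a protected authoritative copy (example code written for this summary, not code from SP 800-44 or the bulletin):

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large assets need not fit in memory

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map every entry under root (POSIX relative path) to its SHA-256. Symbolic
    links are recorded, not followed: the checklist says links should be disabled
    in the document tree, so any link found is itself a finding."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in dirnames + filenames:
            p = Path(dirpath, name)
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                manifest[rel] = "symlink:" + os.readlink(p)
            elif p.is_file():
                manifest[rel] = sha256_file(p)
    return manifest

def verify_content(authoritative: dict, deployed: dict) -> dict:
    """Diff the deployed manifest against the authoritative one. Anything modified,
    added or missing means public content no longer matches the protected copy."""
    return {
        "modified": sorted(k for k in authoritative if k in deployed and deployed[k] != authoritative[k]),
        "added": sorted(k for k in deployed if k not in authoritative),
        "missing": sorted(k for k in authoritative if k not in deployed),
        "symlinks": sorted(k for k, v in deployed.items() if v.startswith("symlink:")),
    }

def check_site(authoritative_root, deployed_root) -> dict:
    return verify_content(build_manifest(Path(authoritative_root)),
                          build_manifest(Path(deployed_root)))

def demo() -> dict:
    """Constructed sample (not a real site): a protected copy and a deployed tree in
    which the front page was defaced, an unexpected script was dropped in, one page
    vanished and a symbolic link pointing outside the document root appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        auth, live = Path(tmp, "authoritative"), Path(tmp, "htdocs")
        for root in (auth, live):
            (root / "css").mkdir(parents=True)
            (root / "index.html").write_text("<h1>Welcome</h1>\n")
            (root / "css" / "site.css").write_text("body{margin:0}\n")
        (auth / "about.html").write_text("<p>About us</p>\n")
        (live / "index.html").write_text("<h1>Defaced</h1>\n")
        (live / "css" / "dropped.php").write_text("<?php /* unexpected file */ ?>\n")
        os.symlink("../../outside.txt", live / "escape")
        return check_site(auth, live)
```

Run `check_site` from a scheduled job against the live document root and the read-only authoritative copy; a non-empty result is the trigger for the compromise-recovery procedure.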
Federal agencies will find information about protecting sensitive
information in the following directives:
White House Memorandum dated March 19, 2002, Action to Safeguard
Information Regarding Weapons of Mass Destruction and Other Sensitive
Documents Related to Homeland Security
OMB Memorandum M-06-16, dated June 23, 2006, Protection of Sensitive
Agency Information; and OMB Memorandum M-07-16, dated May 22, 2007,
Safeguarding Against and Responding to the Breach of Personally
Identifiable Information, at http://www.whitehouse.gov/omb/memoranda/.
NIST publications assist organizations in planning and implementing a
comprehensive approach to information security. NIST publications that
support the secure installation, configuration, and maintenance of Web
servers and browsers include:
NIST SP 800-18 Revision 1, Guide for Developing Security Plans for
Federal Information Systems.
NIST SP 800-28, Guidelines on Active Content and Mobile Active Code.
NIST SP 800-40, Version 2.0, Creating a Patch and Vulnerability
NIST SP 800-41, Guidelines on Firewalls and Firewall Policy.
NIST SP 800-42, Guideline on Network Security Testing.
NIST SP 800-45, Version 2, Guidelines on Electronic Mail Security.
NIST SP 800-46, Security for Telecommuting and Broadband Communications.
NIST SP 800-92, Guide to Computer Security Log Management.
NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems
NIST SP 800-95, Guide to Secure Web Services.
For information about NIST standards and guidelines that are referenced in the
Web server security guide, as well as other security-related publications, see
NIST's Web page at http://csrc.nist.gov/publications/index.html.
Any mention of commercial products or reference to
commercial organizations is for information only; it does
not imply recommendation or endorsement by NIST nor does it
imply that the products mentioned are necessarily the best
available for the purpose.
Elizabeth B. Lennon
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378