Web Servers and System Hardening

Posted by arlene

Most companies and organizations today have a Web presence on the Internet. An Internet presence offers numerous business advantages, such as the ability to advertise to a large audience, to interact with customers and partners, and to provide updated information to interested parties.

Web pages are stored on servers running Web service software such as Microsoft’s Internet Information Server (IIS) or Apache (developed for Linux and UNIX servers, but now also available for Windows). Web servers must be reachable from the Internet if the public is to access the Web pages. However, this reachability also provides a point of entry for Internet “bad guys” who want to get into the network, so it is vitally important that Web servers be secured. The Web server is such a tempting target because in many cases it is the only part of your network that an attacker can reach. Protecting a Web server is no small task. Systems attached to the Internet before they are fully “hardened” are usually detected and compromised within minutes. Malicious crackers are always actively scanning for systems to infiltrate, so it is essential that a Web server is properly locked down before it is brought online.

Living the Web 2.0

First and foremost, administrators must lock down the underlying OS. This process includes applying updates and patches, removing unneeded protocols and services, and properly configuring all native security controls. Second, it is wise to place the Web server behind a protective barrier, such as a firewall or a reverse proxy. Anything that limits, restricts, filters, or controls traffic into and out of a Web server reduces the means by which malicious users can attack the system. Third, administrators must lock down the Web server itself. This process has numerous facets, each of which is important to maintaining a secure Web server.
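One practical check for the first step (removing unneeded protocols and services) is to compare what the host is actually listening on against the short list of services a hardened Web server should expose; the same list is what the firewall in the second step should be built from. The following is an added example, not code from the original post: it parses the column layout of Linux `ss -ltnp` output (an assumption; that is the only format it handles) and reports every listener that is not on the allow list, treating loopback-only services as lower severity than network-reachable ones. The `ss` output below is constructed for the demonstration.

```python
"""Audit listening TCP sockets against the services a Web server should expose.

Added example (not from the original post). Assumes the column layout of
Linux `ss -ltnp`; the sample output is constructed.
"""
import re
from typing import Dict, List, NamedTuple


class Listener(NamedTuple):
    addr: str
    port: int
    process: str


class Finding(NamedTuple):
    listener: Listener
    severity: str   # "high" = reachable from the network, "medium" = loopback only
    reason: str


# Constructed sample of `ss -ltnp` on a host meant to serve only HTTP, HTTPS and SSH.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       511            0.0.0.0:80          0.0.0.0:*      users:(("apache2",pid=812,fd=4))
LISTEN  0       511            0.0.0.0:443         0.0.0.0:*      users:(("apache2",pid=812,fd=6))
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=640,fd=3))
LISTEN  0       80           127.0.0.1:3306        0.0.0.0:*      users:(("mysqld",pid=901,fd=21))
LISTEN  0       50             0.0.0.0:21          0.0.0.0:*      users:(("vsftpd",pid=955,fd=3))
LISTEN  0       128                  *:8080              *:*      users:(("java",pid=1200,fd=12))
"""

# Allow list: port -> process that is expected to own it (constructed for this host).
EXPECTED_SERVICES: Dict[int, str] = {80: "apache2", 443: "apache2", 22: "sshd"}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# One LISTEN row: state, queues, local addr:port, peer addr:port, users:(("proc",...))
_LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_listeners(ss_text: str) -> List[Listener]:
    """Extract (address, port, process) from each LISTEN row; header lines are skipped."""
    listeners: List[Listener] = []
    for line in ss_text.splitlines():
        match = _LINE_RE.match(line.strip())
        if match:
            listeners.append(Listener(match.group(1), int(match.group(2)), match.group(3)))
    return listeners


def audit_listeners(ss_text: str, allowed: Dict[int, str]) -> List[Finding]:
    """Return one finding per listener that is not exactly an allowed port/process pair."""
    findings: List[Finding] = []
    for lst in parse_listeners(ss_text):
        expected = allowed.get(lst.port)
        if expected == lst.process:
            continue                                    # allowed port, expected owner
        local_only = lst.addr in LOOPBACK
        severity = "medium" if local_only else "high"
        if expected is not None:
            reason = f"port {lst.port} is served by {lst.process}, expected {expected}"
        elif local_only:
            reason = f"{lst.process} listens on loopback only; remove it if the Web tier does not need it"
        else:
            reason = f"{lst.process} on port {lst.port} is reachable from the network and not allow-listed"
        findings.append(Finding(lst, severity, reason))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT, EXPECTED_SERVICES):
        print(f"[{f.severity}] {f.listener.addr}:{f.listener.port} {f.reason}")
```

Run against a live host by piping `ss -ltnp` output into `audit_listeners`; anything reported as high severity is a service that either should be removed or needs an explicit firewall rule that the Web tier's design can justify.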

Many Web servers, such as older versions of IIS, use a named user account to authenticate anonymous Web visitors. When a Web visitor accesses a Web site using this methodology, the Web server automatically logs that user on as the IIS user account.

The visiting user remains anonymous, but the host server platform uses the IIS user account to control access. This account gives system administrators granular access control on the Web server.

These specialized Web user accounts should have their access restricted so they can neither log on locally nor access anything outside the Web root. Additionally, administrators should be very careful about granting these accounts the ability to write to files or execute programs; this should be done only when absolutely necessary. If other named user accounts are allowed to log on over the Web, it is essential that these accounts not be the same user accounts employed to log onto the internal network. In other words, if employees log on via the Web using their own credentials instead of the anonymous Web user account, administrators should create special accounts for those employees to use just for Web logon. Authorizations over the Internet should not be considered secure unless strong encryption mechanisms are in place to protect them. Secure Sockets Layer (SSL) can be used to protect Web traffic; however, the protection it offers is not significant enough to protect internal accounts on the Internet.
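The three restrictions above (no write access unless required, no execution unless required, nothing reachable outside the Web root) can be verified on disk rather than trusted. The following is an added example, not code from the original post: it models the anonymous Web account as the "other" class of Unix permission bits (an assumption; on IIS the equivalent would be the ACL entries of the anonymous account) and walks a Web root reporting world-writable files or directories, executables outside an allow-listed directory such as `cgi-bin`, and symlinks that resolve outside the Web root. The sample tree it builds is constructed for the demonstration.

```python
"""Audit a Web root for permissions that give the anonymous Web user more
than it needs. Added example (not from the original post). Models the Web
account as the Unix "other" permission class; the sample tree is constructed.
"""
import os
import stat
import tempfile
from typing import List, Tuple

Finding = Tuple[str, str]   # (path relative to the Web root, issue)


def _escapes_root(path: str, root_real: str) -> bool:
    """True if the symlink at `path` resolves to a location outside the Web root."""
    target = os.path.realpath(path)
    return os.path.commonpath([target, root_real]) != root_real


def audit_webroot(root: str, exec_dirs: Tuple[str, ...] = ("cgi-bin",)) -> List[Finding]:
    """Walk `root` without following symlinks and collect permission findings."""
    root_real = os.path.realpath(root)
    findings: List[Finding] = []
    if os.lstat(root).st_mode & stat.S_IWOTH:
        findings.append((".", "world-writable directory"))
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)                       # lstat: inspect the link itself
            if stat.S_ISLNK(st.st_mode):
                if _escapes_root(full, root_real):
                    findings.append((rel, "symlink points outside the Web root"))
                continue
            if st.st_mode & stat.S_IWOTH:             # the Web user could modify content
                kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
                findings.append((rel, f"world-writable {kind}"))
            exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
            if stat.S_ISREG(st.st_mode) and st.st_mode & exec_bits:
                top_dir = rel.split(os.sep, 1)[0]    # first path component under root
                if top_dir not in exec_dirs:
                    findings.append((rel, "executable outside an allowed directory"))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Create a constructed Web root with one correct file and several mistakes."""
    root = tempfile.mkdtemp(prefix="webroot_")
    outside = tempfile.mkdtemp(prefix="outside_")   # somewhere the Web user must not reach

    def put(rel: str, mode: int, content: str = "") -> None:
        path = os.path.join(root, rel)
        parent = os.path.dirname(path)
        os.makedirs(parent, exist_ok=True)
        if parent != root:
            os.chmod(parent, 0o755)                 # independent of the process umask
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)

    put("index.html", 0o644, "<h1>hello</h1>\n")                # fine
    put("cgi-bin/form.cgi", 0o755, "#!/bin/sh\necho ok\n")      # executable where allowed
    put("scripts/run.sh", 0o755, "#!/bin/sh\n")                  # executable outside cgi-bin
    put("uploads/notes.txt", 0o666)                              # world-writable file
    os.chmod(os.path.join(root, "uploads"), 0o777)               # world-writable directory
    secret = os.path.join(outside, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("not for the Web\n")
    os.symlink(secret, os.path.join(root, "secret-link"))        # escapes the Web root
    return root


if __name__ == "__main__":
    for rel, issue in audit_webroot(build_sample_webroot()):
        print(f"{rel}: {issue}")
```

Run `audit_webroot` against a real document root with `exec_dirs` set to the directories the server is actually configured to execute from; every finding is either a permission to remove or a deliberate exception that should be documented.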
