Guidelines on Securing Public Web Servers
Table of Contents
EXECUTIVE SUMMARY ........ ES-1
1. INTRODUCTION ........ 1
   1.1 Authority ........ 1
   1.2 Purpose and Scope ........ 1
   1.3 Audience and Assumptions ........ 2
   1.4 Document Structure ........ 2
2. WEB SERVER SECURITY PROBLEMS AND OVERVIEW ........ 4
   2.1 General Information System Security Principles ........ 7
3. PLANNING AND MANAGEMENT OF WEB SERVERS ........ 9
   3.1 Planning for a Web Server Deployment ........ 9
   3.2 Security Management Staff ........ 11
   3.3 Management Practices ........ 13
   3.4 System Security Plan ........ 14
   3.5 Human Resources for Securing a Web Server ........ 16
   3.6 Alternative Web Server Platforms ........ 17
4. SECURING THE OPERATING SYSTEM ........ 20
   4.1 Securely Installing and Configuring an Operating System ........ 20
   4.2 Security Testing the Operating System ........ 24
   4.3 Resources for Operating System Specific Security Procedures ........ 25
   4.4 Securing the Web Server Operating System Checklist ........ 25
5. SECURELY INSTALLING AND CONFIGURING THE WEB SERVER ........ 27
   5.1 Securely Installing the Web Server ........ 27
   5.2 Configuring Access Controls ........ 28
   5.3 Using File Integrity Checkers ........ 34
   5.4 Securely Installing and Configuring the Web Server Checklist ........ 35
6. SECURING WEB CONTENT ........ 37
   6.1 Publishing Information on Public Web Sites ........ 37
   6.2 Regulations Regarding the Collection of Personal Information ........ 39
   6.3 Securing Active Content and Content Generation Technologies ........ 40
   6.4 Securing Web Content Checklist ........ 49
7. AUTHENTICATION AND ENCRYPTION TECHNOLOGIES ........ 52
   7.1 Determining Authentication and Encryption Requirements ........ 52
   7.2 Address Based Authentication ........ 52
   7.3 Basic Authentication ........ 52
   7.4 Digest Authentication ........ 53
   7.5 SSL/TLS ........ 53