Guidelines on Securing Public Web Servers

Organizations should employ their network infrastructure to help protect their public 

Web server(s).   

The network infrastructure that supports the Web server plays a significant role in the security 

of the Web server.  In most configurations, the network infrastructure is the first line of defense 

between the Internet and a public Web server.  Network design alone, however, cannot protect 

a Web server.  The frequency, sophistication, and even variety of Web attacks perpetrated 

today, support the idea that Web security must be implemented through both layered and 

diverse defense mechanisms (i.e., defense in depth).   

Organizations must commit to the ongoing process of maintaining the security of Public 

Web servers to ensure continued security.   

Maintaining a secure Web server requires constant effort, resources, and vigilance from an 

organization.  Thus, once a Web server has been initially deployed, administering it on a daily 

basis becomes a critical aspect of Web server security.  Maintaining the security of a Web 

server usually involves the following steps: 

Configuring, protecting, and analyzing log files 

Backing up critical information frequently 

Maintaining a protected authoritative copy of the organization's Web content 

Establishing and following procedures for recovering from compromise 

Testing and applying patches in a timely manner 

Testing security periodically. 

ES 6