Guidelines on Securing Public Web Servers
- The host can be configured to better suit the requirements of the particular service. Different services might require different hardware and software configurations, which could lead to unnecessary vulnerabilities or service restrictions.
- By reducing services, the number of logs and log entries is reduced; therefore detecting unexpected behavior becomes easier.
When configuring the operating system, apply the principle "disable everything except that which is expressly permitted"; that is, disable or, preferably, remove all services and applications and then selectively enable those required by the Web server. If possible, install the minimal operating system configuration that is required for the Web server application. If the operating system installer provides a "minimal installation" option, choose it, because it minimizes the effort required to remove unnecessary services. Many uninstall scripts or programs do not completely remove all components of a service; therefore, it is always better to avoid installing unnecessary services in the first place.
The services enabled on a Web server will depend on the functions the organization wants the 
server to provide.  Those services might include database protocols to access a database, file 
transfer protocols, and remote administration services.  Each of these services, even though 
they may be required, comes with an increased risk to the server.  Whether the risks outweigh 
the benefits is a decision each organization must make for itself. 
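As an added illustration of the allowlist approach described above (this script is not part of NIST SP 800-44 or of the hosting site's content), the following POSIX shell functions compare the units a host reports as enabled against a list of services the Web server is expressly permitted to run, and print the `systemctl disable --now` commands an administrator would review before applying them. The allowlist, the unit names and the sample `systemctl list-unit-files --state=enabled --no-legend` output are constructed assumptions for the example, not output from a real host; set `APPLY=1` to execute the commands instead of printing them.

```shell
#!/bin/sh
# Allowlist-driven service audit. Added example; assumptions are marked below.

# Units the Web server is expressly permitted to run (hypothetical allowlist).
ALLOWED_UNITS="apache2.service ssh.service rsyslog.service systemd-timesyncd.service"

# Constructed sample of `systemctl list-unit-files --state=enabled --no-legend`
# output on a freshly installed host (unit name, state). Not real data.
SAMPLE_ENABLED='apache2.service           enabled
avahi-daemon.service      enabled
cups.service              enabled
rsyslog.service           enabled
ssh.service               enabled
systemd-timesyncd.service enabled
vsftpd.service            enabled'

# is_allowed UNIT: succeed if UNIT appears on the allowlist.
is_allowed() {
    for u in $ALLOWED_UNITS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# units_to_disable: read "unit state" lines on stdin and print every
# enabled unit that is not on the allowlist, one per line.
units_to_disable() {
    while read -r unit state rest; do
        [ -n "$unit" ] || continue
        [ "$state" = "enabled" ] || continue
        is_allowed "$unit" || printf '%s\n' "$unit"
    done
}

# plan_disable: print the disable commands for review; with APPLY=1 run them.
plan_disable() {
    units_to_disable | while read -r unit; do
        cmd="systemctl disable --now $unit"
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd
        else
            printf 'would run: %s\n' "$cmd"
        fi
    done
}

# audit_sample: run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_ENABLED" | units_to_disable
}

# On a live host the same pipeline is:
#   systemctl list-unit-files --state=enabled --no-legend | units_to_disable
audit_sample
```

Reviewing the printed plan before setting `APPLY=1` is deliberate: a unit missing from the allowlist may be something the Web server silently depends on, and the text above leaves that risk decision to the organization.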
4.1.3  Configuring Operating System User Authentication 
For Web servers, authorized users who can configure the system and initiate Web services are 
typically a small number of designated Web administrators and Webmasters.  However, the 
users who can access the public Web server may range from unrestricted to restricted subsets 
of the Internet community.  To enforce policy restrictions, if required, the Web administrator 
must configure the system to authenticate prospective users by requiring proof that each person 
is authorized for such access.  Even though a Web server may allow unauthenticated access to 
most Web services, administrative and other types of specialized access should be limited to 
specific individuals and groups. 
Configuring the computer for authentication usually involves configuring parts of the operating system, firmware, and applications on the server, such as the software that implements a network service. In special cases, for high-value or high-risk sites, organizations may also use authentication hardware, such as tokens or one-time password devices. Use of authentication mechanisms whose authentication information is reusable (e.g., passwords) and transmitted in the clear over a network is strongly discouraged, because the information can be intercepted and used by an attacker to masquerade as an authorized user (see Section 7).
To ensure the appropriate user authentication is in place, take the following steps [CERT00]:

- Remove or disable unneeded default accounts and groups. The default configuration of the operating system often includes guest accounts (with and without passwords), administrator or root-level accounts, and accounts associated with local and network services. The names and passwords for those accounts are well known. Remove or disable unnecessary accounts to eliminate their use by intruders, including guest accounts on computers containing sensitive information. If a guest account or group must be retained, severely restrict its access and change its password in accordance with the organizational password policy.
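As an added example of the account audit described in this step (not code from NIST SP 800-44 or the hosting site), the following POSIX shell functions read passwd(5)-format lines, report accounts that keep an interactive shell but are not on the list of accounts expressly permitted to log in, and separately report accounts whose password field is empty. The allowlist, the set of non-interactive shells and the sample passwd lines are constructed assumptions for the example, not data from a real host; the lock-down commands (`usermod -L`, `usermod -s /usr/sbin/nologin`) are printed for review and only executed when `APPLY=1`.

```shell
#!/bin/sh
# Default-account audit. Added example; assumptions are marked below.

# Accounts permitted to keep an interactive shell (hypothetical allowlist).
ALLOWED_LOGINS="root webadmin"

# Shells treated as non-interactive and therefore acceptable for service accounts.
NOLOGIN_SHELLS="/usr/sbin/nologin /sbin/nologin /bin/false"

# Constructed sample of /etc/passwd on a freshly installed host. Not real data;
# guest2 has an empty password field to show the passwordless-account check.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/bash
guest2::1004:1004:Guest without password:/home/guest2:/bin/sh
webadmin:x:1002:1002:Web admin:/home/webadmin:/bin/bash
ftp:x:1003:1003:FTP user:/srv/ftp:/bin/sh'

# in_list ITEM "WORD LIST": succeed if ITEM is one of the words.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# login_capable_accounts: print "user shell" for every account whose shell
# is not one of the non-interactive shells.
login_capable_accounts() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        in_list "$shell" "$NOLOGIN_SHELLS" && continue
        printf '%s %s\n' "$user" "$shell"
    done
}

# accounts_to_lock: login-capable accounts that are not on the allowlist.
accounts_to_lock() {
    login_capable_accounts | while read -r user shell; do
        in_list "$user" "$ALLOWED_LOGINS" || printf '%s\n' "$user"
    done
}

# passwordless_accounts: accounts whose password field is empty. On hosts that
# use /etc/shadow this check should be run against the shadow file instead.
passwordless_accounts() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        if [ -n "$user" ] && [ -z "$pw" ]; then
            printf '%s\n' "$user"
        fi
    done
}

# plan_lock: print (or with APPLY=1 run) the lock-down for each flagged account.
# The account is locked rather than deleted so that file ownership is preserved.
plan_lock() {
    accounts_to_lock | while read -r user; do
        for cmd in "usermod -L $user" "usermod -s /usr/sbin/nologin $user"; do
            if [ "${APPLY:-0}" = "1" ]; then
                $cmd
            else
                printf 'would run: %s\n' "$cmd"
            fi
        done
    done
}

# audit_sample: accounts to lock in the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | accounts_to_lock
}

# On a live host: accounts_to_lock < /etc/passwd
audit_sample
```

Service accounts such as `www-data` and `daemon` pass the audit only because their shell is already non-interactive; the allowlist is deliberately short, since every name on it is a login the Web administrator must be able to justify.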