Guidelines on Securing Public Web Servers
5.2 Configuring Access Controls
Most Web server host operating systems provide a capability to specify access privileges
individually for files, devices, and other computational resources on that host. Any
information that the Web server can access using these controls can potentially be distributed
to all users accessing the public Web site. The Web server software is likely to provide
additional file, device, and resource access controls specific to its operation. In cases where
resource permissions can be set at both the operating system and Web server application, it is
important that they are identical; otherwise, too much or too little access may
be granted to users. Web administrators should consider from two perspectives how best to
configure these access controls to protect information stored on their public Web server:
Limit the access of the Web server software to a subset of computational resources
Limit the access of users through additional access controls enforced by the Web
server, where more detailed levels of access control are required.
The proper setting of access controls can help prevent the disclosure of sensitive or restricted
information that is not intended for public dissemination. In addition, access controls can be
used to limit resource use in the event of a DoS attack against the public Web site.
Typical files to which access should be controlled are as follows:
Application software and configuration files
Files related directly to security mechanisms:
    Password hash files and other files used in authentication
    Files containing authorization information used in controlling access
    Cryptographic key material used in confidentiality, integrity, and non-repudiation services.
Server log and system audit files
System software and configuration files.
5.2.1 Configuring the Permissions of the Web Server Application
The first step in configuring access controls is to ensure that the Web server executes only
under a unique individual user and group identity with very restrictive access controls. Thus,
new user and group identities to be used exclusively by the Web server software need to be
established. This new user and new group should be made independent and unique from all
other users and groups. This is a prerequisite for implementing the access controls described
in the following steps. Although the server may initially have to run as root (Unix) or
system/administrator (Windows NT/2000/XP) to bind to Transmission Control Protocol (TCP)
ports 80 and/or 443 (used respectively to provide HTTP and HTTPS services), do not allow
the server to continue to run at this level of access.
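As an added illustration of the bind-then-drop sequence described above (example code, not part of the original guideline), this Unix startup routine binds port 443 while still root, then switches to a dedicated account after checking that the account is not root, is not shared with other users or groups, and that root cannot be regained. The account name www-data is an assumption; on Windows the equivalent is configuring the service to log on as a dedicated low-privilege account.

```python
import grp
import os
import pwd
import socket

def identity_problems(uid, gid, supplementary, passwd_entries, other_members):
    """Reasons (uid, gid) is unsuitable as the dedicated Web server identity.
    passwd_entries: (name, uid) pairs; other_members: group members besides the service user."""
    problems = []
    if uid == 0:
        problems.append("uid 0 (root) must not run the server")
    if gid == 0 or 0 in supplementary:
        problems.append("membership in gid 0 grants root-group access")
    sharers = [name for name, u in passwd_entries if u == uid]
    if len(sharers) > 1:
        problems.append("uid %d is shared by accounts %s" % (uid, sharers))
    if other_members:
        problems.append("group is shared with %s" % list(other_members))
    return problems

def drop_privileges(user, group):
    """Switch from root to the dedicated identity; returns the new (uid, gid)."""
    pw, gr = pwd.getpwnam(user), grp.getgrnam(group)
    problems = identity_problems(
        pw.pw_uid, gr.gr_gid, [],
        [(p.pw_name, p.pw_uid) for p in pwd.getpwall()],
        [m for m in gr.gr_mem if m != user])
    if problems:
        raise RuntimeError("; ".join(problems))
    os.setgroups([])        # discard supplementary groups inherited from root
    os.setgid(gr.gr_gid)    # group first: setgid needs root, setuid removes it
    os.setuid(pw.pw_uid)    # real, effective and saved uid all change
    try:
        os.setuid(0)        # must fail; if it succeeds the drop was reversible
    except PermissionError:
        return os.getuid(), os.getgid()
    raise RuntimeError("privilege drop is reversible; refusing to serve")

def bind_listener(port, host="0.0.0.0"):
    """Bind the privileged port while still root, before dropping privileges."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(128)
    return sock

if __name__ == "__main__":
    listener = bind_listener(443)                        # needs root for port < 1024
    uid, gid = drop_privileges("www-data", "www-data")   # assumed account names
    print("listening on %s as uid=%d gid=%d" % (listener.getsockname(), uid, gid))
```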