Installing and Configuring a Secure Web Server COEN 351 David Papay
Objectives
• Background
• Planning for security
• Physical and network security
• OS/web server installation and hardening
• Application server installation and hardening
• Maintenance and operations
Requirements
• Need to bring a new external web server online to host our Internet web site (www.gd-ais.com)
• Windows 2000, IIS 5.0, ColdFusion (application server)
• No sensitive information, no “store front” or other web apps to protect.
• Want protection from:
  • Defacement
  • Use as a jumping-off point to the rest of our network.
• Serve as an example for future secure web server installations
Planning
• Security concerns should be identified and planned for from the very beginning.
• It is much harder and more error-prone to “add security later.”
Reference: Develop a computer deployment plan that includes security issues. http://www.cert.org/security-improvement/practices/p065.html
Planning
• Examples of things to consider:
  • Purpose(s) of the server
  • Security requirements
  • Internet service(s) needed (e.g., http, ftp)
  • Categories of users, their privileges, and how they will be authenticated.
  • Patching, backup, and virus detection procedures
Physical Security and Network Environment
• Server is in a physically secure location
  • Consequences of this decision
• Firewall and DMZ configuration
  • Consider an application layer firewall
• Network-based IDS
Reference: Guidelines on Securing Public Web Servers, chapter 8. http://cs-www.ncsl.nist.gov/publications/nistpubs/800-44/sp800-44.pdf
Windows and IIS Installation
• Install only necessary Windows and IIS components.
• Install all patches and updates.
• Run HotFix Checker, MBSA.
• Document and baseline current configuration.
• Note that W2k3 has alleviated the need for some of this.
References: Microsoft documentation, TechNet, Knowledge Base articles.
Windows and IIS Hardening
• This definitely consumed the most time (in terms of research, implementation, and testing).
• Just because Windows and IIS have been minimally installed, updated, and patched, it does not mean your server and site are secure!
Windows and IIS Hardening
• Examples of Windows hardening:
  • Remove/disable unneeded default accounts and groups.
  • Rename necessary predefined accounts.
  • Least privilege for accounts and groups.
  • Change default security settings on the file system.
  • Windows Security Policies (e.g., strong passwords, account lockout, logging, auditing, user rights, unneeded services)
Windows and IIS Hardening
• Examples of IIS hardening:
  • Separate partitions for OS, web content, and log files.
  • Enable detailed logging.
  • Run IIS Lockdown Wizard, URLScan.
  • Remove examples, documentation, and unneeded physical/virtual directories.
  • Remove server-identifying characteristics (e.g., http response headers, default error pages)
Windows and IIS Hardening
• Test to make sure you haven’t broken anything (e.g., anonymous web access, ability to update web content, indexing/searching web content).
• Document and baseline current configuration.
Windows and IIS Hardening
• References/Resources:
  • Microsoft documentation, Knowledge Base articles, TechNet
  • NIST Computer Security Resource Center (CSRC) http://csrs.nist.gov/
  • NSA Security Configuration Guides http://www.nsa.gov/snac/
  • CERT: http://www.cert.org
  • US-CERT: http://www.us-cert.gov/
ColdFusion installation and hardening (This applies to any third-party application server)
• Research the product and its vulnerabilities
• Be aware of what the installer is doing
• Install latest updates and patches
• Protect against unknown vulnerabilities by following good security practices (e.g., least privilege, remove/disable unnecessary features, change default values)
• Test, document, and baseline!
Maintenance and operations
• Regularly install patches and updates
• Virus scanning
• Backups
• Log file analysis
  • From firewall(s), IDS, web server, and application server
  • A good log file filtering and analysis tool is essential.