Website security is more important than ever. Web servers, which host the data and other content available to your customers on the Internet, are often the most targeted and attacked components of a company’s network. Cybercriminals are constantly looking for improperly secured websites to attack, while many customers say website security is a top consideration when they choose to shop online. As a result, it is essential to secure servers and the network infrastructure that supports them. The consequences of a security breach are great: loss of revenues, damage to credibility, legal liability, and loss of customer trust.
The following are examples of specific security threats to web servers.
- Cybercriminals may exploit software bugs in the webserver, underlying operating system, or active content to gain unauthorized access to the webserver. Examples of unauthorized access include gaining access to files or folders that were not meant to be publicly accessible and being able to execute commands and/or install malicious software on the webserver.
- Denial-of-service attacks may be directed at the webserver or its supporting network infrastructure to prevent or hinder your website users from making use of its services. This can include preventing the user from accessing email, websites, online accounts, or other services. The most common attack occurs when the attacker floods a network with information so that it can’t process the user’s request.
- Sensitive information on the webserver may be read or modified without authorization.
- Sensitive information on backend databases that are used to support interactive elements of a web application may be compromised through the injection of unauthorized software commands.
- include Structured Query Language (SQL) injection, Lightweight Directory Access Protocol (LDAP)
- injection and cross-site scripting (XSS).
- Sensitive unencrypted information transmitted between the web server and the browser may be intercepted.
- Information on the web server may be changed for malicious purposes. Website defacement is a commonly reported example of this threat.
- Cyber criminals may gain unauthorized access to resources elsewhere in the organization’s network via a successful attack on the web server.
- Cyber criminals may also attack external entities after compromising a web server. These attacks can be launched directly (e.g., from the compromised server against an external server) or indirectly (e.g., placing malicious content on the compromised web server that attempts to exploit vulnerabilities in the web browsers of users visiting the site).
- The server may be used as a distribution point for attack tools, pornography or illegally copied software.
Carefully plan and address the security aspects of the deployment of a public webserver. Because it is much more difficult to address security once deployment and implementation have occurred, security should be considered from the initial planning stage. Businesses are more likely to make decisions about configuring computers appropriately and consistently when they develop and use a detailed, well-designed deployment plan. Developing such a plan will support web server administrators in making the inevitable tradeoff decisions between usability, performance, and risk. Businesses also need to consider the human resource requirements for the deployment and continued operation of the webserver and supporting infrastructure. The following points are in a deployment plan.
- Types of personnel required — for example, system and web server administrators, webmasters, network administrators and information systems security personnel.
- Skills and training required by assigned personnel.
- Individual (i.e., the level of effort required of specific personnel types) and collective staffing (i.e., overall level of effort) requirements.
Implement appropriate security management practices and controls when maintaining and operating a secure web server. Appropriate management practices are essential to operate and maintain a secure web server. Security practices include the identification of your company’s information system assets and the development, documentation, and implementation of policies, and guidelines to help ensure the confidentiality, integrity, and availability of information system resources. The following practices and controls are recommended.
- A business-wide information system security policy.
- Server configuration and change control and management.
- Risk assessment and management.
- Standardized software configurations that satisfy the information system security policy.
- Security awareness and training.
- Contingency planning, continuity of operations and disaster recovery planning.
- Certification and accreditation.
Ensure that web server operating systems meet your organization’s security requirements. The first step in securing a web server is securing the underlying operating system. The most commonly available web servers operate on a general-purpose operating system. Many security issues can be avoided if the operating systems underlying web servers are configured appropriately. Default hardware and software configurations are typically set by manufacturers to emphasize features, functions, and ease of use at the expense of security. Because manufacturers are not aware of each organization’s security needs, each web server administrator must configure new servers to reflect their business’ security requirements and reconfigure them as those requirements change. Using security configuration guides or checklists can assist administrators in securing systems consistently and efficiently. Initially securing an operating system initially generally includes the following steps.
- Patch and upgrade the operating system.
- Change all default passwords
- Remove or disable unnecessary services and applications.
- Configure operating system user authentication.
- Configure resource controls.
- Install and configure additional security controls.
- Perform security testing of the operating system.
Ensure the web server application meets your organization’s security requirements. In many respects, the secure installation and configuration of the web server application will mirror the operating system process discussed above. The overarching principle is to install the minimal amount of web server services required and eliminate any known vulnerabilities through patches or upgrades. If the installation program installs any unnecessary applications, services, or scripts, they should be removed immediately after the installation process concludes. Securing the web server application generally includes the following steps.
- Patch and upgrade the web server application.
- Remove or disable unnecessary services, applications and sample content.
- Configure web server user authentication and access controls.
- Configure web server resource controls.
- Test the security of the web server application and web content.
Ensure that only appropriate content is published on your website. Company websites are often one of the first places cybercriminals search for valuable information. Still, many businesses lack a web publishing process or policy that determines what type of information to publish openly, what information to publish with restricted access and what information should not be published to any publicly accessible repository. Some generally accepted examples of what should not be published or at least should be carefully examined and reviewed before being published on a public website include:
- Classified or proprietary business information.
- Sensitive information relating to your business’ security.
- Medical records.
- A business’ detailed physical and information security safeguards.
- Details about a business’ network and information system infrastructure — for example, address ranges, naming conventions and access numbers.
- Information that specifies or implies physical security vulnerabilities.
- Detailed plans, maps, diagrams, aerial photographs and architectural drawings of business buildings,
- properties or installations.
- Any sensitive information about individuals that might be subject to federal, state or, in some instances, international privacy laws.
Ensure appropriate steps are taken to protect web content from unauthorized access or modification. Although the information available on public websites is intended to be public (assuming a credible review process and policy is in place), it is still important to ensure that information cannot be modified without authorization. Users of such information rely on its integrity even if the information is not confidential. Content on publicly accessible web servers is inherently more vulnerable than information that is inaccessible from the Internet, and this vulnerability means businesses need to protect public web content through the appropriate configuration of web server resource controls. Examples of resource control practices include.
- Install or enable only necessary services.
- Install web content on a dedicated hard drive or logical partition.
- Limit uploads to directories that are not readable by the web server.
- Define a single directory for all external scripts or programs executed as part of web content.
- Disable the use of hard or symbolic links.
- Define a complete web content access matrix identifying which folders and files in the web server
- document directory are restricted, which are accessible, and by whom.
- Disable directory listings.
- Deploy user authentication to identify approved users, digital signatures and other cryptographic
- mechanisms as appropriate.
- Use intrusion detection systems, intrusion prevention systems and file integrity checkers to spot intrusions and verify web content.
- Protect each backend server (i.e., database server or directory server) from command injection attacks.
Use active content judiciously after balancing the benefits and risks. Static information resided on the servers of most early websites, typically in the form of text-based documents. Soon thereafter, interactive elements were introduced to offer new opportunities for user interaction. Unfortunately, these same interactive elements introduced new web-related vulnerabilities. They typically involve dynamically executing code using a large number of inputs, from web page URL parameters to hypertext transfer protocol (HTTP) content and, more recently, extensible markup language (XML) content. Different active content technologies pose different related vulnerabilities, and their risks should be weighed against their benefits. Although most websites use some form of active content generators, many also deliver some or all of their content in a static form.
Use authentication and cryptographic technologies as appropriate to protect certain types of sensitive data. Public web servers often support technologies for identifying and authenticating users with differing privileges for accessing information. Some of these technologies are based on cryptographic functions that can provide a secure channel between a web browser client and a web server that supports encryption. Web servers may be configured to use different cryptographic algorithms, providing varying levels of security and performance. Without proper user authentication in place, businesses cannot selectively restrict access to specific information. All information that resides on a public web server is then accessible by anyone with access to the server. In addition, without some process to authenticate the server, users of the public web server will not be able to determine whether the server is the “authentic” web server or a counterfeit version operated by a cyber-criminal. Even with an encrypted channel and an authentication mechanism, it is possible that attackers may attempt to access the site by brute force. Improper authentication techniques can allow attackers to gather valid usernames or potentially gain access to the website. Strong authentication mechanisms can also protect against phishing attacks, in which hackers may trick users into providing their personal credentials, and pharming, in which traffic to a legitimate website may be redirected to an illegitimate one. An appropriate level of authentication should be implemented based on the sensitivity of the web server’s users and content.
Employ network infrastructure to help protect public web servers. The network infrastructure (e.g., firewalls, routers, intrusion detection systems) that supports the web server plays a critical security role. In most configurations, the network infrastructure will be the first line of defense between a public web server and the Internet. Network design alone, though, cannot protect a web server. The frequency, sophistication, and variety of web server attacks perpetrated today to support the idea that web server security must be implemented through layered and diverse protection mechanisms, an approach sometimes referred to as “defense-in-depth.”
Commit to an ongoing process of maintaining web server security. Maintaining a secure web server requires constant effort, resources, and vigilance. Securely administering a web server on a daily basis is essential. Maintaining the security of a web server will usually involve the following steps.
- Configuring, protecting and analyzing log files.
- Backing up critical information frequently.
- Maintaining a protected authoritative copy of your organization’s web content.
- Establishing and following procedures for recovering from compromise.
- Testing and applying patches in a timely manner.
- Testing security periodically.