Web Server Security Essentials
Web Server Security Essentials 101
One of the many information security challenges facing organizations today is that of web servers and their overall security. Advances in technology, such as reduced costs for bandwidth and CPU resources, along with a growing move towards cloud based infrastructures, have resulted in dramatic increases in the deployment of web servers. Generally speaking, web servers (both the residing hardware and software) work in unison, sending and receiving content to end-users (i.e., clients) by executing any number of processes. From e-commerce systems to Software as a Service (SaaS) platforms, web servers are a vital component for a growing number of organizations.
Attacks are on the Rise to Web Servers
Because of their importance, measures must be implemented for ensuring that these devices have been appropriately provisioned, hardened, secured, and locked-down in order to mitigate and hopefully eliminate the ever-growing dangers associated with them. SQL Injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and numerous other damaging tactics can paralyze an organization's I.T. infrastructure, often resulting in data breaches to sensitive information. As such, it's vitally important to secure web servers from today's growing list of attacks. Additionally, Denial of Service (DoS) attacks and other malicious activities against an organization's network often result in disruption of services from the ever-important web servers. The Apache HTTP Server (Apache) and Microsoft's Internet Information Services (IIS) are the two most prominent types of web servers with approximately 80% of market share.
Furthermore, a number of well-recognized organizations and associations, such as The Open Web Application Security Project, known as OWASP, have built a strong following online for their ongoing contributions to the field of application security. They've become well-known for their Top 10 list of Web Application Security Risks (https://www.owasp.org/index.php/Top_10). Many of these security risks unfortunately find themselves within applications residing on web servers, thus it’s highly essential to understand the importance of proper application development for web based software.
Web server security is a large, complex and ever-growing field that continues to challenge organizations on a daily basis, thus your goals for securing these platforms should be multi-faceted: (1). Properly provision, harden, secure, and lock-down your web servers for initial install and deployment. (2). Utilize only properly coded application software with an emphasis on security. (3). Securely position web servers within your network topology (logically speaking) in a manner that does not compromise other critical system resources (i.e., database servers, etc.). (4). be diligent in applying a formalized and structured patch management program to them, (5). Along with numerous other information security best practices.
Take note of the following best practices for helping ensure the safety and security of your web servers:
Planning is Essential
Appropriate planning measures should always be undertaken for web servers that incorporate a number of critical provisions necessary for ensuring the confidentiality, integrity, and availability (CIA) of these respective system resources. Because web servers can provide an almost unlimited range of web services, authorized personnel with one’s organization should thoroughly research, identify, and document information pertaining to notable issues, such as the following:
- Overall purpose of the web server, such as the services they are to provide.
- Type of information being stored, processed, and/or transmitted via the web server and the explicit security requirements for such information, such as regulatory compliance laws, legislation and mandates.
- The interdependencies to other systems within an organization’s network architecture that have an association with the web servers, such as internal database servers and other critical system resources (i.e., hosts) and their respective security requirements regarding confidentiality, integrity, and availability (CIA).
- The use of any modules, plug-ins, or other supporting software applications and/or hardware devices and appliances that will be used in conjunction with the web servers, such as proxy servers, content filtering mechanisms, etc.
- If virtualization is being used, what specific platforms is/are being considered.
- Physical and/or logical placement of the web servers onto the network.
- Ports, protocols, and services to be utilized.
- Software to be utilized, specifically, the underlying operating system to be used, along with any additional software residing on the server itself.
- Personnel responsible for securing, hardening, provisioning, locking-down, deploying and also maintaining the web servers.
- Authentication, Authorization, and Accounting (AAA) procedures to use for accessing web servers along with documenting such access.
- Financial analysis for determining all hard costs associated with the web servers, which generally includes the following items: (1). Hardware. (2). Licensing, (if applicable) relating to the underlying operation system and any additional software to be installed. (3). Training, support, and maintenance).
Data and Information Classification
Data and information being stored, processed, and/or transmitted on web servers that are owned, operated, maintained and controlled by an organization should have appropriate classification levels in place, such as the following:
- Unclassified | Public Information
- Company Confidential
- Client Confidential
- Trade Secret
- Top Secret
It’s important to know the type of data being stored and transmitted on web servers, especially in today’s world of regulatory compliance that includes strict security provisions for ensuring the safety and security of Personally Identifiable Information (PII).
Appropriate security measures must also be implemented, which includes all necessary physical security controls, such as those related to the safety and security of the actual hardware (i.e., servers) for which the web servers reside on. This requires the use of a computer room or other designated area (facility) that is secured and monitored at all times, whereby only authorized personnel have physical access to the specified system resource. Thus, "secured" and "monitored" implies that the facility has in place industry leading physical security and environmental security controls.
Employees responsible for general provisioning, maintenance and security of one’s web servers are those deemed to be professional, well-skilled, and competent individuals. Remember that hardware and software solutions provided by vendors are only as good as the individuals who deploy their services, thus I.T. employees are to strive at all times to continue to enhance their knowledge base with the following measures:
- Attending security and technology conferences and seminars, both online and at physical locations.
- Subscribing to alert forums, messaging boards and other online organizations and associations.
- Subscribing to hard-copy magazine and newsletter publications.
- Undertaking Continuing Professional Education (CPE) courses and related activities.
- Willingness to attain additional certifications within the Information Technology field as a whole.
Provisioning and Hardening
All web servers should also be properly provisioned, hardened, secured, and locked-down for ensuring their confidentiality, integrity, and availability (CIA). Improperly or poorly provisioned systems can often result in network exploitation by hackers, malicious individuals, and numerous other external, and internal threats. Best practices for web server provisioning and hardening consist of the following:
- Consult with vendor specific personnel and/or applicable vendor websites and other trusted third-party sources for determining any known security issues.
- Visit the NIST National Vulnerability Database at http://web.nvd.nist.gov/view/ncp/repository to further determine if any known vulnerabilities exist.
- Install the web server software onto a predetermined host system (i.e., physical or logical server environment), and for which the host system itself is strictly limited to one primary function.
- Apply all necessary patches and security upgrades.
- Remove or disable all unnecessary services, accounts, scripts, executables, etc.
- Implement unique, "non-descriptive" directory names, filenames, and locations.
- Implement appropriate access controls in accordance with Authentication, Authorization, and Accounting (AAA) practices, which essentially limits access to the web server software to authorized personnel and only to the minimum resources necessary to perform their respective job functions.
- Create session timeouts.
- Ensure that all critical web server software files for configuration, security, and logging and reporting (i.e., audit trails) are not logically contained within the same directories and files where the public web server content resides.
- Implement features for ensuring that sensitive, non-public information is never to be indexed with the search engines, such as using the Robots.txt text, in conjunction with statements such as "user agent" and "disallow".
- Undertake all necessary operating system provisioning and hardening procedures.
Secure Network Architecture
It’s important to remember that web servers should be placed (logically and physically) within an organization’s network architecture as best determined by authorized I.T. personnel for ensuring their confidentiality, integrity, and availability (CIA). A critical component of securing web servers is the implementation of a safe and secure network infrastructure; one that provides the necessary design and technical configuration for allowing such devices to function as intended. Often times, a DMZ is a critical component of web server placement, one that allows untrusted traffic to be filtered first via firewall rules.
Secure Coding Guidelines
Custom applications (i.e., internally developed and/or developed by third-parties) for [company name] residing on web servers must always be developed in accordance with industry leading secure coding guidelines, while also following a structured and formalized process for the entire software development life cycle (SDLC). This is a critical requirement for web servers as they continue to be a constant source of attack and target for hackers and other malicious individuals seeking to comprise their confidentiality, integrity, and availability (CIA).
And while there are numerous types of attack vectors and strategies used by individuals, there are also many provisioning, hardening, and coding weaknesses found within web servers also. As a result, developers should strive to incorporate and utilize industry leading resources for ensuring secure coding guidelines are met at all times.
Along with having well-documented policies, procedures, and supporting provisioning and hardening checklists, additional reference material is widely available on the internet from a number of trusted sources. Administrator guides and other supporting information from Apache and Microsoft are readily available and free to download, so use them extensively.
Access rights to web servers should always be limited to authorized personnel only, with all end-users being properly provisioned in accordance with an organization’s documented access rights policies and procedures. This includes using all applicable provisioning and de-provisioning forms as necessary along with ensuring users' access rights incorporate Role Based Access Control (RBAC) protocols or similar access control initiatives.
Lastly, because web servers can be compromised by brute force attacks (i.e., an exhaustive strategy whereby every possible combination of letters, numbers, and symbols are used for "password" cracking on various accounts), it's critically important that authorized I.T. personnel implement the following Defense in Depth and Layered Security regarding authentication measures to web servers:
- Implement strong authentication measures, such as adherence to all stated password complexity requirements, system lockout policies, along with possible two (2) factor authentication initiatives, such as something you "know," something you "are," or something you "have."
- Blacklisting IP addresses found to be conducting malicious attacks against one’s web servers.
Malicious software (malware) poses a critical security threat to web servers, thus effective measures are to be in place for ensuring protection against viruses, worms, spyware, adware, rootkits, trojan horses, and many other forms of harmful code and scripts. It means having anti-virus (AV) solutions deployed on all web servers, with the applicable AV being the most current version available from the vendor, enabled for automatic updates and configured for conducting periodic scans as necessary. The seriousness of malware and its growing frequency of attacks within organizations requires that all I.T. personnel stay abreast of useful tools and programs that are beneficial in combating harmful code and scripts.
Change Control | Change Management
Changes made to configuration settings (i.e., operating system and application(s) changes) to web servers must require authorized users to initiate an incident and/or change request, which includes completing all applicable forms as necessary. Furthermore, the request must be thoroughly documented, which includes providing essential information, such as the following:
(1). An assigned I.D. or change tracking number.
(2). Representation of all critical dates relating to the requested change itself.
(3). Default fields for categorizing (i.e., normal change or emergency change, etc.) and prioritizing (i.e., critical to routine maintenance) the requested change itself.
(4). Documented notation, communication and correspondence throughout the life of the requested change itself.
All necessary system patches and system updates for web servers (those defined as critical from a security perspective) must be obtained and deployed in a timely manner as designated by the following software vendor and/or other trusted third-parties: (1). Vendor websites and email alerts. (2). Vendor mailing lists, newsletters and additional support channels for patches and security. (3). Third-party websites and email alerts. (4). Third-party mailing lists. (5). Approved online forums and discussion panels. Effective patch management and system updates help ensure the confidentiality, integrity, and availability (CIA) of systems from new exploits, vulnerabilities and other security threats.
Patching is so critically important in today’s world of growing cyber security threats and attacks, and especially to web servers, so make it a priority.
Comprehensive auditing & monitoring initiatives for web servers must be implemented that effectively identify and capture the following events: (1). All authentication and authorization activities by all users and their associated accounts, such as log on attempts (both successful and unsuccessful). (2). Any creation, modification or deletion of various types of events and objects (i.e., operating system files, data files opened and closed and specific actions, such as reading, editing, deleting, printing). (3). All actions undertaken by system administrators who have elevated privileges and access rights.
Additionally, for each event described above, the following attributes should be captured: (1). type of event that occurred and on what system level and/or application level did it occur on. (2). date and time of the event. (3). identity of the user, such as the log-on ID. (4). origination of the event. (5). outcome of the event, such as the success or failure of the event. (6). name of the affected system.
Configuration and Change Monitoring
Furthermore, the use of specialized software, such as File Integrity Monitoring (FIM), Host based Intrusion Detection Systems (HIDS), and/or change detection software programs should also be implemented for monitoring web servers, as they provide the necessary capabilities for assisting in the capture of all the above-stated, required events. Additionally, configuration change monitoring tools should also be used to detect any file changes made within a specified system resource, ranging from changes to commonly accessed files and folders, to more granular based data, such as configuration files, executables, rules, and permissions. Changes made should thus result in immediate alerts being generated with appropriate personnel being notified. Moreover, these tools effectively aid in capturing and forwarding all events in real-time, thus mitigating issues relating to native logging protocols, which can be accessed by users with elevated privileges on the web servers themselves, resulting in the disabling and modification of its services and the resulted output.
Performance and Utilization Monitoring
Additional measures are to be employed for ensuring that web servers are actively being monitored for all necessary performance and utilization measures, which can be conducted by utilizing the following specific tools for web Servers:
- Kernel tools
- Numerous third-party tools available by a host of different vendors, such as Nagios and Cacti.
Thus, the actual server (i.e., hardware) for which the web server software resides on should be proactively monitoring, at a minimum, the following conditions:
- CPU Utilization
- Memory Utilization
- Disk Utilization
- Network Utilization
Logging and Reporting
Along with capturing all necessary events as described in the various monitoring categories above, effective protocols and supporting measures should be implemented for ensuring all required events and their associated attributes are logged, recorded, and reviewed as necessary. Additionally, all applicable elevated permissions (those for administrators) along with general access rights permissions (those for end-users) to web servers should reviewed on a regular basis by an authority that is independent from all known users (i.e., end-users, administrator, etc.) and who also has the ability to understand, interpret, and ultimately identify any issues or concerns from the related output (i.e., log reports, and other supporting data).
Moreover, protocols such as syslog and other capturing and forwarding protocols and, or technology, such as specialized software applications, should be used as necessary, along with employing security measures that protect the confidentiality, integrity, and availability (CIA) of the audit trails and their respective log reports (i.e., audit records) that are produced.
Documented Business Continuity and Disaster Recovery Planning (BCDRP) is vital to protecting all organizational assets, along with ensuring rapid resumption of critical services in a timely manner. Because disasters and business interruptions are extremely difficult to predict, it is the responsibility of authorized personnel to have in place a fully functioning BCDRP process, and one that also includes specific policies, procedures, and supporting initiatives relating to all system resources, including critical web servers.
In summary, the need for ensuring the confidentiality, integrity, and availability (CIA) of one’s critical web servers has never been more important, and it starts by implementing the aforementioned policies, procedures, process, and related best practices. The digital world is upon us, and web servers are a vital component for sending and receiving information in today’s ever-growing cyber society. Protecting these systems is absolutely critical.