
| Subject: | Re: webserver security issues |
|---|---|
| Date: | 25 Apr 2007 16:05:35 -0000 |

This is an amazingly broad question that entire books are written about: securing web servers.

NIST has docs you might find useful:
Guide on Securing Public Web Servers
http://csrc.nist.gov/publications/nistpubs/index.html

The NSA has a few. While their web section is growing dated, their OS section is nice.
http://www.nsa.gov/snac/

Lastly, here's a few broad areas to keep in mind about securing a web server (this is off the top of my head, so...)

1. Application - Whatever applications or sites you are serving up on your web server will need to be secured. Sometimes you can do a lot on the other parts of your web server, but if you insist on running an old vulnerable phpBB version, you're just going to constantly get owned.

2. The OS needs to be hardened per standards for your OS version.

3. The network needs to be hardened to protect traffic and other possible network-borne attacks or data pilfering. (Typically this is not part of building a web server, per se, but keep it in mind.) This might include what sorts of environmental (Active Directory, Database, etc.) remote access rights your services run under. Does the application connect to your database using an SA account or widespread domain access when it is not necessary?

4. The web server application (typically IIS, Apache, or Tomcat) needs to be hardened. Googling "Apache Security" or whatever app you use should help a lot.

5. Who has access to the server and the code? If you have 20 developers all of whom can deploy code to your site directly, any one of them may purposely or accidentally be allowed to post bad code. Evaluate the needs and make sure process is in place for QA, code review, testing on a development server, maybe a non-developer pushes the code, etc.

6. Lastly, and most importantly, make sure you have a backup strategy. If you make a mistake (and let's face it, we all do) and get compromised or lose data, you will want backups of the data.

Try to maintain documentation on the server and your setup so that you can duplicate your efforts and/or identify where you made the mistake.

There's tons more angles to look at...but maybe some of this will help get you in the right mindset.

<- snip ->

Hi, we are in the process of building a webserver for our company and I am given the task of finding the security issues in webserver building. Can any of you let me know about the security issues in a webserver? Also, we have an internet leased line of 2mb; is getting a new leased line for the webserver good, or upgrading the existing one to 4mb? Your quick response is highly appreciated.