10. What do IPChains and IPTables provide? 11. What functionality does FWTK provide? Answers 1. There is no standard file-sharing mechanism for UNIX, because UNIX was developed before Local Area Networks made file sharing popular. 2. Secure Shell SSH is the most secure protocol for remotely logging on to a Unix computer. 3. SMTP has no authentication mechanisms.

4. PAM provides a standardized method for services to authenticate users against a wide

array of authentication mechanisms.

5. NIS provides no encryption.

6. Kerberos uses Secret Key encryption. 7. File sharing protocols are capable of transmitting segments of files and allowing multiple users to access files simultaneously. FTP does not have these capabilities.

8. Yes, Samba passwords are encrypted by default in Windows, and encryption can be

enabled in Samba and most other SMB implementations.

9. TCP Wrappers provides protection by replacing the service executable with a service that

first authenticates the source of the connection, and then allows access to the service.

10. IPChains and IPTables provide TCPIP packet filtering.

11. FWTK provides protocol level filtering and a proxy service.

Terms to Know • Terms to Know • credentials • daemon • Distributed Computing Environment DCE • distributed logon • export • file shares • file sharing protocol • File Transfer Protocol FTP • IPChains • IPTables • kerberized • Kerberos • Key Distribution Center KDC • Lightweight Directory Access Protocol LDAP • Local Area Network LAN • Network File System NFS • Network Information Service NIS • one-time passwords • PAMed • Pluggable Authentication Modules PAM • realm • remote access • remote logon • secure shell SSH • security domain • share • shell • single signon • smart cards • spam • TCP Wrappers • terminal • ticket • Ticket Granting Ticket TGT • user context • yellow pages yp

Chapter 13: Web Server Security

Overview This chapter discusses the best practices used to keep web servers secure when they are publicly available. Web and e-mail servers are the two most difficult security problems you will encounter, because in most cases they must be open to the public in order to fulfill their purpose. With the exception of exploits based on specific bugs, most web server security problems are generic in nature. Most of this chapter deals with practical security measures for any web server. Because 90 percent of the Internet is run on Apache and IIS, those two web servers are covered specifically. You’ve probably heard about security problems with cookies, ActiveX controls, Java applets, and multimedia plug-ins like Real Player. These technologies are problematic, but they only affect the client side—they are not a problem for servers that inspect them or provide them. Serving ActiveX or Java applets is not a security problem for servers, and can frequently be used to provide enhanced server-side security by creating a proprietary interface to your web application that would be far more difficult to hack than a typical HTTP-based interface, if you can entice users to actually download your controls. This chapter doesn’t discuss the security ramifications of web browsing—that problem is well covered in the rest of this book. Web Security Problems Bugs in the web server application are the most threatening security problem you will run into when securing web servers. Flaws in the operating system and web server applications are routinely exploited by hackers, and no matter how well you’ve secured your server, there’s very little you can do to prevent these sorts of attacks. In closed-source operating systems, only vendors can repair their code, and the level of support varies widely. Microsoft has been very proactive about patching their web server, Internet Information Server IIS; in fact, a constant torrent of patches flows from them on almost a weekly basis. Novell, on the other