TCP Wrappers provides protection by replacing the service executable with a service that
Chapter 13: Web Server Security
Overview This chapter discusses the best practices used to keep web servers secure when they are publicly available. Web and e-mail servers are the two most difficult security problems you will encounter, because in most cases they must be open to the public in order to fulfill their purpose. With the exception of exploits based on specific bugs, most web server security problems are generic in nature. Most of this chapter deals with practical security measures for any web server. Because 90 percent of the Internet is run on Apache and IIS, those two web servers are covered specifically. You’ve probably heard about security problems with cookies, ActiveX controls, Java applets, and multimedia plug-ins like Real Player. These technologies are problematic, but they only affect the client side—they are not a problem for servers that inspect them or provide them. Serving ActiveX or Java applets is not a security problem for servers, and can frequently be used to provide enhanced server-side security by creating a proprietary interface to your web application that would be far more difficult to hack than a typical HTTP-based interface, if you can entice users to actually download your controls. This chapter doesn’t discuss the security ramifications of web browsing—that problem is well covered in the rest of this book. Web Security Problems Bugs in the web server application are the most threatening security problem you will run into when securing web servers. Flaws in the operating system and web server applications are routinely exploited by hackers, and no matter how well you’ve secured your server, there’s very little you can do to prevent these sorts of attacks. In closed-source operating systems, only vendors can repair their code, and the level of support varies widely. Microsoft has been very proactive about patching their web server, Internet Information Server IIS; in fact, a constant torrent of patches flows from them on almost a weekly basis. Novell, on the otherParts
» The process of determining the identity of a user is called authentication.
» Using unpredictable sequence numbers secures sessions against hijacking.
» Biometric authentication includes the use of fingerprints, speech patterns, facial features,
» Connecting to executable content like ActiveX or Java controls that can exploit the
» Why doesnt a digital signature mean that an ActiveX control is secure?
» A security policy describes security rules for your computer systems and defends against
» The first step in establishing a security policy is to establish functional requirements,
» Automated security policies avoid the weakness of having to be enforced by humans.
» Users should not be required to change passwords often; rather, they should select
» Why is it important that every firewall on your network have the same security
» The most important border security measure is to control every crossing.
» Your effective border security is the lowest common denominator amongst the policies
» Theres no way to address computers directly since the public address connection has to use
» What common sense measure can you take to ensure the reliability and speed of a
» What encryption algorithm is specified for L2TP?
» The three fundamental methods implemented by VPNs are encapsulation, authentication,
» IKE enables cryptographic key exchange with encryption and authentication protocol
» Use the same or the fewest possible ISP for all VPN endpoints.
» The most common VPN protocol is IPSec with IKE.
» Are VPNs always the most secure way to provide remote access to secure
» VPN connections are potentially dangerous because the VPN endpoint could be exploited,
» Laptops are easy to steal and may contain all the information necessary to connect to the
» Laptops the most likely source of virus infection in a protected network because they are
» Using NAT devices or light firewall devices is the best way to protect home computers
» Encrypting documents stored on the laptop reduce the risk posed by lost information when
» Storing data on removable flash media in encrypted form that is not stored with the laptop
» No. Opening a single secure protocol to direct access is usually more secure than allowing
» Where do viruses come from? 2. Can data contain a virus?
» Do all viruses cause problems? 4. What is a worm?
» If you run NT kernel-based operating systems, do you still need anti-virus
» Where is anti-virus software typically installed?
» Hackers write viruses. Virus Protection
» No. Pure data can be corrupted by a virus, but only executable code can contain a virus.
» No. Only applications that allow you to write macros and which contain a scripting host
» Microsoft Outlook and Outlook Express are susceptible to e-mail viruses.
» Yes. NT kernel-based operating systems are only immune to executable viruses when run
» Why is RAID-0 not appropriate as a form of fault tolerance?
» What are the two common types of clustering?
» The hard disk is the most difficult component to replace in a computer.
» Deployment testing is the easiest way to avoid software bugs and compatibility problems.
» Strong border security, permissions security, and offline backup are the best ways to
» Tape backups are the most common form of fault tolerance.
» An incremental backup contains all the files changed since the last incremental backup,
» RAID-1 and RAID-0 are combined in RAID-10.
» Since you have to leave 1 disk for parity information, the storage available would be 5-1
» Yes. Share security works on FAT file system shares.
» What is the primary security mechanism in Unix? 6. Which component stores permissions?
» Which two commands are typically used to modify ownership and permissions on
» ATT essentially lost control of its development of Unix when they gave it away to
» File system permissions are the primary security mechanism in Unix.
» File inodes store permissions in Unix.
» The GID of the wheel or superuser group is 0.
» Read, Write, and Execute are the basic permissions that can be set in an inode.
» Nothing. Daemons are standard executables that run using SetUID permissions.
» What do IPChains and IPTables provide? 11. What functionality does FWTK provide?
» PAM provides a standardized method for services to authenticate users against a wide
» Yes, Samba passwords are encrypted by default in Windows, and encryption can be
» TCP Wrappers provides protection by replacing the service executable with a service that
» IPChains and IPTables provide TCPIP packet filtering.
» FWTK provides protocol level filtering and a proxy service.
» How do you configure Apache?
» What is taint? Web Server Security
» Microsoft Internet Information Services and Apache serve over 90 percent of the public
» The bugs in the operating system or web server software are the most threatening security
» Closed source and open source operating systems are about equally secure.
» Websites should only be deployed on dedicated web servers, because general purpose
» SSL encrypts web data flowing between the browser and the server.
» You can secure intranet servers by placing them inside a VPN and not making them
» The universal encrypted authentication mechanism is using SSL to secure basic
» Illegal spammers use open relays, relays that will relay mail from any host rather than just
» To close an open relay, require some form of authentication from those who want to send
Show more