S 5.4 Web servers


Description

The Internet is one of the primary media in today's information society. The information offered on the Internet is provided by servers delivering data, usually documents in the form of HTML pages, to the corresponding client programs. The information is usually delivered using the protocols HTTP (Hypertext Transfer Protocol) or HTTPS (HTTP via SSL and/or TLS, which means HTTP is protected by an encrypted connection). In addition to their use on the Internet, web servers are also increasingly being used for internal information and applications in corporate networks (intranet). One reason for this is that they offer a simple and standardised interface between server applications and users, and that appropriate client software (web browser) is available free of charge for practically every operating system environment.

The term web server (also referred to as WWW server) usually applies to the program that replies to the HTTP requests, as well as to the computer this program runs on. A number of security aspects need to be considered when using web servers.

Since a web server is a publicly accessible system, careful planning is required before setting it up, and the secure installation and configuration of the system and its network environment are particularly important. Web server security therefore covers a relatively large number of different areas: in addition to the web server application itself, a web server usually runs other server applications that are needed to operate it, and the secure operation of these applications must be guaranteed as well. For example, data is usually transmitted to the server over a network (via ftp or scp, for example), or access to a database is required.

Dynamic content and functions that go far beyond HTML are implemented with the help of web applications, which are not the subject of this module.

Threat scenario

The following typical threats are assumed to exist for the IT-Grundschutz of a web server and in connection with the use of the Internet:

Organisational Shortcomings

T 2.1 Lack of, or insufficient, rules
T 2.4 Insufficient monitoring of security safeguards
T 2.7 Unauthorised use of rights
T 2.9 Poor adjustment to changes in the use of IT
T 2.28 Violation of copyright
T 2.32 Inadequate line bandwidth
T 2.37 Uncontrolled usage of communications lines
T 2.96 Outdated or incorrect information on a website
T 2.100 Errors on applying for and managing Internet domain names

Human Error

T 3.1 Loss of data confidentiality or integrity as a result of user error
T 3.37 Unproductive searches
T 3.38 Errors in configuration and operation

Technical Failure

T 4.10 Complexity of access possibilities to networked IT systems
T 4.22 Software vulnerabilities or errors
T 4.39 Software design errors

Deliberate Acts

T 5.2 Manipulation of information or software
T 5.19 Abuse of user rights
T 5.20 Misuse of administrator rights
T 5.21 Trojan horses
T 5.23 Malicious software
T 5.28 Denial of services
T 5.48 IP spoofing
T 5.71 Loss of confidentiality of classified information
T 5.78 DNS spoofing
T 5.85 Loss of integrity of information that should be protected
T 5.87 Web spoofing
T 5.88 Abuse of active content

Method recommendation

To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.

This module describes the threats and safeguards applying specifically to a web server. Furthermore, module S 3.101 General server must be implemented for the security of the server, as well as module S 3.102 Servers under Unix or S 3.108 Windows 2000 Server, depending on which operating system is used. If the website contains content generated dynamically by a web application using data from a database, module S 5.7 Databases must also be taken into consideration. Module S 1.8 Handling of security incidents should also be considered, especially if the web server can be accessed from the Internet. If the web server offers web applications, the safeguards described in module S 5.21 Web applications must be implemented.

Module S 3.301 Security gateway (firewall) must be taken into account to ensure secure connection of a web server to a public network (for example the Internet), but also when connecting several intranets to form an organisation-wide intranet. The controlled connection of external access points (for example for telecommuting workplaces connecting via ISDN) is addressed in module S 5.8 Telecommuting.

A web server should be set up in a separate server room. The safeguards to be implemented in this case are described in S 2.4 Server room. If no server room is available, the web server can be set up in a server cabinet as an alternative (see module S 2.7 Protective cabinets). If the web server is not operated by the organisation itself, but by an external service provider instead, module S 1.11 Outsourcing must be taken into consideration.

A host of measures must be implemented to securely and successfully set up a web server. The steps to be followed in this case as well as the safeguards to implement in each phase are listed in the following.

Planning and design

Before a web server is configured, a web server security strategy should describe the security safeguards that must be implemented, including their extent (see S 2.173 Determining a web security strategy).

One important aspect of the security of a web server is relevant even before the web server exists: the planning and organisation of the website. Only when it has been clarified which goals are to be achieved with a website and which content or applications are offered to this end, can the corresponding safeguards ensure that security problems will be avoided to the greatest extent possible. Security aspects must therefore be taken into consideration very early in the planning phase so that the architecture under development can be designed to be sufficiently secure (see S 2.172 Developing a concept for using the web).

Furthermore, the information must be maintained and updated at regular intervals. The task of providing support for a website often involves several organisational units and technical support and content management are provided by different departments in many cases. Therefore, in order to ensure that the website works as smoothly as possible, corresponding general organisational conditions must be created. Ideally, a team of editors should be established to manage the website (see S 2.272 Setting up a web editorial team).

When planning and drawing up a concept as to how the information is to be provided on the web server, active content should be avoided (see S 4.360 Secure configuration of a web server).

Purchasing

A web server may also be operated by a service provider. Based on the web server security strategy and the requirements resulting from it, a suitable provider must be selected (see S 2.176 Selection of a suitable Internet service provider).

Implementation

Upon completion of the planning phase and after having installed the web server application on the server's operating system, the web server must be set up (see S 2.175 Setting up a web server) and configured (see S 4.360 Secure configuration of a web server) securely. The files and directories on a web server must be protected against unauthorised changes, but possibly also against unauthorised read access (see S 4.94 Protection of the web server files).

Operation

Upon completion of web server installation and configuration, normal operation commences. S 2.174 Secure operation of a web server is intended to ensure that the relevant systems of the information cluster are kept up-to-date from a security point of view. For this, the web server must be updated regularly (see S 2.273 Prompt installation of security-relevant patches and updates) and the updates must be checked for manipulations (see S 4.177 Assuring the integrity and authenticity of software packages).

Contingency Planning

Only regular and comprehensive data backups can reliably guarantee the ability to restore the availability of all data stored in case of malfunctions, hardware failures, or (intentional or unintentional) deletion. The necessary safeguards are described in module S 1.4 Data backup policy.

When drawing up the business continuity plan, it is necessary to draw up a concept detailing how the effects of a failure can be minimised and which actions need to be taken in case of a failure. For this, a business continuity plan must be drawn up for the web server (see S 6.88 Creation of a business continuity plan for the web server). Additionally, the safeguards of module S 1.3 Business continuity management should be taken into consideration.

The bundle of security safeguards for web servers is presented in the following. The safeguards presented in other modules are not repeated here.

Planning and design

S 2.172 (A) Developing a concept for using the web
S 2.173 (A) Determining a web security strategy
S 2.272 (Z) Setting up a web editorial team
S 2.298 (B) Administration of Internet domain names
S 4.34 (Z) Using encryption, checksums, or digital signatures
S 4.176 (B) Selection of an authentication method for web offerings
S 4.359 (W) Overview of the web server components
S 5.64 (Z) Secure Shell
S 5.66 (B) Use of TLS/SSL
S 5.159 (W) Overview of protocols and communication standards for web servers
S 5.160 (W) Authentication to web servers

Purchasing

S 2.176 (Z) Selection of a suitable Internet service provider

Implementation

S 2.175 (A) Setting up a web server
S 4.64 (C) Verification of data before transmission / elimination of residual information
S 4.94 (A) Protection of the web server files
S 4.95 (A) Minimal operating system
S 4.96 (Z) Deactivating DNS
S 4.98 (A) Restricting communication to a minimum with packet filters
S 4.360 (B) Secure configuration of a web server
S 5.161 (W) Creating dynamic websites

Operation

S 2.174 (A) Secure operation of a web server
S 2.273 (A) Prompt installation of security-relevant patches and updates
S 4.33 (A) Use of a virus scanning program on exchange of data media and during data transfer
S 4.78 (A) Careful modifications of configurations
S 4.177 (B) Assuring the integrity and authenticity of software packages
S 5.59 (A) Protection against DNS spoofing in authentication mechanisms

Contingency Planning

S 6.88 (B) Creation of a business continuity plan for the web server