S 2.174 Secure operation of a web server
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Web servers are attractive targets for attackers and must therefore be configured very carefully in order to ensure secure operation. The operating system and the software must be configured in such a way that the computer is protected against attacks as well as possible. A computer that has not been configured accordingly must not be connected to the network.
When configuring the web server application, some basic aspects should be taken into consideration regardless of which web server application is used. How these are configured in detail depends on the web server application.
Most web server applications offer an option that controls what happens when an HTTP request names a directory rather than a specific file: either the contents of the directory are listed, or a designated file (for example index.html) is returned instead. This should be configured as follows:
- if an index file exists in the directory, the index file is returned
- if not, an error message is returned; the contents of the directory must not be listed.
If the web server application allows the directories in which programs or CGI scripts may be executed to be specified, this option must be set very restrictively. Under no circumstances should it be possible to execute programs anywhere in the web area. It is recommended to create a separate directory for programs and scripts and to permit execution in this directory only.
It is often possible to specify whether files or directories that "appear" in the web file tree only by way of a symbolic link (Unix) or a shortcut (Windows) should be served. This should be disabled where possible, since such links make it easy to expose files that were never intended for publication.
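The three settings above are usually implemented as per-directory options of the web server application. The following is an added example, not part of this safeguard, that audits an Apache httpd-style configuration for them: a constructed weak configuration (directory listing, symbolic links and CGI execution all enabled in the document root) is shown next to the corrected one, and the audit reports every directory that lists its contents, follows links, or executes CGI programs outside the designated script directory. The paths /srv/www/htdocs and /srv/www/cgi-bin are assumptions for the demonstration.

```python
"""Audit an Apache httpd-style configuration for directory listings,
symbolic links and CGI execution outside the script directory.

Added example; not part of the original safeguard text.  The two sample
configurations are constructed for this demonstration, and the
directory paths are assumptions.
"""
import re

# Directory in which CGI execution is permitted (assumption for the example).
CGI_DIR = "/srv/www/cgi-bin"

# Constructed: a weak configuration with all three problems in the document root.
WEAK_CONFIG = """
<Directory "/srv/www/htdocs">
    Options Indexes FollowSymLinks ExecCGI
    DirectoryIndex index.html
</Directory>
<Directory "/srv/www/cgi-bin">
    Options ExecCGI
</Directory>
"""

# Constructed: the corrected configuration.  With Indexes removed, a request
# for a directory without an index file is answered with 403 Forbidden.
HARDENED_CONFIG = """
<Directory "/srv/www/htdocs">
    Options None
    DirectoryIndex index.html
</Directory>
<Directory "/srv/www/cgi-bin">
    Options ExecCGI
</Directory>
"""

# "Options All" in httpd means every option except MultiViews.
ALL_OPTIONS = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
               "Indexes", "SymLinksIfOwnerMatch"}
CANONICAL = {o.lower(): o for o in ALL_OPTIONS}
DIR_BLOCK = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S)


def parse_directories(config):
    """Return {directory path: set of effective Options} per <Directory> block.

    httpd semantics: a line consisting only of +/- tokens modifies the
    current set, any absolute token makes the line replace it, "All"
    expands to ALL_OPTIONS and "None" clears the set.
    """
    result = {}
    for path, body in DIR_BLOCK.findall(config):
        opts = set()
        for line in body.splitlines():
            tokens = line.split()
            if not tokens or tokens[0].lower() != "options":
                continue
            values = tokens[1:]
            if not all(v[0] in "+-" for v in values):
                opts = set()                       # absolute list replaces
            for v in values:
                sign, name = (v[0], v[1:]) if v[0] in "+-" else ("+", v)
                key = name.lower()
                if key == "all":
                    names = set(ALL_OPTIONS)
                elif key == "none":
                    names = set()
                else:
                    names = {CANONICAL.get(key, name)}
                opts = opts | names if sign == "+" else opts - names
        result[path.rstrip("/")] = opts
    return result


def audit(config, cgi_dir=CGI_DIR):
    """Return a list of (path, finding) tuples; an empty list means compliant."""
    findings = []
    for path, opts in parse_directories(config).items():
        if "Indexes" in opts:
            findings.append((path, "directory listing enabled (Indexes)"))
        if "FollowSymLinks" in opts or "SymLinksIfOwnerMatch" in opts:
            findings.append((path, "symbolic links are followed"))
        if "ExecCGI" in opts and path != cgi_dir.rstrip("/"):
            findings.append((path, "CGI execution outside the script directory"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

The audit covers only what the page discusses; a real review would also read included files and the server-wide defaults outside any <Directory> block.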
It is recommended to work through a checklist such as the following in order to ensure secure operation.
Checklist:
- Are only the components needed installed?
- Is the web server application configured as restrictively as possible? For example, CGI programs should either be blocked completely or the CGI programs should be restricted to a separate directory. File access for the web server process should be restricted to a certain section of the file tree. Separate, non-privileged user IDs should be used for the administration and operation of the server.
- Have all unneeded CGI programs, ASP pages, and other demo applications and websites been deleted?
- Is access restricted to only those ports absolutely needed (see also S 4.97 One service per server)? On a web server, the HTTP service is usually reached on port 80 (HTTPS on port 443). If the server is administered or the web server files are maintained over the network, additional services may be necessary. In this case, access to these services must be restricted to the absolute minimum (see also S 4.98 Restricting communication to a minimum with packet filters).
- Has it been ensured that adequate backups of the data will be made regularly (see module S 1.4 Data backup policy)?
- If CGI programs are used, have they been programmed securely? No input data may be accepted without first being checked. It must be ensured that no buffer overflows or race conditions can occur. Perl scripts should run with taint checking enabled (the -T switch).
- Is there a properly functioning procedure in place for regular integrity checks (e.g. Tripwire, see S 4.93 Regular integrity checking)?
- Is the configuration checked regularly? Are changes to the configuration documented?
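The checklist item on CGI programs asks that no input be accepted without checking it first. The following is an added example, not part of this safeguard, of a CGI handler in Python that applies that rule to a single request parameter: the value is bounded in length, matched against a strict allowlist pattern, and the resulting file path is confined to the document root after resolving ".." and symbolic links. The parameter name page, the document root /srv/www/htdocs and the limits are assumptions for the demonstration.

```python
"""Input validation for a CGI program, as called for in the checklist.

Added example; not code from the original safeguard.  The document root,
the parameter name and the limits are assumptions for the demonstration.
"""
import os
import re
from urllib.parse import parse_qs

DOCROOT = "/srv/www/htdocs"          # assumption for the example
MAX_PARAM_LEN = 64                   # hard length bound on any parameter value
# Allowlist: a plain page name, no path separators, fixed extension.
PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}\.html$")


class InvalidInput(ValueError):
    """Raised for any parameter value that fails a check."""


def validate_page(value):
    """Return the page name if it passes every check, else raise InvalidInput."""
    if len(value) > MAX_PARAM_LEN:
        raise InvalidInput("parameter too long")
    if not PAGE_NAME.fullmatch(value):
        raise InvalidInput("page name does not match allowlist")
    return value


def confined_path(docroot, page):
    """Join page onto docroot and confirm the result stays below docroot.

    realpath() resolves '..' components and symbolic links, so a link
    inside the web tree that points outside it is rejected as well.
    """
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root:
        raise InvalidInput("path escapes the document root")
    return target


def handle_request(query_string, docroot=DOCROOT):
    """Minimal CGI-style handler: return (status, body) for a query string.

    The body is the validated file path; a real program would read and
    return that file.  Anything that fails a check is answered with 400.
    """
    params = parse_qs(query_string)
    values = params.get("page", [])
    if len(values) != 1:                 # missing or duplicated parameter
        return 400, "Bad Request"
    try:
        page = validate_page(values[0])
        path = confined_path(docroot, page)
    except InvalidInput:
        return 400, "Bad Request"
    return 200, path


if __name__ == "__main__":
    for qs in ("page=index.html", "page=../../etc/passwd",
               "page=index.html;id", "page=" + "a" * 100 + ".html"):
        print(qs[:40], "->", handle_request(qs))
```

Rejecting everything that is not explicitly allowed is the point: the handler never tries to "clean" a bad value, it refuses it. The same pattern applies to every other parameter a CGI program reads.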
Example: Setting up a simple web server
A simple web server is one on which the content of the individual web pages changes only rarely, no CGI programs are used, and no special access protection is required. The individual web documents are installed on the web server from a data medium. On such a server, all system files as well as all HTML pages can be write-protected. An attacker may be able to change temporary files and log entries on such a server, but cannot make changes to the system. This protection should be implemented using a data medium with a physical write-protection mechanism, for example one or more CD-ROMs or a write-protected removable disk. Regular integrity checks should nevertheless be performed (see S 4.93 Regular integrity checking).
All unneeded functionality of the HTTP daemon should be disabled, for example the option enabling the execution of CGI scripts. In any case, the CGI programs supplied with the system should be removed.
One frequently encountered variant of a simple web server allows the documents on the web server to be changed interactively by users with the corresponding authorisations. In this case, protection against unauthorised changes and frequent, regular integrity checks are particularly important.
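Both the checklist item on integrity checking (S 4.93) and the simple web server example above call for regular integrity checks of the web file tree. The following is an added example, not part of this safeguard and not Tripwire itself: a baseline of SHA-256 hashes is recorded while the content is known to be good (for instance directly after installation from the write-protected medium), and each later check recomputes the hashes and reports modified, added and removed files. Symbolic links are recorded by their target rather than followed, so a newly planted link is reported as a change. The sample file tree and the tampering are constructed inside the demonstration.

```python
"""Regular integrity check of a web server's file tree.

Added example; not part of the original safeguard and not Tripwire.
The baseline must be stored where the web server process cannot write
to it (off the host or on write-protected media), otherwise an attacker
who modifies a file can simply rewrite the baseline to match.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each entry below root (relative path) to its SHA-256.

    Symbolic links are not followed; they are recorded as their target so
    that a planted link shows up as an added or modified entry.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                              # deterministic order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
            else:
                manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline, current):
    """Return {'modified': [...], 'added': [...], 'removed': [...]}."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed demonstration: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "img"))
        content = {"index.html": b"<h1>Welcome</h1>", "img/logo.png": b"\x89PNG..."}
        for rel, data in content.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_manifest(root)
        # Tampering (constructed): a defaced page, an unexpected new
        # executable, and a removed image.
        with open(os.path.join(root, "index.html"), "wb") as f:
            f.write(b"<h1>Defaced</h1>")
        with open(os.path.join(root, "new.cgi"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.remove(os.path.join(root, "img/logo.png"))
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In operation, build_manifest() runs once after installation and its output is saved with save_manifest() to protected storage; the scheduled check loads that file, rebuilds the manifest and raises an alarm on any non-empty list in the comparison. On the simple web server described above, where the pages live on write-protected media, every reported difference is suspicious by definition.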
Review questions:
- Have the operating system and the software been configured in such a way that the computer is protected against attacks in the best possible way?
- Are the directories in which retrievable files are stored located on a separate partition of the hard disk?
- For HTTP requests that name a directory: is the index file returned if one is present, and an error message generated otherwise?
- If it is possible to define the execution locations of programs or CGI scripts: Is it only possible to execute the programs or CGI scripts in the designated directories?
- Has the serving of files reached via symbolic links (Unix) or shortcuts (Windows) in the web file tree been disabled?