Web Server Hardening

Supraja Shankar
Symbiosis Institute of Computer Studies and Research
Web server
● It is a client-server architecture.
● The function of a web server is to service requests made through the HTTP protocol.
Main threats to a web server
• Profiling
• Denial of service
• Unauthorized access
• Arbitrary code execution
• Elevation of privileges
• Viruses, worms, and Trojan horses

Source: http://msdn.microsoft.com/en-us/library/ff648653.aspx
Apache
An overview

● Apache runs under a multitasking operating system.
● The binary is httpd on Unix and apache.exe on Windows.
● It usually runs in the background.
● The name comes from "A PAtCHy server" (1991).
● Open source under the Apache License.
Structure

[Figure: Apache structure diagram]
Source: http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm

Core structure

[Figure: Apache core structure diagram]
Source: http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
Securing Apache

mod_auth
● Authorizes access to content.
● AuthUserFile file-path tells Apache which file holds the usernames and passwords.
● Passwords are set with the htpasswd command.

mod_access
● Limits access.
● Can apply to a whole set of IPs or be narrowed down to ports.
● Directives: Deny / Allow / Order
Hardening

Remove the default Apache files:
sudo rm -rf /opt/apache2/htdocs/*
sudo rm -rf /opt/apache2/cgi-bin/*
sudo rm -rf /opt/apache2/icons

Hide the Apache version number:
ServerSignature Off
ServerTokens Prod

Run Apache in a chroot jail.
Hardening From Source
Modules to consider leaving out when building Apache from source:
● userdir – Mapping of requests to user-specific directories, i.e. a username in the URL is translated to a directory on the server
● autoindex – Displays a directory listing when no index.html file is present
● status – Displays server stats
● env – Clearing/setting of ENV vars
● setenvif – Setting ENV vars based on request headers
● cgi – CGI scripts
● actions – Action triggering on requests
● negotiation – Content negotiation
● alias – Mapping of requests to different filesystem parts
● include – Server Side Includes
● filter – Smart filtering of requests
● version – Handling version information in config files using IfVersion
● as-is – as-is filetypes
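A way to check an existing httpd.conf against the points on the Securing Apache, Hardening and Hardening From Source slides, as an added example written for this page rather than code from the original deck: it flags ServerTokens/ServerSignature values other than Prod/Off, LoadModule lines for the modules listed above, and <Directory> blocks with neither mod_auth nor mod_access directives. The two sample configurations are constructed.

```python
"""Audit an httpd.conf for the hardening points on these slides: ServerTokens
and ServerSignature, risky modules still loaded, and <Directory> blocks with
neither mod_auth nor mod_access restrictions. Example written for this page,
not from the original deck; the sample configs below are constructed."""

# Modules the "Hardening From Source" slide lists as candidates to drop.
RISKY_MODULES = {"userdir", "autoindex", "status", "env", "setenvif", "cgi",
                 "actions", "negotiation", "alias", "include", "filter",
                 "version", "asis"}
# mod_auth directives (who the client is) and mod_access directives (where
# the client comes from), as on the "Securing Apache" slide.
AUTH_DIRECTIVES = {"authtype", "authname", "authuserfile", "require"}
ACCESS_DIRECTIVES = {"order", "deny", "allow"}


def iter_directives(conf):
    """Yield (lower-cased name, argument string) per non-comment line."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def audit_httpd_conf(conf):
    """Return a list of findings; an empty list means every check passed."""
    tokens, signature, loaded, dirs, current = None, None, set(), {}, None
    for name, args in iter_directives(conf):
        if name == "servertokens":
            tokens = args
        elif name == "serversignature":
            signature = args
        elif name == "loadmodule":
            # e.g. "LoadModule autoindex_module modules/mod_autoindex.so"
            ident = args.split()[0]
            loaded.add(ident[:-7] if ident.endswith("_module") else ident)
        elif name == "<directory":
            current = args.rstrip(">").strip().strip('"')
            dirs[current] = {"auth": False, "access": False}
        elif name == "</directory>":
            current = None
        elif current is not None and name in AUTH_DIRECTIVES:
            dirs[current]["auth"] = True
        elif current is not None and name in ACCESS_DIRECTIVES:
            dirs[current]["access"] = True

    findings = []
    # Apache's own defaults are ServerTokens Full and ServerSignature Off.
    if (tokens or "Full").lower() != "prod":
        findings.append("ServerTokens is %s; set 'ServerTokens Prod'"
                        % (tokens or "unset (defaults to Full)"))
    if (signature or "Off").lower() != "off":
        findings.append("ServerSignature is %s; set 'ServerSignature Off'"
                        % signature)
    for mod in sorted(loaded & RISKY_MODULES):
        findings.append("mod_%s is loaded; build without it or remove its "
                        "LoadModule line" % mod)
    for path, flags in dirs.items():
        if not (flags["auth"] or flags["access"]):
            findings.append("<Directory %s> has neither mod_auth nor "
                            "mod_access restrictions" % path)
    return findings


# Constructed sample: a stock-looking config before hardening.
WEAK_CONF = """\
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule auth_module modules/mod_auth.so
ServerSignature On
<Directory "/opt/apache2/htdocs">
    Options Indexes FollowSymLinks
</Directory>
"""

# Constructed sample: the same server after the slides' hardening steps.
HARDENED_CONF = """\
LoadModule auth_module modules/mod_auth.so
LoadModule access_module modules/mod_access.so
ServerTokens Prod
ServerSignature Off
<Directory "/opt/apache2/htdocs">
    Options -Indexes
    Order Deny,Allow
    Deny from all
    Allow from 10.0.0.0/8
</Directory>
<Directory "/opt/apache2/htdocs/admin">
    AuthType Basic
    AuthName "Admin area"
    AuthUserFile /opt/apache2/conf/htpasswd
    Require valid-user
</Directory>
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_httpd_conf(conf) or ["no findings"])
```

The parser is line-oriented and does not follow Include directives, so run it over each included file as well.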
IIS
What is IIS?
♦ IIS (Internet Information Server) is a group of Internet servers (including a Web or Hypertext Transfer Protocol server and a File Transfer Protocol server) with additional capabilities for Microsoft's Windows NT and Windows 2000 Server operating systems.
♦ IIS is Microsoft's entry to compete in the Internet server market that is also addressed by Apache, Sun Microsystems, O'Reilly, and others.
♦ With IIS, Microsoft includes a set of programs for building and administering Web sites, a search engine, and support for writing Web-based applications that access databases.
♦ Microsoft points out that IIS is tightly integrated with the Windows NT and 2000 Servers in a number of ways, resulting in faster Web page serving.
TOPOLOGY

[Figure: IIS deployment topology]
Source: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24016818.html
FEATURES
◙ HTTP modules
◙ Security modules
◙ Content modules
◙ Compression modules
◙ Caching modules
◙ Logging and Diagnostics modules
Vulnerabilities
Microsoft has been criticized for IIS's susceptibility to computer virus attacks such as Code Red and Nimda.

According to Secunia, as of June 2011, IIS 7 had a total of 6 resolved vulnerabilities while IIS 6 had a total of 11 vulnerabilities, of which 1 was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.
Securing IIS
Hardening Domains

GENERAL
• Do not connect an IIS Server to the Internet until it is fully hardened.
• Place the server in a physically secure location.
• Do not install the IIS server on a domain controller.
• Do not install a printer.
• Use two network interfaces in the server: one for admin and one for the network.
• Install service packs, patches and hot fixes.
• Run IISLockdown on the server.
• Install and configure URLScan.
• Secure remote administration of the server and configure it for encryption, low session time-outs and account lockouts.
• Disable unnecessary Windows services.
• Ensure services are running with least-privileged accounts.
GENERAL (contd..)
• Disable FTP, SMTP and NNTP services if they are not required.
• Disable the Telnet service.
• Disable the ASP.NET state service if it is not used by your applications.
• Disable WebDAV if it is not used by the application, or secure it if it is required.
• Do not install Data Access Components unless specifically needed.
• Do not install the HTML version of the Internet Services Manager.
• Do not install the MS Index Server unless required.
• Do not install the MS FrontPage Server Extensions unless required.
• Harden the TCP/IP stack.
• Disable NetBIOS and SMB (closing ports 137, 138, 139 and 445).
• Reconfigure Recycle Bin and Page file system data policies.
• Secure CMOS settings.
• Secure physical media (floppy drive, CD-ROM drive and so on).
ACCOUNTS
• Remove unused accounts from the server.
• Disable the Windows Guest account.
• Rename the Administrator account and set a strong password.
• Disable the IUSR_MACHINE account if it is not used by the application.
• Create a custom least-privileged anonymous account if applications require anonymous access.
• Do not give the anonymous account write access to Web content directories or allow it to execute command-line tools.
• If you host multiple Web applications, configure a separate anonymous user account for each one.
ACCOUNTS (contd..)
• Configure the ASP.NET process account for least privilege. (This only applies if you are not using the default ASP.NET account, which is a least-privileged account.)
• Enforce strong account and password policies for the server.
• Restrict remote logons. (The "Access this computer from the network" user right is removed from the Everyone group.)
• Do not share accounts among administrators.
• Disable Null sessions (anonymous logons).
• Require approval for account delegation.
• Do not allow users and administrators to share accounts.
• Do not create more than two accounts in the Administrators group.
• Require administrators to log on locally or secure the remote administration solution.
FILES AND DIRECTORIES
• Use multiple disks or partition volumes and do not install the Web server home directory on the same volume as the operating system folders.
• Contain files and directories on NTFS volumes.
• Put Web site content on a non-system NTFS volume.
• Create a new site and disable the default site.
• Put log files on a non-system NTFS volume but not on the same volume where the Web site content resides.
• Restrict the Everyone group (no access to \WINNT\system32 or Web directories).
• Ensure the Web site root directory has a deny-write ACE for anonymous Internet accounts.
• Ensure content directories have a deny-write ACE for anonymous Internet accounts.
FILES AND DIRECTORIES (Contd..)
• Remove the remote IIS administration application (\WINNT\System32\Inetsrv\IISAdmin).
• Remove resource kit tools, utilities and SDKs.
• Remove sample applications (\WINNT\Help\IISHelp, \Inetpub\IISSamples).
• Remove the IP address in the header for Content-Location.

SHARES
• Remove all unnecessary shares (including default administration shares).
• Restrict access to required shares (the Everyone group does not have access).
• Remove Administrative shares (C$ and Admin$) if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).
PORTS
• Restrict Internet-facing interfaces to port 80 (and 443 if SSL is used).
• Encrypt Intranet traffic (for example, with SSL), or restrict Internet traffic if you do not have a secure data center infrastructure.

REGISTRY
• Restrict remote registry access.
• Secure the SAM (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash). This applies only to standalone servers.
AUDITING AND LOGGING
• Audit failed logon attempts.
• Relocate and secure IIS log files.
• Configure log files with an appropriate file size depending on the application security requirement.
• Regularly archive and analyze log files.
• Audit access to the Metabase.bin file.
• Configure IIS for W3C Extended log file format auditing.
• Read "How to use SQL Server to analyze Web logs" at support.microsoft.com.
SITES AND VIRTUAL DIRECTORIES
• Put Web sites on a non-system partition.
• Disable the "Parent paths" setting.
• Remove potentially dangerous virtual directories including IISSamples, IISAdmin, IISHelp and Scripts.
• Remove or secure the MSADC virtual directory (RDS).
• Do not grant included directories Read Web permission.
• Restrict Write and Execute Web permissions for anonymous accounts in virtual directories.
• Ensure there is script source access only on folders that support content authoring.
• Ensure there is write access only on folders that support content authoring, and that these folders are configured for authentication (and SSL encryption, if required).
• Remove FrontPage Server Extensions (FPSE) if not used. If FPSE are used, update and restrict access to them.
• Remove the IIS Internet Printing virtual directory.
SCRIPT MAPPING
• Map extensions not used by the application to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer).
• Map unnecessary ASP.NET file type extensions to "HttpForbiddenHandler" in Machine.config.

ISAPI FILTERS
• Remove unnecessary or unused ISAPI filters from the server.

IIS METABASE
• Restrict access to the metabase by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin).
• Restrict IIS banner information (disable the IP address in Content-Location).
SERVER CERTIFICATES
• Ensure certificate date ranges are valid.
• Only use certificates for their intended purpose (for example, the server certificate is not used for e-mail).
• Ensure the certificate's public key is valid, all the way to a trusted root authority.
• Confirm that the certificate has not been revoked.

Machine.config
• Map protected resources to HttpForbiddenHandler.
• Remove unused HttpModules.
• Disable tracing:
<trace enabled="false"/>
• Turn off debug compiles:
<compilation debug="false" explicit="true" defaultLanguage="vb"/>
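An added check for the Machine.config items above, written for this page and not part of the original deck: it parses the file, reports tracing or debug compilation left on, and reports any of an assumed set of protected file types (*.config, *.cs, *.vb, *.resx) that is not mapped to HttpForbiddenHandler. The two sample configs are constructed.

```python
"""Check an ASP.NET Machine.config (or web.config) for the settings on the
Machine.config slide: tracing off, debug compiles off, and protected file
types mapped to HttpForbiddenHandler. Example written for this page, not
from the original deck; the sample configs below are constructed."""
import xml.etree.ElementTree as ET

FORBIDDEN_HANDLER = "System.Web.HttpForbiddenHandler"
# File types that must never be served to a browser (assumed list for this
# example; extend it to match the application's source and config files).
PROTECTED_PATHS = ("*.config", "*.cs", "*.vb", "*.resx")


def handler_map(system_web):
    """Map each <httpHandlers><add path=...> entry to its handler type name,
    dropping any assembly qualification after the first comma."""
    mapping = {}
    handlers = system_web.find("httpHandlers")
    if handlers is not None:
        for add in handlers.findall("add"):
            mapping[add.get("path", "")] = add.get("type", "").split(",")[0].strip()
    return mapping


def audit_machine_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    web = next((el for el in root if el.tag == "system.web"), None)
    if web is None:
        return ["no <system.web> section found"]
    findings = []

    # ASP.NET treats a missing element or attribute as false, so only an
    # explicit "true" is reported.
    trace = web.find("trace")
    if trace is not None and trace.get("enabled", "false").lower() == "true":
        findings.append('tracing is enabled; set <trace enabled="false"/>')
    comp = web.find("compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append('debug compiles are on; set <compilation debug="false"/>')

    mapped = handler_map(web)
    for path in PROTECTED_PATHS:
        if mapped.get(path) != FORBIDDEN_HANDLER:
            findings.append("%s is not mapped to %s" % (path, FORBIDDEN_HANDLER))
    return findings


# Constructed sample: tracing and debug left on, *.resx left unprotected.
WEAK_MACHINE_CONFIG = """\
<configuration>
  <system.web>
    <trace enabled="true" localOnly="true"/>
    <compilation debug="true" explicit="true" defaultLanguage="vb"/>
    <httpHandlers>
      <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler"/>
      <add verb="*" path="*.cs" type="System.Web.HttpForbiddenHandler"/>
      <add verb="*" path="*.vb" type="System.Web.HttpForbiddenHandler"/>
    </httpHandlers>
  </system.web>
</configuration>
"""

# Constructed sample: the slide's recommended settings applied.
HARDENED_MACHINE_CONFIG = """\
<configuration>
  <system.web>
    <trace enabled="false"/>
    <compilation debug="false" explicit="true" defaultLanguage="vb"/>
    <httpHandlers>
      <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler"/>
      <add verb="*" path="*.cs" type="System.Web.HttpForbiddenHandler"/>
      <add verb="*" path="*.vb" type="System.Web.HttpForbiddenHandler"/>
      <add verb="*" path="*.resx" type="System.Web.HttpForbiddenHandler, System.Web"/>
    </httpHandlers>
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MACHINE_CONFIG), ("hardened", HARDENED_MACHINE_CONFIG)):
        print(label, audit_machine_config(cfg) or ["no findings"])
```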
References
localhost/manual
http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
http://www.cooperation-iws.org/wiki/index.php/Web_server_architecture
http://security.stackexchange.com/questions/77/apache-server-hardening
http://www.linuxquestions.org/questions/linux-software-2/how-apache-works-with-php-mysql-whatever-85685/
http://docstore.mik.ua/orelly/linux/apache/ch01_01.htm
http://www.devshed.com/c/a/Apache/Apache-and-the-Internet/1/
http://www.symantec.com/connect/articles/securing-apache-step-step
http://www.devdaily.com/unix/edu/UnixSysAdmin/node169.shtml
http://www.opensourcevarsity.com/phpbasics/l4bindingphptoapache
http://searchsecurity.techtarget.com/feature/Windows-IIS-server-hardening-checklist
http://en.wikipedia.org/wiki/Internet_Information_Services
http://searchwindowsserver.techtarget.com/definition/IIS
http://www.microsoft.com/web/platform/server.aspx
http://www.faqs.org/docs/apache-compile/php.html
http://dan.drydog.com/apache2php.html
“Security is not a product, but a process.”
                                         - Bruce Schneier

THANK YOU

 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Último (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

Web Server Hardening

  • 1. Web Server Hardening
    Supraja Shankar
    Symbiosis Institute Of Computer Studies And Research
  • 2. Web server
    ● It’s a client – server architecture.
    ● The function of a web server is to service requests made through the HTTP protocol.
  • 3. Main threats to a web server
    • Profiling
    • Denial of service
    • Unauthorized access
    • Arbitrary code execution
    • Elevation of privileges
    • Viruses, worms, and Trojan horses
    Source: http://msdn.microsoft.com/en-us/library/ff648653.aspx
  • 5. An overview
    ● Apache runs under a multitasking operating system.
    ● httpd for Unix and apache.exe for Windows
    ● Usually runs in the background
    ● Originally named from "A PAtCHy" in 1991
    ● Open source under the Apache License
  • 9. Securing Apache
    ● mod_auth
      ● For authorizing content
      ● AuthUserFile file-path names the file where usernames and passwords are saved.
      ● Passwords can be set with the htpasswd command.
    ● mod_access
      ● Limits access
      ● Can cover a whole set of IPs or be narrowed down to ports
      ● Deny / Allow / Order
  • 10. Hardening
    Remove default Apache files:
    sudo rm -fr /opt/apache2/htdocs/*
    sudo rm -fr /opt/apache2/cgi-bin/*
    sudo rm -fr /opt/apache2/icons
    Hide the Apache version number:
    ServerSignature Off
    ServerTokens Prod
    Chroot
  • 11. Hardening From Source
    ● userdir – Mapping of requests to user-specific directories, i.e. a username in the URL is translated to a directory on the server
    ● autoindex – Displays a directory listing when no index.html file is present
    ● status – Displays server stats
    ● env – Clearing/setting of ENV vars
    ● setenvif – Placing ENV vars on headers
    ● cgi – CGI scripts
    ● actions – Action triggering on requests
    ● negotiation – Content negotiation
    ● alias – Mapping of requests to different filesystem parts
    ● include – Server Side Includes
    ● filter – Smart filtering of requests
    ● version – Handling version information in config files using IfVersion
    ● as-is – as-is filetypes
  • 12. IIS
  • 13. What is IIS?
    ♦ IIS (Internet Information Server) is a group of Internet servers (including a Web or Hypertext Transfer Protocol server and a File Transfer Protocol server) with additional capabilities for Microsoft's Windows NT and Windows 2000 Server operating systems.
    ♦ IIS is Microsoft's entry to compete in the Internet server market that is also addressed by Apache, Sun Microsystems, O'Reilly, and others.
    ♦ With IIS, Microsoft includes a set of programs for building and administering Web sites, a search engine, and support for writing Web-based applications that access databases.
    ♦ Microsoft points out that IIS is tightly integrated with the Windows NT and 2000 Servers in a number of ways, resulting in faster Web page serving.
  • 15. FEATURES
    ◙ HTTP modules
    ◙ Security modules
    ◙ Content modules
    ◙ Compression modules
    ◙ Caching modules
    ◙ Logging and Diagnostics modules
  • 16. Vulnerabilities
    Microsoft has been criticized for IIS's susceptibility to computer virus attacks such as Code Red and Nimda. According to Secunia, as of June 2011, IIS 7 had a total of 6 resolved vulnerabilities while IIS 6 had a total of 11 vulnerabilities, of which 1 was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.
  • 19. GENERAL
    • Do not connect an IIS Server to the Internet until it is fully hardened.
    • Place the server in a physically secure location.
    • Do not install the IIS server on a domain controller.
    • Do not install a printer.
    • Use two network interfaces in the server — one for admin and one for the network.
    • Install service packs, patches and hot fixes.
    • Run IISLockdown on the server.
    • Install and configure URLScan.
    • Secure remote administration of the server and configure it for encryption, low session time-outs and account lockouts.
    • Disable unnecessary Windows services.
    • Ensure services are running with least-privileged accounts.
    Continued….
  • 20. GENERAL (contd..)
    • Disable FTP, SMTP and NNTP services if they are not required.
    • Disable the Telnet service.
    • Disable the ASP.NET state service if not used by your applications.
    • Disable WebDAV if not used by the application, or secure it if it is required.
    • Do not install Data Access Components unless specifically needed.
    • Do not install the HTML version of the Internet Services Manager.
    • Do not install the MS Index Server unless required.
    • Do not install the MS FrontPage Server extensions unless required.
    • Harden the TCP/IP stack.
    • Disable NetBIOS and SMB (closing ports 137, 138, 139 and 445).
    • Reconfigure Recycle Bin and Page file system data policies.
    • Secure CMOS settings.
    • Secure physical media (floppy drive, CD-ROM drive and so on).
  • 21. ACCOUNTS
    • Remove unused accounts from the server.
    • Disable the Windows Guest account.
    • Rename the Administrator account and set a strong password.
    • Disable the IUSR_MACHINE account if it is not used by the application.
    • Create a custom least-privileged anonymous account if applications require anonymous access.
    • Do not give the anonymous account write access to Web content directories or allow it to execute command-line tools.
    • If you host multiple Web applications, configure a separate anonymous user account for each one.
    Continued….
  • 22. ACCOUNTS (contd..)
    • Configure the ASP.NET process account for least privilege. (This only applies if you are not using the default ASP.NET account, which is a least-privileged account.)
    • Enforce strong account and password policies for the server.
    • Restrict remote logons. (The "Access this computer from the network" user-right is removed from the Everyone group.)
    • Do not share accounts among administrators.
    • Disable Null sessions (anonymous logons).
    • Require approval for account delegation.
    • Do not allow users and administrators to share accounts.
    • Do not create more than two accounts in the Administrators group.
    • Require administrators to log on locally or secure the remote administration solution.
  • 23. FILES AND DIRECTORIES
    • Use multiple disks or partition volumes and do not install the Web server home directory on the same volume as the operating system folders.
    • Contain files and directories on NTFS volumes.
    • Put Web site content on a non-system NTFS volume.
    • Create a new site and disable the default site.
    • Put log files on a non-system NTFS volume but not on the same volume where the Web site content resides.
    • Restrict the Everyone group (no access to WINNT\system32 or Web directories).
    • Ensure the Web site root directory has a deny write ACE for anonymous Internet accounts.
    • Ensure content directories have a deny write ACE for anonymous Internet accounts.
  • 24. FILES AND DIRECTORIES (Contd..)
    • Remove the remote IIS administration application (WINNT\System32\Inetsrv\IISAdmin).
    • Remove resource kit tools, utilities and SDKs.
    • Remove sample applications (WINNT\Help\IISHelp, Inetpub\IISSamples).
    • Remove the IP address in the header for Content-Location.
    SHARES
    • Remove all unnecessary shares (including default administration shares).
    • Restrict access to required shares (the Everyone group does not have access).
    • Remove Administrative shares (C$ and Admin$) if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).
  • 25. PORTS
    • Restrict Internet-facing interfaces to port 80 (and 443 if SSL is used).
    • Encrypt Intranet traffic (for example, with SSL), or restrict Internet traffic if you do not have a secure data center infrastructure.
    REGISTRY
    • Restrict remote registry access.
    • Secure SAM (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash). This applies only to standalone servers.
  • 26. AUDITING AND LOGGING
    • Audit failed logon attempts.
    • Relocate and secure IIS log files.
    • Configure log files with an appropriate file size depending on the application security requirement.
    • Regularly archive and analyze log files.
    • Audit access to the Metabase.bin file.
    • Configure IIS for W3C Extended log file format auditing.
    • Read "How to use SQL Server to analyze Web logs" at support.microsoft.com
  • 27. SITES AND VIRTUAL DIRECTORIES
    • Put Web sites on a non-system partition.
    • Disable the "Parent paths" setting.
    • Remove potentially dangerous virtual directories including IISSamples, IISAdmin, IISHelp and Scripts.
    • Remove or secure the MSADC virtual directory (RDS).
    • Do not grant included directories Read Web permission.
    • Restrict Write and Execute Web permissions for anonymous accounts in virtual directories.
    • Ensure there is script source access only on folders that support content authoring.
    • Ensure there is write access only on folders that support content authoring and that these folders are configured for authentication (and SSL encryption, if required).
    • Remove FrontPage Server Extensions (FPSE) if not used. If FPSE are used, update and restrict access to them.
    • Remove the IIS Internet Printing virtual directory.
  • 28. SCRIPT MAPPING
    • Map extensions not used by the application to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer).
    • Map unnecessary ASP.NET file type extensions to "HttpForbiddenHandler" in Machine.config.
    ISAPI FILTERS
    • Remove unnecessary or unused ISAPI filters from the server.
    IIS METABASE
    • Restrict access to the metabase by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin).
    • Restrict IIS banner information (disable the IP address in Content-Location).
  • 29. SERVER CERTIFICATES
    • Ensure certificate date ranges are valid.
    • Only use certificates for their intended purpose (for example, the server certificate is not used for e-mail).
    • Ensure the certificate's public key is valid, all the way to a trusted root authority.
    • Confirm that the certificate has not been revoked.
    Machine.config
    • Map protected resources to HttpForbiddenHandler.
    • Remove unused HttpModules.
    • Disable tracing: <trace enabled="false"/>
    • Turn off debug compiles: <compilation debug="false" explicit="true" defaultLanguage="vb">
  • 30. References
    localhost/manual
    http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
    http://www.cooperation-iws.org/wiki/index.php/Web_server_architecture
    http://security.stackexchange.com/questions/77/apache-server-hardening
    http://www.linuxquestions.org/questions/linux-software-2/how-apache-works-with-php-mysql-whatever-85685/
    http://docstore.mik.ua/orelly/linux/apache/ch01_01.htm
    http://www.devshed.com/c/a/Apache/Apache-and-the-Internet/1/
    http://www.symantec.com/connect/articles/securing-apache-step-step
    http://www.devdaily.com/unix/edu/UnixSysAdmin/node169.shtml
    http://www.opensourcevarsity.com/phpbasics/l4bindingphptoapache
    http://searchsecurity.techtarget.com/feature/Windows-IIS-server-hardening-checklist
    http://en.wikipedia.org/wiki/Internet_Information_Services
    http://searchwindowsserver.techtarget.com/definition/IIS
    http://www.microsoft.com/web/platform/server.aspx
    http://www.faqs.org/docs/apache-compile/php.html
    http://dan.drydog.com/apache2php.html
  • 31. “Security is not a product, but a process.” - Bruce Schneier
    THANK YOU
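An added example, not from the deck, that audits an httpd.conf text for the Apache items on slides 9 to 11: ServerTokens and ServerSignature, modules the from-source slide lists as removable, Options Indexes (what autoindex serves), and an AuthUserFile beside every Require valid-user. The two sample configs and the module subset are constructed for this example.

```python
# Modules slide 11 lists as removable when building from source (a subset).
OPTIONAL_MODULES = {"userdir", "autoindex", "status", "cgi", "include", "asis"}
# Constructed sample configs (not from the deck): weak settings, then corrected.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
LoadModule autoindex_module modules/mod_autoindex.so
<Directory "/opt/apache2/htdocs">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/opt/apache2/htdocs/private">
    Require valid-user
</Directory>
"""
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
<Directory "/opt/apache2/htdocs">
    Options -Indexes FollowSymLinks
</Directory>
<Directory "/opt/apache2/htdocs/private">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /opt/apache2/conf/.htpasswd
    Require valid-user
</Directory>
"""

def parse_directives(conf):
    # Yields (section, name, args); section is the enclosing <Directory> path.
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<directory"):
            section = line[len("<Directory"):].strip(' ">')
        elif line.lower().startswith("</directory"):
            section = None
        else:
            name, _, args = line.partition(" ")
            yield section, name.lower(), args.strip()

def audit_apache(conf):
    # Returns findings for the slide 9 to 11 checks; an empty list means clean.
    rows = list(parse_directives(conf))
    top = {n: a.lower() for s, n, a in rows if s is None}
    findings = []
    # Slide 10: hide the version in the Server header and on error pages.
    if top.get("servertokens", "full") != "prod":
        findings.append("ServerTokens is not Prod")
    if top.get("serversignature", "on") != "off":
        findings.append("ServerSignature is not Off")
    for s, n, a in rows:
        # Slide 11: modules that can be left out of a from-source build.
        mod = (a.split() or [""])[0].replace("_module", "") if n == "loadmodule" else ""
        if mod in OPTIONAL_MODULES:
            findings.append(f"optional module loaded: mod_{mod}")
        # Slide 11: autoindex serves a listing wherever Indexes is switched on.
        if n == "options" and any(t.lstrip("+") == "Indexes" for t in a.split()):
            findings.append(f"directory listing enabled in {s}")
        # Slide 9: mod_auth needs AuthUserFile in each section requiring users.
        if n == "require" and a == "valid-user" and not any(
                nn == "authuserfile" and ss == s for ss, nn, _ in rows):
            findings.append(f"Require valid-user without AuthUserFile in {s}")
    return findings
```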
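An added example for the slide 28 and 29 Machine.config items, not part of the deck: it flags tracing and debug compiles that are switched on and protected extensions not mapped to HttpForbiddenHandler, then applies those fixes to the XML. The config fragment and the extension subset are constructed; the ASP.NET trace attribute is spelled enabled.

```python
import xml.etree.ElementTree as ET

# Extensions a hardened Machine.config maps to HttpForbiddenHandler
# (constructed subset for this example, not the full ASP.NET list).
PROTECTED_EXTENSIONS = {".config", ".asax", ".ascx", ".cs", ".vb"}
FORBIDDEN = "System.Web.HttpForbiddenHandler"

# Constructed fragment in the Machine.config layout: tracing and debug builds
# on, and source files (.cs, .vb) not yet mapped to the forbidden handler.
WEAK_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.aspx" type="System.Web.UI.PageHandlerFactory" />
      <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.asax" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.ascx" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
    <trace enabled="true" />
    <compilation debug="true" explicit="true" defaultLanguage="vb" />
  </system.web>
</configuration>
"""

def forbidden_extensions(web):
    """Extensions whose httpHandlers entry points at HttpForbiddenHandler."""
    return {add.get("path", "")[1:] for add in web.iterfind("httpHandlers/add")
            if add.get("type", "").split(",")[0].strip() == FORBIDDEN
            and add.get("path", "").startswith("*.")}

def audit_machine_config(xml_text):
    """Return findings for the slide 28 and 29 items; an empty list means clean."""
    root = ET.fromstring(xml_text)
    web = next((c for c in root if c.tag == "system.web"), None)
    if web is None:
        return ["no <system.web> section"]
    findings = []
    # Slide 29: page tracing exposes request and session details to visitors.
    trace = web.find("trace")
    if trace is not None and trace.get("enabled", "false").lower() == "true":
        findings.append('trace enabled="true" (set enabled="false")')
    # Slide 29: debug compiles leak source lines and stack traces in error pages.
    comp = web.find("compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append('compilation debug="true" (set debug="false")')
    # Slide 28 and 29: protected resources must map to HttpForbiddenHandler.
    for ext in sorted(PROTECTED_EXTENSIONS - forbidden_extensions(web)):
        findings.append(f"{ext} is not mapped to HttpForbiddenHandler")
    return findings

def harden_machine_config(xml_text):
    """Apply the slide 28 and 29 fixes and return the config as XML text."""
    root = ET.fromstring(xml_text)
    web = next((c for c in root if c.tag == "system.web"), None)
    for tag, attr in (("trace", "enabled"), ("compilation", "debug")):
        node = web.find(tag)
        if node is None:
            node = ET.SubElement(web, tag)
        node.set(attr, "false")
    handlers = web.find("httpHandlers")
    if handlers is None:
        handlers = ET.SubElement(web, "httpHandlers")
    for ext in sorted(PROTECTED_EXTENSIONS - forbidden_extensions(web)):
        ET.SubElement(handlers, "add", verb="*", path="*" + ext, type=FORBIDDEN)
    return ET.tostring(root, encoding="unicode")
```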