Web Server Hardening

Supraja Shankar
Symbiosis Institute of Computer Studies and Research
Web server
● A web server is the server half of a client–server architecture: browsers and other HTTP clients connect to it.
● Its function is to service requests made over the HTTP protocol (and HTTPS), mapping each request to a file or to a program that generates the response.
Main threats to a web server
• Profiling (fingerprinting the server's version, modules and directory layout in order to pick an attack)
• Denial of service
• Unauthorized access
• Arbitrary code execution
• Elevation of privileges
• Viruses, worms, and Trojan horses

Source: http://msdn.microsoft.com/en-us/library/ff648653.aspx
Apache
An overview

● Apache runs on multitasking operating systems (Unix/Linux, Windows and others).
● The server binary is httpd on Unix; on Windows it was Apache.exe in the 1.3 series and is httpd.exe in 2.x.
● It usually runs in the background, as a daemon on Unix or as a service on Windows.
● Its first public release was in 1995, built from patches to the NCSA httpd; the name is popularly traced to "a patchy server".
● Open source under the Apache License.
Structure
[Figure: Apache server structure diagram]
Source: http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
Core structure
[Figure: Apache core structure diagram]
Source: http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
Securing Apache
● mod_auth
● Authenticates users and authorizes access to content (HTTP Basic authentication backed by a password file).
● AuthUserFile file-path tells Apache the file where usernames and password hashes are saved. Keep that file outside DocumentRoot so it can never be served.
● Passwords are set with the htpasswd command.
● Basic authentication sends the credentials base64-encoded, not encrypted, so only use it over TLS.
● mod_access
● Limits access to content.
● Access can be allowed or denied for a whole range of IP addresses, or narrowed to a single host, a network/netmask or a host name (or to requests carrying an environment variable set by mod_setenvif).
● Deny / Allow / Order directives (Order decides which of Deny and Allow is evaluated last and therefore wins).
● In Apache 2.2 mod_auth was split into mod_auth_basic, mod_authn_file and mod_authz_user, and mod_access became mod_authz_host; in 2.4 Order/Allow/Deny are replaced by Require ip / Require host, combined with Require valid-user through mod_authz_core.
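As an added example (not part of the slides), here is how the two modules above fit together in httpd.conf: Basic authentication from a password file plus a source-network restriction on an admin directory, first in the 2.2 syntax the slide uses and then in the 2.4 syntax. The /opt/apache2 prefix follows the slides; the admin directory, realm name, user names and the 10.0.0.0/8 network are assumptions.

```apache
# Added example, not from the slides. Paths, realm, users and the
# 10.0.0.0/8 network are assumptions for illustration.
#
# Create the password file OUTSIDE DocumentRoot so it is never served:
#   htpasswd -c /opt/apache2/conf/htpasswd.admin alice   # -c creates the file
#   htpasswd    /opt/apache2/conf/htpasswd.admin bob     # later users: no -c
#
# Serve this area over TLS only: Basic auth is base64, not encryption.

# Never let per-directory .htaccess files override the policy below.
<Directory "/opt/apache2/htdocs">
    AllowOverride None
</Directory>

# ---- Apache 2.2: mod_auth_basic/mod_authn_file + mod_authz_host ----
<Directory "/opt/apache2/htdocs/admin">
    AuthType Basic
    AuthName "Admin area"
    AuthUserFile /opt/apache2/conf/htpasswd.admin
    Require valid-user

    # Order Deny,Allow: Deny is evaluated first, Allow last, so the Allow
    # line wins for the internal network and everything else stays denied.
    Order Deny,Allow
    Deny from all
    Allow from 10.0.0.0/8

    # Satisfy All (the default) means BOTH a valid password AND an allowed
    # source network are required. "Satisfy Any" would let the internal
    # network in without a password.
    Satisfy All
</Directory>

# ---- Apache 2.4: same policy with mod_authz_core ----
# <Directory "/opt/apache2/htdocs/admin">
#     AuthType Basic
#     AuthName "Admin area"
#     AuthUserFile /opt/apache2/conf/htpasswd.admin
#     <RequireAll>
#         Require valid-user
#         Require ip 10.0.0.0/8
#     </RequireAll>
# </Directory>
```

Verify the result from outside the allowed network: an unauthenticated request must return 403 (host check) rather than 401, and from inside it must return 401 until credentials are supplied. If both checks pass, the two layers are actually active.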
Hardening

Remove the default Apache files (sample content, sample CGI scripts and the icons used by directory listings; none of it should be reachable on a production server):
sudo rm -rf /opt/apache2/htdocs/*
sudo rm -rf /opt/apache2/cgi-bin/*
sudo rm -rf /opt/apache2/icons
Also remove the /manual alias and any server-status or server-info handlers the distribution enabled.

Hide the Apache version number (a profiling defence: the Server header then shows only "Apache" and error pages carry no footer):
ServerSignature Off
ServerTokens Prod

Chroot: run httpd in a chroot jail (for example with the ChrootDir directive of mod_unixd, or an external chroot wrapper) so that a compromised process sees only the web tree, not the whole filesystem. Keep the jail free of shells, setuid binaries and anything else an attacker could use.
Hardening From Source
When building httpd from source, leave out the modules the site does not need (./configure --disable-<module>). Every module compiled in is attack surface, and most are enabled by default. Candidates:
● userdir – Mapping of requests to user-specific directories, i.e. ~username in the URL is translated to a directory in that user's home (and confirms which account names exist).
● autoindex – Displays a directory listing when no index.html file is present.
● status – Displays server statistics (/server-status), which reveal internal structure to an attacker.
● env – Clearing/setting of environment variables passed to CGI scripts.
● setenvif – Setting environment variables based on request headers.
● cgi – CGI scripts.
● actions – Triggering a CGI action on a request (by media type or handler).
● negotiation – Content negotiation.
● alias – Mapping of requests to different parts of the filesystem.
● include – Server Side Includes.
● filter – Context-sensitive configuration of output filters.
● version – Handling version information in configuration files using IfVersion.
● asis (as-is) – Serving files "as is", with their HTTP headers stored in the file.
Keep alias and negotiation if the configuration relies on them; the list is a starting point, not a mandate.
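The two slides above give a list of modules to leave out of the build and a handful of directives to set afterwards. As an added example (not from the slides), the script below turns the module list into ./configure flags and audits an httpd.conf for the weak settings the Hardening slide tells you to change: ServerTokens/ServerSignature, directory listings, and risky modules loaded dynamically. The sample configs are constructed inline; the module list and directive names follow httpd 2.2/2.4 and the slide, and the /opt/apache2 paths are the slide's.

```shell
#!/bin/sh
# Added example, not from the slides. Module names follow the "Hardening
# From Source" slide (the configure flag for "as-is" is --disable-asis).

RISKY_MODULES="userdir autoindex status env setenvif cgi actions negotiation alias include filter version asis"

# Print the --disable-<module> flags for a source build.
# Usage: ./configure --prefix=/opt/apache2 $(configure_flags)
configure_flags() {
    flags=""
    for m in $RISKY_MODULES; do
        flags="$flags --disable-$m"
    done
    printf '%s\n' "${flags# }"   # drop the leading space
}

# Audit an httpd.conf: print one FINDING line per problem, return 1 if any.
# Comment lines are stripped first so commented-out directives are ignored.
audit_httpd_conf() {
    conf="$1"
    findings=0
    live=$(grep -v '^[[:space:]]*#' "$conf" || true)

    # Banner: ServerTokens must be exactly Prod, ServerSignature must be Off.
    if ! printf '%s\n' "$live" | grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod[[:space:]]*$'; then
        echo "FINDING: ServerTokens is not Prod (version/OS leak in Server header)"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$live" | grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+(On|EMail)'; then
        echo "FINDING: ServerSignature On/EMail (version leak in error pages)"
        findings=$((findings + 1))
    fi
    # Directory listings: an Options line that enables Indexes ("Indexes" or
    # "+Indexes"); "-Indexes" is not matched.
    if printf '%s\n' "$live" | grep -Eiq '^[[:space:]]*Options.*[[:space:]+]Indexes'; then
        echo "FINDING: Options Indexes enabled (directory listing)"
        findings=$((findings + 1))
    fi
    # Risky modules loaded as DSOs even though we would not build them.
    for m in $RISKY_MODULES; do
        if printf '%s\n' "$live" | grep -Eiq "^[[:space:]]*LoadModule[[:space:]]+${m}_module"; then
            echo "FINDING: LoadModule ${m}_module (disable unless required)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Live check against a running server (not run in this demo): shows what
# ServerTokens controls, e.g. "Server: Apache/2.2.17 (Unix) PHP/5.3.5"
# before hardening versus "Server: Apache" after.
check_banner() {
    curl -sI "$1" | grep -i '^Server:'
}

# Demo on two constructed configs (samples, not a real deployment).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
ServerTokens Full
ServerSignature On
LoadModule status_module modules/mod_status.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule userdir_module modules/mod_userdir.so
<Directory "/opt/apache2/htdocs">
    Options Indexes FollowSymLinks
</Directory>
EOF

HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/opt/apache2/htdocs">
    Options -Indexes +FollowSymLinks
</Directory>
EOF

echo "configure flags: $(configure_flags)"
echo "--- weak config ---";     audit_httpd_conf "$WEAK_CONF" || echo "weak config FAILS audit"
echo "--- hardened config ---"; audit_httpd_conf "$HARD_CONF" && echo "hardened config passes audit"
rm -f "$WEAK_CONF" "$HARD_CONF"
```

The weak sample produces five findings (banner twice, two loaded modules, the directory listing); the commented-out userdir line is correctly ignored. Run the audit again after every configuration change, and run check_banner from outside the host to confirm the header the world actually sees.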
IIS
What is IIS?
♦ IIS (Internet Information Server, today Internet Information Services) is a group of Internet servers (including a Web or Hypertext Transfer Protocol server and a File Transfer Protocol server) with additional capabilities for Microsoft's Windows NT and Windows 2000 Server operating systems, and for every Windows Server release since.
♦ IIS is Microsoft's entry in the Internet server market that is also addressed by Apache, Sun Microsystems, O'Reilly, and others.
♦ With IIS, Microsoft includes a set of programs for building and administering Web sites, a search engine, and support for writing Web-based applications that access databases.
♦ Microsoft points out that IIS is tightly integrated with Windows NT and 2000 Server in a number of ways, resulting in faster Web page serving. The same integration means that a compromise of the web service is a compromise of the operating system, which is why the checklists below reach well beyond the web server itself.
TOPOLOGY
[Figure: IIS deployment topology diagram]
Source: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24016818.html
FEATURES
◙ HTTP modules
◙ Security modules
◙ Content modules
◙ Compression modules
◙ Caching modules
◙ Logging and Diagnostics modules
(From IIS 7 onward the server is assembled from these pluggable modules; uninstalling the ones an application does not need is the IIS counterpart of building Apache with --disable-<module>.)
Vulnerabilities
Microsoft has been criticized for IIS's susceptibility to worm attacks such as Code Red (2001, a buffer overflow in the Index Server ISAPI extension idq.dll, reached through the .ida script mapping) and Nimda (2001). This is why the checklists below remove unused script mappings and ISAPI filters.

According to Secunia, as of June 2011, IIS 7 had a total of 6 resolved vulnerabilities while IIS 6 had a total of 11 vulnerabilities, out of which 1 was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.
Securing IIS
Hardening Domains
GENERAL

• Do not connect an IIS server to the Internet until it is fully hardened.
• Place the server in a physically secure location.
• Do not install the IIS server on a domain controller.
• Do not install a printer.
• Use two network interfaces in the server: one for administration and one for the network.
• Install service packs, patches and hot fixes.
• Run IISLockdown on the server.
• Install and configure URLScan. (IISLockdown and URLScan target IIS 5/6; IIS 7 and later build the equivalent controls into Request Filtering and the modular install.)
• Secure remote administration of the server and configure it for encryption, low session time-outs and account lockouts.
• Disable unnecessary Windows services.
• Ensure services are running with least-privileged accounts.

GENERAL (contd..)
• Disable FTP, SMTP and NNTP services if they are not required.
• Disable the Telnet service.
• Disable the ASP.NET state service if it is not used by your applications.
• Disable WebDAV if it is not used by the application, or secure it if it is required.
• Do not install Data Access Components unless specifically needed.
• Do not install the HTML version of the Internet Services Manager.
• Do not install the MS Index Server unless required.
• Do not install the MS FrontPage Server Extensions unless required.
• Harden the TCP/IP stack.
• Disable NetBIOS and SMB (closing ports 137, 138, 139 and 445) on the Internet-facing interface.
• Reconfigure Recycle Bin and page file system data policies.
• Secure CMOS (BIOS) settings.
• Secure physical media (floppy drive, CD-ROM drive and so on).
ACCOUNTS

• Remove unused accounts from the server.
• Disable the Windows Guest account.
• Rename the Administrator account and set a strong password.
• Disable the IUSR_MACHINE account if it is not used by the application.
• Create a custom least-privileged anonymous account if applications require anonymous access.
• Do not give the anonymous account write access to Web content directories or allow it to execute command-line tools.
• If you host multiple Web applications, configure a separate anonymous user account for each one, so that a compromise of one site cannot read or modify another's content.

ACCOUNTS (contd..)
• Configure the ASP.NET process account for least privilege. (This only applies if you are not using the default ASP.NET account, which is a least-privileged account.)
• Enforce strong account and password policies for the server.
• Restrict remote logons. (The "Access this computer from the network" user right is removed from the Everyone group.)
• Do not share accounts among administrators.
• Disable null sessions (anonymous logons).
• Require approval for account delegation.
• Do not allow users and administrators to share accounts.
• Do not create more than two accounts in the Administrators group.
• Require administrators to log on locally or secure the remote administration solution.
FILES AND DIRECTORIES

• Use multiple disks or partition volumes and do not install the Web server home directory on the same volume as the operating system folders (a directory-traversal request such as ..\..\winnt\system32\cmd.exe cannot cross to another volume).
• Contain files and directories on NTFS volumes.
• Put Web site content on a non-system NTFS volume.
• Create a new site and disable the default site.
• Put log files on a non-system NTFS volume, but not on the same volume where the Web site content resides.
• Restrict the Everyone group (no access to \WINNT\system32 or Web directories).
• Ensure the Web site root directory has a deny-write ACE for anonymous Internet accounts.
• Ensure content directories have a deny-write ACE for anonymous Internet accounts.

FILES AND DIRECTORIES (Contd..)
• Remove the remote IIS administration application (\WINNT\System32\Inetsrv\IISAdmin).
• Remove resource kit tools, utilities and SDKs.
• Remove sample applications (\WINNT\Help\IISHelp, \Inetpub\IISSamples).
• Remove the IP address from the Content-Location header.

SHARES

• Remove all unnecessary shares (including default administrative shares).
• Restrict access to required shares (the Everyone group does not have access).
• Remove the administrative shares (C$ and Admin$) if they are not required (Microsoft Systems Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).
PORTS

• Restrict Internet-facing interfaces to port 80 (and 443 if SSL/TLS is used).
• Encrypt intranet traffic (for example, with SSL/TLS), or restrict intranet traffic if you do not have a secure data center infrastructure.

REGISTRY

• Restrict remote registry access.
• Secure the SAM: set HKLM\System\CurrentControlSet\Control\LSA\NoLMHash so that the weak LAN Manager hash is no longer stored alongside the NT hash. This applies only to standalone servers; domain members receive the setting through Group Policy.
AUDITING AND LOGGING

• Audit failed logon attempts.
• Relocate and secure IIS log files.
• Configure log files with an appropriate file size depending on the application's security requirements.
• Regularly archive and analyze log files.
• Audit access to the Metabase.bin file.
• Configure IIS for W3C Extended log file format auditing.
• Read "How to use SQL Server to analyze Web logs" at support.microsoft.com.
SITES AND VIRTUAL DIRECTORIES

• Put Web sites on a non-system partition.
• Disable the "Parent paths" setting (it lets ASP pages use ".." to reach files outside the application).
• Remove potentially dangerous virtual directories including IISSamples, IISAdmin, IISHelp and Scripts.
• Remove or secure the MSADC virtual directory (RDS).
• Do not grant included directories Read Web permission.
• Restrict Write and Execute Web permissions for anonymous accounts in virtual directories.
• Ensure there is Script Source Access only on folders that support content authoring.
• Ensure there is Write access only on folders that support content authoring, and that these folders are configured for authentication (and SSL encryption, if required).
• Remove FrontPage Server Extensions (FPSE) if not used. If FPSE are used, update them and restrict access to them.
• Remove the IIS Internet Printing virtual directory.
SCRIPT MAPPING

• Map extensions not used by the application to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer). Each mapping hands matching requests to an ISAPI DLL: Code Red came in through the .ida mapping, and .printer and .htr carried remote overflows of their own.
• Map unnecessary ASP.NET file type extensions to "HttpForbiddenHandler" in Machine.config.

ISAPI FILTERS

• Remove unnecessary or unused ISAPI filters from the server.

IIS METABASE

• Restrict access to the metabase by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin).
• Restrict IIS banner information (disable the IP address in the Content-Location header).
SERVER CERTIFICATES

• Ensure certificate date ranges are valid.
• Only use certificates for their intended purpose (for example, the server certificate is not used for e-mail).
• Ensure the certificate chain validates all the way up to a trusted root authority.
• Confirm that the certificate has not been revoked.

Machine.config

• Map protected resources to HttpForbiddenHandler.
• Remove unused HttpModules.
• Disable tracing (the attribute is "enabled"; ASP.NET rejects an unrecognized attribute such as "enable" as a configuration error rather than silently ignoring it):

<trace enabled="false"/>
• Turn off debug compiles (debug builds are slower, keep symbols, and can expose source lines in error pages):

<compilation debug="false" explicit="true"
defaultLanguage="vb"/>
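As an added example (not from the slides or from Microsoft's shipped configuration), the fragment below puts the three Machine.config items above and the ASP.NET part of the script-mapping advice into one <system.web> section. The extra forbidden extensions, the removed modules and the error page name are assumptions for an application that never serves those file types directly, keeps no session state and does not use Passport; check each against your application before copying.

```xml
<configuration>
  <system.web>
    <!-- Script mapping for ASP.NET: requests for these extensions get an
         HTTP 403 from HttpForbiddenHandler instead of the file contents.
         The shipped Machine.config already protects .cs, .vb, .config,
         .asax, .ascx, .resx and similar; these are assumed application-
         specific additions. -->
    <httpHandlers>
      <add verb="*" path="*.inc" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.bak" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.sql" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>

    <!-- Remove unused HttpModules: every module in the pipeline runs on
         every request. Assumed here: no session state, no Passport. -->
    <httpModules>
      <remove name="Session" />
      <remove name="PassportAuthentication" />
    </httpModules>

    <!-- Disable tracing: trace.axd would otherwise list every request
         with its headers, cookies and session data. -->
    <trace enabled="false" localOnly="true" pageOutput="false" />

    <!-- Turn off debug compiles. -->
    <compilation debug="false" explicit="true" defaultLanguage="vb" />

    <!-- Detailed errors for local administrators only; remote clients get
         a generic page, so stack traces never reach an attacker.
         error.htm is an assumed file name. -->
    <customErrors mode="RemoteOnly" defaultRedirect="error.htm" />
  </system.web>
</configuration>
```

One caveat that catches people on IIS 5/6: HttpForbiddenHandler only runs for extensions IIS hands to aspnet_isapi.dll. An extension such as .inc that IIS serves itself as a static file never reaches ASP.NET, so it must also be mapped in IIS, either to 404.dll as the script-mapping slide says or to aspnet_isapi.dll so the entry above applies. Test each extension with a browser after the change.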
References
localhost/manual (the Apache manual served by the local installation)
http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
http://www.cooperation-iws.org/wiki/index.php/Web_server_architecture
http://security.stackexchange.com/questions/77/apache-server-hardening
http://www.linuxquestions.org/questions/linux-software-2/how-apache-works-with-php-mysql-whatever-85685/
http://docstore.mik.ua/orelly/linux/apache/ch01_01.htm
http://www.devshed.com/c/a/Apache/Apache-and-the-Internet/1/
http://www.symantec.com/connect/articles/securing-apache-step-step
http://www.devdaily.com/unix/edu/UnixSysAdmin/node169.shtml
http://www.opensourcevarsity.com/phpbasics/l4bindingphptoapache
http://searchsecurity.techtarget.com/feature/Windows-IIS-server-hardening-checklist
http://en.wikipedia.org/wiki/Internet_Information_Services
http://searchwindowsserver.techtarget.com/definition/IIS
http://www.microsoft.com/web/platform/server.aspx
http://www.faqs.org/docs/apache-compile/php.html
http://dan.drydog.com/apache2php.html
"Security is not a product, but a process."
                                         - Bruce Schneier

THANK YOU
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Recently uploaded (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

Web Server Hardening

  • 1. Web Server Hardening. Supraja Shankar, Symbiosis Institute Of Computer Studies And Research
  • 2. Web server
      ● It is a client-server architecture.
      ● The function of a web server is to service requests made through the HTTP protocol.
  • 3. Main threats to a web server
      • Profiling
      • Denial of service
      • Unauthorized access
      • Arbitrary code execution
      • Elevation of privileges
      • Viruses, worms, and Trojan horses
      Source: http://msdn.microsoft.com/en-us/library/ff648653.aspx
  • 5. An overview
      ● Apache runs under a multitasking operating system.
      ● httpd on Unix, apache.exe on Windows.
      ● Usually runs in the background.
      ● Originally named from "A PAtCHy" server, in 1991.
      ● Open source under the Apache License.
  • 9. Securing Apache
      ● mod_auth
        ● For authorizing content.
        ● AuthUserFile file-path names the file where usernames and passwords are saved.
        ● Passwords are set with the htpasswd command.
      ● mod_access
        ● Limits access.
        ● Can apply to a whole set of IPs or be narrowed down to ports.
        ● Deny / Allow / Order directives.
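The Deny / Allow / Order rules from the Securing Apache slide, modelled as an added example (not the deck's own code) so the effect of each Order value can be checked before a block is deployed. It assumes Apache 2.2 mod_access semantics and IPv4 operands only (full addresses, CIDR ranges, partial dotted prefixes and the keyword all); the three sample blocks are constructed.

```python
"""Model Apache 2.2 mod_access rules: Order, Allow from, Deny from.

Added example, not from the slides. Handles IPv4 operands only: full
addresses, CIDR ranges, partial dotted prefixes such as "192.168.1" and
the keyword "all". Hostname operands are out of scope."""
import ipaddress
import re

def _to_network(spec):
    """Turn an Allow/Deny operand into an ip_network ("all" -> 0.0.0.0/0)."""
    if spec == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if re.fullmatch(r"(\d{1,3}\.){0,3}\d{1,3}", spec):   # full or partial dotted
        octets = spec.split(".")
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_network(spec, strict=False)

def parse_access_block(lines):
    """Collect Order, Allow from and Deny from directives from one block."""
    order, allows, denies = "Deny,Allow", [], []   # Apache's default Order
    for raw in lines:
        words = raw.split()
        key = " ".join(words[:2]).lower() if words else ""
        if words and words[0].lower() == "order":
            order = "".join(words[1:])            # tolerate "Deny, Allow"
        elif key == "allow from":
            allows += [_to_network(s) for s in words[2:]]
        elif key == "deny from":
            denies += [_to_network(s) for s in words[2:]]
    return order, allows, denies

def is_permitted(block_lines, client_ip):
    """True if mod_access would let client_ip reach the block's resource."""
    order, allows, denies = parse_access_block(block_lines)
    ip = ipaddress.ip_address(client_ip)
    matched_allow = any(ip in net for net in allows)
    matched_deny = any(ip in net for net in denies)
    if order.lower() == "allow,deny":
        # Allow is evaluated first and must match; any Deny match then wins;
        # a client matching neither list is denied by default.
        return matched_allow and not matched_deny
    if order.lower() == "deny,allow":
        # Deny is evaluated first; an Allow match overrides it;
        # a client matching neither list is PERMITTED by default.
        return matched_allow or not matched_deny
    raise ValueError(f"unsupported Order value: {order}")

# Constructed blocks; the intent in all three is "only the 10/8 LAN gets in".
LEAKY = ["Order Deny,Allow", "Allow from 10.0.0.0/8"]              # no Deny line
INTENDED = ["Order Deny,Allow", "Deny from all", "Allow from 10.0.0.0/8"]
STRICT = ["Order Allow,Deny", "Allow from 10.0.0.0/8"]             # default-deny

if __name__ == "__main__":
    for name, block in (("LEAKY", LEAKY), ("INTENDED", INTENDED), ("STRICT", STRICT)):
        print(f"{name:9} LAN={is_permitted(block, '10.20.30.40')} "
              f"Internet={is_permitted(block, '203.0.113.7')}")
```

The LEAKY block shows the caveat: with Order Deny,Allow and no Deny line, an Internet client matches neither list and is admitted.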
  • 10. Hardening
      Remove the default Apache files:
        sudo rm -fr /opt/apache2/htdocs/*
        sudo rm -fr /opt/apache2/cgi-bin/*
        sudo rm -fr /opt/apache2/icons
      Hide the Apache version number:
        ServerSignature Off
        ServerTokens Prod
      Chroot
  • 11. Hardening From Source
      ● userdir – Mapping of requests to user-specific directories, i.e. a username in the URL is translated to a directory on the server.
      ● autoindex – Displays a directory listing when no index.html file is present.
      ● status – Displays server stats.
      ● env – Clearing/setting of ENV vars.
      ● setenvif – Placing ENV vars on headers.
      ● cgi – CGI scripts.
      ● actions – Action triggering on requests.
      ● negotiation – Content negotiation.
      ● alias – Mapping of requests to different filesystem parts.
      ● include – Server Side Includes.
      ● filter – Smart filtering of requests.
      ● version – Handling version information in config files using IfVersion.
      ● as-is – as-is filetypes.
  • 12. IIS
  • 13. What is IIS?
      ♦ IIS (Internet Information Server) is a group of Internet servers (including a Web or Hypertext Transfer Protocol server and a File Transfer Protocol server) with additional capabilities for Microsoft's Windows NT and Windows 2000 Server operating systems.
      ♦ IIS is Microsoft's entry to compete in the Internet server market that is also addressed by Apache, Sun Microsystems, O'Reilly, and others.
      ♦ With IIS, Microsoft includes a set of programs for building and administering Web sites, a search engine, and support for writing Web-based applications that access databases.
      ♦ Microsoft points out that IIS is tightly integrated with the Windows NT and 2000 Servers in a number of ways, resulting in faster Web page serving.
  • 15. FEATURES
      ◙ HTTP modules
      ◙ Security modules
      ◙ Content modules
      ◙ Compression modules
      ◙ Caching modules
      ◙ Logging and Diagnostics modules
  • 16. Vulnerabilities
      Microsoft has been criticized for IIS's susceptibility to computer virus attacks such as Code Red and Nimda.
      According to Secunia, as of June 2011, IIS 7 had a total of 6 resolved vulnerabilities while IIS 6 had a total of 11 vulnerabilities, of which 1 was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.
  • 19. GENERAL
      • Do not connect an IIS Server to the Internet until it is fully hardened.
      • Place the server in a physically secure location.
      • Do not install the IIS server on a domain controller.
      • Do not install a printer.
      • Use two network interfaces in the server: one for admin and one for the network.
      • Install service packs, patches and hot fixes.
      • Run IISLockdown on the server.
      • Install and configure URLScan.
      • Secure remote administration of the server and configure it for encryption, low session time-outs and account lockouts.
      • Disable unnecessary Windows services.
      • Ensure services are running with least-privileged accounts.
  • 20. GENERAL (contd.)
      • Disable FTP, SMTP and NNTP services if they are not required.
      • Disable the Telnet service.
      • Disable the ASP.NET state service if not used by your applications.
      • Disable WebDAV if not used by the application, or secure it if it is required.
      • Do not install Data Access Components unless specifically needed.
      • Do not install the HTML version of the Internet Services Manager.
      • Do not install the MS Index Server unless required.
      • Do not install the MS FrontPage Server extensions unless required.
      • Harden the TCP/IP stack.
      • Disable NetBIOS and SMB (closing ports 137, 138, 139 and 445).
      • Reconfigure Recycle Bin and Page file system data policies.
      • Secure CMOS settings.
      • Secure physical media (floppy drive, CD-ROM drive and so on).
  • 21. ACCOUNTS
      • Remove unused accounts from the server.
      • Disable the Windows Guest account.
      • Rename the Administrator account and set a strong password.
      • Disable the IUSR_MACHINE account if it is not used by the application.
      • Create a custom least-privileged anonymous account if applications require anonymous access.
      • Do not give the anonymous account write access to Web content directories or allow it to execute command-line tools.
      • If you host multiple Web applications, configure a separate anonymous user account for each one.
  • 22. ACCOUNTS (contd.)
      • Configure the ASP.NET process account for least privilege. (This only applies if you are not using the default ASP.NET account, which is a least-privileged account.)
      • Enforce strong account and password policies for the server.
      • Restrict remote logons. (The "Access this computer from the network" user right is removed from the Everyone group.)
      • Do not share accounts among administrators.
      • Disable Null sessions (anonymous logons).
      • Require approval for account delegation.
      • Do not allow users and administrators to share accounts.
      • Do not create more than two accounts in the Administrators group.
      • Require administrators to log on locally or secure the remote administration solution.
  • 23. FILES AND DIRECTORIES
      • Use multiple disks or partition volumes and do not install the Web server home directory on the same volume as the operating system folders.
      • Contain files and directories on NTFS volumes.
      • Put Web site content on a non-system NTFS volume.
      • Create a new site and disable the default site.
      • Put log files on a non-system NTFS volume, but not on the same volume where the Web site content resides.
      • Restrict the Everyone group (no access to \WINNT\system32 or Web directories).
      • Ensure the Web site root directory has a deny-write ACE for anonymous Internet accounts.
      • Ensure content directories have a deny-write ACE for anonymous Internet accounts.
  • 24. FILES AND DIRECTORIES (contd.)
      • Remove the remote IIS administration application (\WINNT\System32\Inetsrv\IISAdmin).
      • Remove resource kit tools, utilities and SDKs.
      • Remove sample applications (\WINNT\Help\IISHelp, \Inetpub\IISSamples).
      • Remove the IP address in the header for Content-Location.
      SHARES
      • Remove all unnecessary shares (including default administration shares).
      • Restrict access to required shares (the Everyone group does not have access).
      • Remove Administrative shares (C$ and Admin$) if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).
  • 25. PORTS
      • Restrict Internet-facing interfaces to port 80 (and 443 if SSL is used).
      • Encrypt Intranet traffic (for example, with SSL), or restrict Internet traffic if you do not have a secure data center infrastructure.
      REGISTRY
      • Restrict remote registry access.
      • Secure the SAM (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash). This applies only to standalone servers.
  • 26. AUDITING AND LOGGING
      • Audit failed logon attempts.
      • Relocate and secure IIS log files.
      • Configure log files with an appropriate file size depending on the application security requirement.
      • Regularly archive and analyze log files.
      • Audit access to the Metabase.bin file.
      • Configure IIS for W3C Extended log file format auditing.
      • Read "How to use SQL Server to analyze Web logs" at support.microsoft.com.
  • 27. SITES AND VIRTUAL DIRECTORIES
      • Put Web sites on a non-system partition.
      • Disable the "Parent paths" setting.
      • Remove potentially dangerous virtual directories including IISSamples, IISAdmin, IISHelp and Scripts.
      • Remove or secure the MSADC virtual directory (RDS).
      • Do not grant included directories Read Web permission.
      • Restrict Write and Execute Web permissions for anonymous accounts in virtual directories.
      • Ensure there is script source access only on folders that support content authoring.
      • Ensure there is write access only on folders that support content authoring, and that these folders are configured for authentication (and SSL encryption, if required).
      • Remove FrontPage Server Extensions (FPSE) if not used. If FPSE are used, update and restrict access to them.
      • Remove the IIS Internet Printing virtual directory.
  • 28. SCRIPT MAPPING
      • Map extensions not used by the application to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer).
      • Map unnecessary ASP.NET file type extensions to "HttpForbiddenHandler" in Machine.config.
      ISAPI FILTERS
      • Remove unnecessary or unused ISAPI filters from the server.
      IIS METABASE
      • Restrict access to the metabase by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin).
      • Restrict IIS banner information (disable the IP address in Content-Location).
  • 29. SERVER CERTIFICATES
      • Ensure certificate date ranges are valid.
      • Only use certificates for their intended purpose (for example, the server certificate is not used for e-mail).
      • Ensure the certificate's public key is valid, all the way to a trusted root authority.
      • Confirm that the certificate has not been revoked.
      Machine.config
      • Map protected resources to HttpForbiddenHandler.
      • Remove unused HttpModules.
      • Disable tracing: <trace enabled="false"/>
      • Turn off debug compiles: <compilation debug="false" explicit="true" defaultLanguage="vb">
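An added check (not from the deck or from Microsoft) for the Machine.config items on the slide above and the HttpForbiddenHandler mapping on the script-mapping slide: it parses the system.web section and reports tracing left on, debug compiles left on, and server-only extensions not routed to System.Web.HttpForbiddenHandler. The protected-extension list and both config fragments are constructed for the example.

```python
"""Audit ASP.NET <system.web> settings the IIS checklist calls out.

Added example (not from the slides or Microsoft): checks that tracing is
off, debug compiles are off, and that server-only extensions are mapped to
System.Web.HttpForbiddenHandler. The protected-extension list and both
config fragments are constructed for this example."""
import xml.etree.ElementTree as ET

# Sample of ASP.NET server-only file types; the slides name none explicitly.
PROTECTED_EXTENSIONS = ("*.asax", "*.ascx", "*.config", "*.cs")
FORBIDDEN_HANDLER = "System.Web.HttpForbiddenHandler"

def audit_aspnet_config(xml_text, protected=PROTECTED_EXTENSIONS):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    web = next((c for c in root if c.tag == "system.web"), None)
    if web is None:
        return ["no <system.web> section found"]
    findings = []
    trace = web.find("trace")
    if trace is not None and trace.get("enabled", "false").lower() == "true":
        findings.append('tracing enabled: set <trace enabled="false"/>')
    comp = web.find("compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append('debug compiles on: set <compilation debug="false">')
    # Collect every path that is already routed to the forbidden handler.
    forbidden = {h.get("path") for h in web.iterfind("httpHandlers/add")
                 if h.get("type", "").startswith(FORBIDDEN_HANDLER)}
    findings += [f"{ext} not mapped to {FORBIDDEN_HANDLER}"
                 for ext in protected if ext not in forbidden]
    return findings

WEAK_CONFIG = """<configuration><system.web>
  <trace enabled="true" localOnly="false"/>
  <compilation debug="true" explicit="true" defaultLanguage="vb"/>
  <httpHandlers>
    <add verb="*" path="*.asax" type="System.Web.HttpForbiddenHandler"/>
  </httpHandlers>
</system.web></configuration>"""

HARDENED_CONFIG = """<configuration><system.web>
  <trace enabled="false"/>
  <compilation debug="false" explicit="true" defaultLanguage="vb"/>
  <httpHandlers>
    <add verb="*" path="*.asax" type="System.Web.HttpForbiddenHandler"/>
    <add verb="*" path="*.ascx" type="System.Web.HttpForbiddenHandler"/>
    <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler"/>
    <add verb="*" path="*.cs" type="System.Web.HttpForbiddenHandler"/>
  </httpHandlers>
</system.web></configuration>"""

if __name__ == "__main__":
    print("weak:", audit_aspnet_config(WEAK_CONFIG))          # 5 findings
    print("hardened:", audit_aspnet_config(HARDENED_CONFIG))  # []
```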
  • 30. References
      localhost/manual
      http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
      http://www.cooperation-iws.org/wiki/index.php/Web_server_architecture
      http://security.stackexchange.com/questions/77/apache-server-hardening
      http://www.linuxquestions.org/questions/linux-software-2/how-apache-works-with-php-mysql-whatever-85685/
      http://docstore.mik.ua/orelly/linux/apache/ch01_01.htm
      http://www.devshed.com/c/a/Apache/Apache-and-the-Internet/1/
      http://www.symantec.com/connect/articles/securing-apache-step-step
      http://www.devdaily.com/unix/edu/UnixSysAdmin/node169.shtml
      http://www.opensourcevarsity.com/phpbasics/l4bindingphptoapache
      http://searchsecurity.techtarget.com/feature/Windows-IIS-server-hardening-checklist
      http://en.wikipedia.org/wiki/Internet_Information_Services
      http://searchwindowsserver.techtarget.com/definition/IIS
      http://www.microsoft.com/web/platform/server.aspx
      http://www.faqs.org/docs/apache-compile/php.html
      http://dan.drydog.com/apache2php.html
  • 31. “Security is not a product, but a process.” - Bruce Schneier. THANK YOU