A web server is a program that serves web pages to web browsers using the Hypertext Transfer Protocol (HTTP). Some web server packages include middle-tier software that acts as an application server. This lets users perform higher-level tasks, such as querying a database and delivering the output through the web server to the client browser as an HTML file.
Securing a web server is an important task: it protects both the server itself and the applications it hosts against a range of threats.
When securing a web server, administrators should take care of the following:
- Based on your security needs, check that the chosen web server provides the specific security-related features you require, such as the supported authentication types, the levels of access control, support for remote administration, and logging features.
- Install only the required features of the application server and remove any default features that are not being used.
- Install the latest version of the web server software along with the latest patches.
- Install the web server software in a chroot jail.
- Remove all sample files, scripts, manuals and executable code from the web server's application root directory.
- Remove all files that are not part of the web site.
- Reconfigure the HTTP service banner so that the web server and operating system type and version are not reported.
- Create a new, custom, least-privileged user and group for the web server process, distinct from all other users and groups.
- Although the server may have to start as root or administrator in order to bind to port 80, it should not continue to run with those privileges.
- The web server's configuration files should be readable by the web server process but not writable by it.
- Configure the server so that web content files can be read but not written by the web service processes.
- Consider the security implications before selecting programs, scripts, and plug-ins for the web server.
- Various server-side active content technologies are available, such as Java Servlets, ASP and ColdFusion. Each has its own strengths and weaknesses and an associated risk, so the technology to be deployed on the web server must be chosen after due consideration.
- Free third-party modules should not be used without proper checking and verification of their functionality and security.
- Configure the web server to use authentication and encryption technologies (SSL/TLS) where required, along with a mechanism to check the latest certificate revocation list (CRL).
It is also a good idea to perform regular security assessments to identify any vulnerabilities in your web server and to take steps to mitigate them.
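As an added example (not code from the original article), the following script turns several of the checklist items above into an automated check: it parses an Apache httpd-style configuration (the directive names `User`, `Group`, `ServerTokens` and `ServerSignature` are assumed) for a root-owned process and a verbose banner, and it walks a content directory for files the web server process could write to. The two configurations and the document root are constructed inline so the script runs offline.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample configs in Apache httpd directive syntax (an assumption of this example).
WEAK_CONF = "User root\nGroup root\nServerTokens Full\nServerSignature On\n"
HARDENED_CONF = "User www-svc\nGroup www-svc\nServerTokens Prod\nServerSignature Off\n"

DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(\S.*?)\s*$")  # 'Name value'; '#' comment lines never match

def parse_directives(text):
    """Map lower-cased directive name -> value for top-level 'Name value' lines."""
    found = {}
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def audit_config(text):
    """Return 'Directive: problem' strings; an empty list means the checked items pass."""
    d = parse_directives(text)
    findings = []
    for name in ("User", "Group"):          # dedicated least-privileged account, never root
        value = d.get(name.lower(), "").lower()
        if value in ("", "root", "administrator"):
            findings.append(f"{name}: run the server as a dedicated least-privileged account")
    if d.get("servertokens", "Full").lower() != "prod":   # Apache's default is Full
        findings.append("ServerTokens: set to Prod so version details are not reported")
    if d.get("serversignature", "Off").lower() != "off":  # Apache's default is Off
        findings.append("ServerSignature: set to Off to keep the version out of error pages")
    return findings

def world_writable(root):
    """Files under root that any local account, the web process included, could modify."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and p.stat().st_mode & stat.S_IWOTH)

def demo_world_writable():
    """Constructed docroot with one mis-permissioned file; returns the offending names."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("index.html", 0o644), ("notes.txt", 0o666)):
            Path(root, name).write_text("sample")
            os.chmod(Path(root, name), mode)
        return [Path(p).name for p in world_writable(root)]
```

Running `audit_config(WEAK_CONF)` reports all four items, while the hardened configuration produces no findings; `demo_world_writable()` flags only the file whose mode lets any user write to it.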