Web Server Administration
Download
Report
Transcript Web Server Administration
Web Server Administration
TEC 236
Securing the Web Environment
Overview
Identify threats and vulnerabilities
Secure data transmission
Secure the operating system
Secure server applications
Overview
Authenticate Web users
Use a firewall
Use a proxy server
Use intrusion detection software
Identifying Threats and
Vulnerabilities
Focus is on threats from the Internet
Hackers sometimes want the challenge of
penetrating a system and vandalizing it –
other times they are after data
Data can be credit card numbers, user names and
passwords, other personal data
Information can be gathered while it is being
transmitted
Often, operating system flaws can assist the
hacker
Vulnerabilities in Operating
Systems
Operating systems are large and complex
which means that there are more
opportunities for attack
Although Windows has had its share of
problems, often inattentive administrators
often fail to implement patches when
available
Some attacks, such as buffer overruns, can
allow the attacker to take over the computer
Securing the Operating
System
Use the server for only necessary tasks
Minimize user accounts
Disable services that are not needed
Make sure that you have a secure password
In addition to using upper case, lower case
numbers and symbols, hold down the ALT key on
a number (on the numeric keypad) from 1 to 255
Check a table of ALT values to avoid common
characters
The use of the ALT key will thwart most hackers
Securing Windows
There are many services that are not needed in
Windows for most Internet-based server applications
Alerter
Computer browser
DHCP client
DNS client
Messenger
Server
Workstation
Also, the registry can be used to alter the
configuration to make it more secure such as
disabling short file names
Vulnerabilities of E-mail
Servers
By design, e-mail servers are open
E-mail servers can be harmed by a series of
very large e-mail messages
Sending an overwhelming number of
messages at the same time can prevent valid
users from accessing the server
Viruses can be sent to e-mail users
Retrieving e-mail over the Internet often
involves sending your user name and
password as clear text
Securing E-mail
Exchange 2000 can also use SSL for the
protocols it uses
To prevent someone from sending large
e-mail messages until the disk is full,
set a size limit for each mailbox
Securing Data Transmission
To secure data on a network that is
accessible to others, you need to
encrypt the data
SSL is the most common method of
encrypting data between a browser and
Web server
Secure Shell (SSH) is a secure
replacement for Telnet
Secure Sockets Layer (SSL)
A digital certificate issued by a certification
authority (CA) identifies an organization
The public key infrastructure (PKI) defines
the system of CAs and certificates
Public key cryptography depends on two keys
A public key is shared with everyone
The public key can be used to encrypt data
Only the owner of the public key has the
corresponding private key which is needed to
decrypt the data
Establishing an SSL
Connection
Vulnerabilities in Web servers
Static HTML pages pose virtually no
problem
Programming environments and
databases add complexity that a hacker
can exploit
Programmers often do not have time to
focus on security
Securing the Web Server
Enable the minimum features
If you don't need a programming
language, do not enable it
Make sure programmers understand
security issues
Implement SSL where appropriate
Securing the Web ServerIIS
The URLScan utility blocks potentially harmful page
requests
The IIS Lockdown utility has templates to ensure that
you only enable what you need
Change NTFS permissions in \inetpub\wwwroot from
Everyone Full Control to Everyone Execute
In IIS 5, delete \samples \IISHelp and \MSADC
folders
Delete extensions you do not use, such as .htr, .idc,
.stm, and others
Authenticating Web Users
Both Apache and IIS use HTTP to
enable authentication
HTTP tries to access a protected directory
and fails
Then it requests authentication from the
user in a dialog box
Accesses directory with user information
Used in conjunction with SSL
Configuring User
Authentication in IIS
Four types of authenticated access
Windows integrated authentication
Digest authentication for Windows domain servers
Works with proxy servers
Requires Active Directory and IE
Basic authentication
Most secure – requires IE
User name and password in clear text
Works with IE, Netscape, and others
Passport authentication
Centralized form of authentication
Only available on Windows Server 2003
Using a Firewall
A firewall implements a security policy
between networks
Our focus is between the Internet and an
organization's network
You need to limit access, especially
from the Internet to your internal
computers
Restrict access to Web servers, e-mail
servers, and other related servers
Types of Filtering
Packet filtering
Circuit-level filtering (stateful or dynamic filtering)
Looks at each individual packet
Based on rules, it determines whether to let it pass through
the firewall
Controls complete communication session, not just individual
packets
Allows traffic initialized from within the organization to
return, yet restricts traffic initialized from outside
Application-level
Instead of transferring packets, it sets up a separate
connection to totally isolate applications such as Web and email
A Packet-filtering Firewall
Consists of a list of acceptance and denial
rules
A firewall independently filters what comes in
and what goes out
It is best to start with a default policy that
denies all traffic, in and out
We can reject or drop a failed packet
Drop – (best) thrown away without response
Reject – ICMP message sent in response
Using a Proxy Server
A proxy server delivers content on behalf of a user or
server application
Proxy servers need to understand the protocol of the
application that they proxy such as HTTP or FTP
Forward proxy servers isolate users from the Internet
Users contact proxy server which gets Web page
Reverse proxy servers isolate Web server
environment from the Internet
When a Web page is requested from the Internet, the proxy
server retrieves the page from the internal server
Using Intrusion Detection
Software
Intrusion detection is designed to show
you that your defenses have been
penetrated
With Microsoft ISA Server, it only
detects specific types of intrusion
In Linux, Tripwire tracks changes to files
Tripwire
Tripwire allows you to set policies that allow
you to monitor any changes to the files on
the system
Tripwire can detect file additions, file
deletions, and changes to existing files
By understanding the changes to the files,
you can determine which ones are
unauthorized and then try to find out the
cause of the change
Tripwire
After installing Tripwire, you configure the
policy file to determine which files to monitor
A default list of files is included but it will take
time to refine the list
A report can be produced to find out which
files have been added, changed, and deleted
Usually, it runs automatically at night
Intrusion Detection in ISA
Server
The following intrusions are tracked
Windows out-of-band (WinNuke)–A specific type of Denial-of-
Service attack
Land–A spoofed packet is sent with the SYN flag set so that the source
address is the same as the destination address, which is the address of
the server. The server can then try to connect to itself and crash.
Ping of death –The server receives ICMP packets that include large
files attachments, which can cause a server to crash.
IP half scan –If a remote computer attempts to connect to a port by
sending a packet with the SYN flag set and the port is not available,
the RST flag is set on the return packet. When the remote computer
does not respond to the RST flag, this is called an IP half scan. In
normal situations, the TCP connection is closed with a packet
containing a FIN flag.
UDP bomb –A UDP packet with an illegal configuration.
Port scan –You determine the threshold for the number of ports that
are scanned (checked) before an alert is issued.
Summary
Every computer connected to the Internet
represents a potential target for attack
Hackers can gather data and modify systems
SSL can secure data transmission
Keep each server to a single purpose such as
Web server or e-mail
Keep applications and services to a minimum
Summary
User authentication controls access to one or
more Web server directories
Firewalls control access policies between
networks
A proxy server delivers content on behalf of a
user or server application
Intrusion detection software identifies
intrusions but typically does not prevent them