Web Server Security Guidelines
This document contains the following sections:
- Applies to
- Purpose of the Guideline
- Definition / Clarification
- Guideline Statement
- User Responsibilities and Procedures
- Revision History
Web servers are often the target of numerous exploit attempts. When improperly secured they introduce a significant risk to the networked computing environment at Carnegie Mellon. Furthermore, Web servers at Carnegie Mellon are often administered by individuals who have minimal experience with Web server administration. This group has indicated the need for some basic steps to follow to secure a Web server.
These guidelines apply to all individuals responsible for Web server administration at Carnegie Mellon.
Purpose of the GuidelineThe purpose of this guideline is to ensure that basic security safeguards are utilized. Failure to adhere to simple best practices when administering a Web server can result in security incidents.
Definition/ClarificationLeast Privilege: The principle of least privilege requires that a user be given no more privilege than necessary to perform a job.
SSL/TLS: Secure Sockets Layer and Transport Layer Security are protocols that provide server and client authentication and encryption of communications.
Guideline StatementComputing Services requests that Web administrators adhere to steps outlined in this guideline in an effort to reduce the success of various exploit attempts and to protect against the simplest vulnerabilities inherent to Web servers.
The majority of the content within this guideline was derived from NIST SP 800-95 Guide to Secure Web Services.
User Responsibilities and Procedures
- Patch and/or upgrade operating system on routine basis. May also need to be done as needed if critical exploit exist provided patch and/or workaround is available.
- Administrators need to monitor appropriate mailing lists and/or web sites for security-related announcements. Often, this means subscribing to the appropriate “announce” mailing list for any network-accessible software that has been installed.
- Configure the operating system to meet system best practices. This includes but is not limited to the following:
- Enable necessary services and applications; Disable all others.
- Create user accounts following the principle of least-privilege
- Set all account passwords appropriately to meet Carnegie Mellon password guidelines
- Remove or disable unneeded default accounts
- Change any default passwords as installed by application software to meet Carnegie Mellon password guidelines
- Configure Web server to meet recommended vendor best practices.
- Install the Web server software on a dedicated host
- Enable necessary web services; Disable all others.
- Apply any patches or upgrades for known vulnerabilities
- Web servers should be configured to prohibit access to files that may not be intended for public consumption. In particular, do not make arbitrary directories in AFS publicly available. For additional considerations refer to relevant privacy regulations such as FERPA.
- Create log files for future investigations and/or recovery purposes.
- Establish different log file names for various virtual Web sites that are part of the same single physical Web server
- Ensure mechanisms are in place to prevent log files from filling up the hard drive
- Ensure the log files capture failed login attempts, account privilege changes and/or other potentially suspect activities
- Separate Web server content and related subdirectories from operating system and application directories.
- Perform regular backups of Web content and occasional backups of operating system and application configurations.
- Employ Web authentication and encryption technologies such as SSL/TLS based upon the nature of Web server data (e.g. sensitive, private, confidential…).
- Establish internal change control methodology that includes but is not limited to the following:
- Notification of change (includes description, contact person, date, and time of change etc.) to all people potentially impacted by the change, an outage, and/or other items related to the change (ex: Computing Services Help Center so they may address any calls that may come in as a result of the change)
- Test change(s) on a test system if available before making the change in the production environment
- Backup relevant information and information being affected by the change prior to implementing the change
- Document all changes being made to the system, application, or web content and establish revision control mechanisms