Installing and Configuring a Secure Web Server COEN 351 David Papay.

Objectives
- Background
- Planning for security
- Physical and network security
- OS/web server installation and hardening
- Application server installation and hardening
- Maintenance and operations

Requirements
- Need to bring a new external web server online to host our Internet web site
- Windows 2000, IIS 5.0, ColdFusion (application server)
- No sensitive information, no "store front" or other web apps to protect
- Want protection from: defacement; use as a jumping-off point to the rest of our network
- Serve as an example for future secure web server installations

Planning
- Security concerns should be identified and planned for from the very beginning. It is much harder and more error-prone to "add security later."
- Reference: Develop a computer deployment plan that includes security issues.

Planning
Examples of things to consider:
- Purpose(s) of the server
- Security requirements
- Internet service(s) needed (e.g., http, ftp)
- Categories of users, their privileges, and how they will be authenticated
- Patching, backup, and virus detection procedures

Physical Security and Network Environment
- Server is in a physically secure location
- Consequences of this decision
- Firewall and DMZ configuration
- Consider an application layer firewall
- Network-based IDS
- Reference: Guidelines on Securing Public Web Servers, chapter /sp pdf

Windows and IIS Installation
- Install only necessary Windows and IIS components.
- Install all patches and updates. Run HotFix Checker, MBSA.
- Document and baseline current configuration.
- Note that W2k3 has alleviated the need for some of this.
- References: Microsoft documentation, TechNet, Knowledge Base articles.

Windows and IIS Hardening
- This definitely consumed the most time (in terms of research, implementation, and testing).
- Just because Windows and IIS have been minimally installed, updated, and patched, it does not mean your server and site are secure!

Windows and IIS Hardening
Examples of Windows hardening:
- Remove/disable unneeded default accounts and groups.
- Rename necessary predefined accounts.
- Least privilege for accounts and groups.
- Change default security settings on the file system.
- Windows Security Policies (e.g., strong passwords, account lockout, logging, auditing, user rights, unneeded services)

Windows and IIS Hardening
Examples of IIS hardening:
- Separate partitions for OS, web content, and log files.
- Enable detailed logging.
- Run IIS Lockdown Wizard, URLScan.
- Remove examples, documentation, and unneeded physical/virtual directories.
- Remove server-identifying characteristics (e.g., http response headers, default error pages).

Windows and IIS Hardening
- Test to make sure you haven't broken anything (e.g., anonymous web access, ability to update web content, indexing/searching web content).
- Document and baseline current configuration.
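The post-hardening test above (anonymous access still works, server-identifying headers and default error pages are gone) can be scripted. The following is an added example, not part of the original slides; the header names, the error-page phrases and the base URL are assumptions chosen for illustration.

```python
"""Post-hardening smoke test for a public web server (added example).
Assumes the home page must be reachable anonymously and that neither the
response headers nor error pages should reveal the server product/version."""
import urllib.error
import urllib.request

# Headers that commonly identify server software (list is an assumption).
IDENTIFYING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Phrases typical of stock error pages; constructed list for illustration.
DEFAULT_PAGE_MARKERS = ("the page cannot be found", "internet information services")


def assess_response(status, headers, body):
    """Return a list of findings for one HTTP response.

    status: int, headers: dict (any key case), body: str."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name in IDENTIFYING_HEADERS:
        if lower.get(name, "").strip():            # empty header is fine
            findings.append("leaks %s: %s" % (name, lower[name]))
    if status in (401, 403):
        findings.append("anonymous access denied (%d): hardening may have broken public pages" % status)
    text = body.lower()
    if status >= 400 and any(m in text for m in DEFAULT_PAGE_MARKERS):
        findings.append("default error page still served for status %d" % status)
    return findings


def fetch(url):
    """GET url and return (status, headers, body); error replies are kept, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.getcode(), dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    base = "http://www.example.com"  # placeholder: your server's public name
    for path in ("/", "/no-such-page-for-testing"):
        status, headers, body = fetch(base + path)
        for finding in assess_response(status, headers, body) or ["ok"]:
            print(path, status, finding)
```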

Windows and IIS Hardening
References/Resources:
- Microsoft documentation, Knowledge Base articles, TechNet
- NIST Computer Security Resource Center (CSRC)
- NSA Security Configuration Guides
- CERT:
- US-CERT:

ColdFusion installation and hardening (this applies to any third-party application server)
- Research the product and its vulnerabilities
- Be aware of what the installer is doing
- Install latest updates and patches
- Protect against unknown vulnerabilities by following good security practices (e.g., least privilege, remove/disable unnecessary features, change default values)
- Test, document, and baseline!

Maintenance and operations
- Regularly install patches and updates
- Virus scanning
- Backups
- Log file analysis from firewall(s), IDS, web server, and application server
- A good log file filtering and analysis tool is essential.
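As an added example of the log file analysis step (not code from the original presentation), the script below reads IIS W3C extended log lines using the #Fields directive, counts error responses per client, and flags hits on virtual directories that were removed during hardening. The sample log and the list of removed directories are constructed for illustration.

```python
"""Analyser for IIS W3C extended log lines (added example, not from the slides).
Parses the #Fields directive so the column order in the log drives the parsing."""
import collections

# Constructed sample log in IIS W3C extended format (values with spaces are '+'-encoded by IIS).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-06-01 00:00:01 10.0.0.5 GET /index.htm - 200 Mozilla/4.0
2001-06-01 00:00:02 10.0.0.5 GET /images/logo.gif - 200 Mozilla/4.0
2001-06-01 00:00:03 192.0.2.44 GET /scripts/test.exe - 404 scanner/1.0
2001-06-01 00:00:04 192.0.2.44 GET /iissamples/default.asp - 404 scanner/1.0
2001-06-01 00:00:05 192.0.2.44 GET /iisadmin/default.htm - 404 scanner/1.0
2001-06-01 00:00:06 10.0.0.7 GET /about.htm - 200 Mozilla/4.0
"""

# Virtual directories removed during hardening (assumed list); any hit is worth a look.
REMOVED_PREFIXES = ("/scripts/", "/iissamples/", "/iisadmin/")


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields directive."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):   # skip malformed lines
                records.append(dict(zip(fields, values)))
    return records


def analyse(records):
    """Return (error counts per client IP, list of (ip, path, status) hits on removed dirs)."""
    errors = collections.Counter()
    probes = []
    for rec in records:
        status = int(rec["sc-status"])
        if status >= 400:
            errors[rec["c-ip"]] += 1
        stem = rec["cs-uri-stem"].lower()
        if stem.startswith(REMOVED_PREFIXES):
            probes.append((rec["c-ip"], stem, status))
    return errors, probes


if __name__ == "__main__":
    errs, hits = analyse(parse_w3c(SAMPLE_LOG))
    print("errors per client:", dict(errs))
    print("hits on removed directories:", hits)
```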