1. Installing and Configuring a Secure Web Server COEN 351 David Papay

2. Objectives Background Planning for security Physical and network security OS/web server installation and hardening Application server installation and hardening Maintenance and operations

3. Requirements Need to bring a new external web server online to host our Internet web site (www.gd-ais.com) Windows 2000, IIS 5.0, ColdFusion (application server) No sensitive information, no “store front” or other web apps to protect. Want protection from: Defacement Use as a jumping-off point to the rest of our network. Serve as an example for future secure web server installations

4. Planning Security concerns should be identified and planned for from the very beginning. It is much harder and more error-prone to “add security later.” Reference: Develop a computer deployment plan that includes security issues. http://www.cert.org/security-improvement/practices/p065.html

5. Planning Examples of things to consider: Purpose(s) of the server Security requirements Internet service(s) needed (e.g., http, ftp) Categories of users, their privileges, and how they will be authenticated. Patching, backup, and virus detection procedures

6. Physical Security and Network Environment Server is in a physically secure location Consequences of this decision Firewall and DMZ configuration Consider an application layer firewall Network-based IDS Reference: Guidelines on Securing Public Web Servers, chapter 8. http://cs-www.ncsl.nist.gov/publications/nistpubs/800- 44/sp800-44.pdf

7. Windows and IIS Installation Install only necessary Windows and IIS components. Install all patches and updates. Run HotFix Checker, MBSA. Document and baseline current configuration. Note that W2k3 has alleviated the need for some of this. References: Microsoft documentation, TechNet, Knowledge Base articles.

8. Windows and IIS Hardening This definitely consumed the most time (in terms of research, implementation, and testing). Just because Windows and IIS have been minimally installed, updated, and patched, it does not mean your server and site are secure!

9. Windows and IIS Hardening Examples of Windows hardening: Remove/disable unneeded default accounts and groups. Rename necessary predefined accounts. Least privilege for accounts and group. Change default security settings on the file system Windows Security Policies (e.g., strong passwords, account lockout, logging, auditing, user rights, unneeded services)

10. Windows and IIS Hardening Examples of IIS hardening: Separate partitions for OS, web content, and log files. Enable detailed logging. Run IIS Lockdown Wizard, URLScan Remove examples, documentation, and unneeded physical/virtual directories. Remove server-identifying characteristics (e.g., http response headers, default error pages)

11. Windows and IIS Hardening Test to make sure you haven’t broken anything (e.g., anonymous web access, ability to update web content, indexing/searching web content). Document and baseline current configuration.

12. Windows and IIS Hardening References/Resources: Microsoft documentation, Knowledge Base articles, TechNet NIST Computer Security Resource Center (CSRC) http://csrs.nist.gov/http://csrs.nist.gov/ NSA Security Configuration Guides http://www.nsa.gov/snac/ http://www.nsa.gov/snac/ CERT: http://www.cert.orghttp://www.cert.org US-CERT: http://www.us-cert.gov/http://www.us-cert.gov/

13. ColdFusion installation and hardening (This applies to any third-party application server server) Research the product and its vulnerabilities Be aware of what the installer is doing Install latest updates and patches Protect against unknown vulnerabilities by following good security practices (e.g., least privilege, remove/disable unnecessary features, change default values) Test, document, and baseline!

14. Maintenance and operations Regularly install patches and updates Virus scanning Backups Log file analysis From firewall(s), IDS, web server, and application server A good log file filtering and analysis tool is essential.