Presentation is loading. Please wait.

Presentation is loading. Please wait.

Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Published byCamilla James Modified over 9 years ago

Similar presentations

Presentation on theme: "Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2."— Presentation transcript:

1 Module 4: Securing the Web Server 1

2 Overview Securing IIS Securing Apache 2

3 3 Securing IIS

4 Securing IIS Servers Installation Authentication Permissions and Authorization Web Applications Protect the Metabase Monitoring and Logging Utilities Miscellaneous Web sites, products, training

5 Installation Only install necessary components Do not have server connected to Ethernet during the installation Apply all service packs and hot fixes Remove printer and file support Disable unnecessary services and subsystems Delete sample files Delete or move sample scripts Remove Internet Explorer Security Templates Remove any resource kits or SDKs that were installed Secure dangerous executables

6 Securing IIS Servers

7 Authentication Anonymous access Use of SSL

8 Permissions & Authorization NTFS permissions for website content volumes Set initial NTFS permissions settings on the root of the volume Administrators : Full control (Apply onto: This folder, sub folders, and files) System: Full control (Apply onto: This folder, subfolder sand files) Check the box on the Permissions tab to “Reset permissions on all child objects and enable propagation of inheritable permissions”

9 Best Practices for Website Folders Physical folder structure /root – starting point of the website -Home page /scr – stores scripts -Don’t call it “scripts” as this is a tip -off for hackers /exe – executables -Don’t call it “bin” or “cgi-bin” as this is a tip-off for hackers; may not even want to call it “exe” images – graphics -Reduces clutter in other folders and can be removed from logging

10 ISAPI Filters vs. ISAPI Extensions Filters are DLLs which register “hooks” with IIS so that they will be invoked when certain internal IIS events occur. Event triggers pass control of a request or response to an ISAPI filter DLL (Example: SSL encryptions) Extensions are DLLs or programs which are associated with files of a certain filename extensions so that when a browser makes a request to such a file, the program is automatically executed. Typically script engines or command interpreters

11 lISAPI Filters Four default filters SSPIFILT.DLL – implements SSL encryption for all websites using HTTPS COMPFILT.DLL – implements HTTP compressions of requested files using GZIP and DEFLATE protocols MD5FILT.DLL – used with Digest authentication FPEXEDLL.DLL – provides compatibility with FrontPage

12 Protect the Metabase The “metabase” is IIS’s configuration database (like the system registry) Location is determined by a registry value which can be modified (not recommended unless you’re paranoid!) Hive: HKEY_LOCAL_MACHINE Key: \Software\Microsoft\InetMgr\Parameters Value Name: MetadataFile Value Type: REG_SZ Value Data: Move the HTTP/FTP root folders off the %systemroot% volume Secure the registry key which determines the metabaselocation Audit all failed access to the metabasefile Set NTFS permissions on the metabasefile to the following: Administrators: Full Control System: Full Control

13 Monitoring and Logging Use performance monitor Log monitor output to a data file Determine an appropriate period of time for monitoring activity Get a baseline set of statistics

14 What to Monitor? Active Server Pages Errors/Sec Request Not Authorized Disk Logical Disk\% of Free Space] IP Datagrams Received Header Errors Datagrams Received Unknown Protocol Fragment Re-Assembly Failures

15 Event Viewer Logs NTFS File Access Audit Audit all the different types of failed access for the entire file system Audit successful actions for Everyone for: -Create Files / Write Data -Create Folder / Append Data -Delete Subfolders and Files -Delete -Change Permissions -Take Ownership

16 IIS Protocol Logging Enable logging at the website Disable logging for each folder/file you don’t want to log Set the location for the log files Secure the log files using NTFS permissions

17 Utilities Resource Kit METAEDIT.EXE – IIS configuration tool PLAYBACK.EXE –Records incoming traffic on an IIS 5.0 server then allows it to be played back on another server Stress test utility IIS Permissions Wizard Template Maker

18 Miscellaneous Throttling IIS -Limit connections -Set connection timeouts Administration Website (HTMLA) -Secure the site with SSL, authentication, IP address restrictions

19 Unused Services Follow a defense-in-depth approach to securing SQL Server Apply service packs and patches -Use MBSA to detect missing SQL updates Disable unused services -MSSQLSERVER -SQLSERVERAGENT -MSSQLServerADHelper -Microsoft Search -Microsoft DTC

20 Patching

21 SQL Server Authentication Best Practices

22 IIS Lockdown Tool The IIS Lockdown Tool turns off unnecessary features to reduce the attack surface of IIS 4.0, IIS 5.0, and IIS 5.1 To provide defense-in-depth, the Lockdown Tool integrates URLScan, which includes customized templates for each supported server role IIS 6.0 is installed with Security Settings configured in previous versions of IIS Lockdown, therefore no IIS Lockdown for IIS 6.0

23 Top 10 Actions to Secure IIS Harden the operating system and apply all relevant security updates Remove unnecessary components Configure URLScan Place content on a separate NTFS partition Protect files by using minimal permissions Require encryption for sensitive Web traffic Do not enable both the Execute and Write permissions on the same Web site Run applications using Medium or High application protection Use LPA for App Pool Account Use IPSec filtering to allow only required traffic (HTTP and HTTPS) to the Web server

24 IIS 6.0 Application Pools

25 Demonstration : Securing IIS 6.0

26 Unused Services The IIS Lockdown Tools provides the option to disable unused IIS-related services; however, you should manually disable other unused services The following services must be running for IIS to run properly : Event Log License Logging Service Windows NTLM Security Support Provider Remote Procedure Call (RPC) Service Windows NT Server or Windows NT Workstation IIS Admin Service MSDTC World Wide Web Publishing Service Protected Storage

27 The final patch

28 This means less for hackers to attack, less to patch and less to manage. Score one for IIS.

29 Once IIS is installed, this modularization continues and role services can easily be added or removed.

30 Disable Unused Services

31 31 Securing Apache

32 Secure the Operating System Offer no network services except HTTP (80/tcp) and HTTPS (443/tcp) to the Internet Access to and from the Internet controlled by a firewall Apache web server must be the only service running on the machine Only necessary Apache modules to be loaded Diagnostic web pages and automatic directory listings turned off 32

33 Minimize the amount of security disclosure Run the Apache process under a unique UID Limit the Apache process by chrooting/sandboxing Ensure no shell programs are in the chroot environment 33

34 Build Apache with only the modules required: Http_core Mod_access Mod_auth Mod_dir Mod_log_config Mod_mime Do not install: mod_autoindex and mod_info Compiled statically, which also removes the need for mod_so 34

35 10 things you should do to secure Apache Update Use the right user:group Turn off unwanted services Disable unused modules Restrict access Limit request size Employ mod_security Do not allow browsing outside the document root Hide Apache’s version number Immunize httpd.conf

36 Unused Services Directory browsing-This is done within a directory tag (the document root is a good place to start) using the Options directive and is set with “-Indexing”. Server side Includes-This is another feature that is disabled within a directory tag (using Options directive) and is set with “-Includes”. CGI execution-Unless your site needs CGI, turn this off. This feature is also set within a directory tag using the Options directive, with “-ExecCGI”. Symbolic links-Set this inside a (surprise, surprise) directory tag with “- FollowSymLinks”. None-You can turn off all options (in the same way you set the above) using “None” with the Option directive.

37 Patching A "Patch" is the set of differences between two versions of the same file. A patch comprises one or more "diff" files. These diffs are produced by the program of the same name: diff.

38 Steps to manually apply the FrontPage Apache patch to a new Apache server Before compiling and installing the Apache patch, you must install the FrontPage Server Extensions. When the setup script untars the FrontPage Server Extensions, it also untars the FrontPage Apache patch source file Fp-patch-apache_1.3.x. If you run Fp_install.sh, let it untar the Fp40.platform.tar.Z without installing a root Web or sub/per user Webs, or virtual Webs. Copy the Fp-patch-apache_1.3.x into your Apache server build directory (usually /usr/local/Apache_1.3.x). The Fp-patch-apache_1.3.x file is found in/usr/local/frontpage/version4.0/apache-fp/fp-patch-apache_1.3.x. Using the GNU version of the patch utility, run the patch command on the FrontPage 2000 Apache patch source file: patch -p0 <fp-patch- apache_1.3.x Create the makefile for the patched server. For a server that uses 1.3.0 or later directory structure:./configure --add-module=mod_frontpage.c For a server that uses 1.2.x, directory structure:./configure --add- module=mod_frontpage.c --compat

39 Steps to manually apply the FrontPage Apache patch to a new Apache server You can append --prefix=/usr/local/apache to get your install directories the way you want them. For instance, for a install directory of /usr/local/apache:./configure --add-module=mod_frontpage.c -- prefix=/usr/local/apache Build the Apache server: make Install the server: make Install After installing the server, you will need to run the Change_server.sh. This file was untarred when you ran the Fp_install.sh script. The Change_server.sh resides in /usr/local/frontpage/version4.0. When you run the Change_server.sh, you will be prompted whether or not to replace the httpd daemon. You can install the Server Extensions using Fp_install making sure when prompted to install to Apache-fp when asked which server you are using.

40 Apache and MySQL configurations, patching services and cluster

41 41 Securing some other web server

42 Patching Patching and updating your server software is a critical first step towards securing your Web server. Services are prime vulnerability points for attackers. If your service software is not secure, but you need the service, try to find a secure alternative. Accounts grant authenticated access to your computer, and these accounts must be audited. Secure all files and directories with restricted NTFS permissions that only allow access to necessary Windows services and user accounts. Remove all unnecessary file shares including the default administration shares if they are not required. Audit the ports on your server regularly to ensure that an insecure or unnecessary service is not active on your Web server. 42

43 43

Download ppt "Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2."

Similar presentations

Internet Information Server 6.0. IIS 6.0 Enhancements  Fundamental changes, aimed at: Reliability & Availability Reliability & Availability Performance.

Internet Information Server 6.0. IIS 6.0 Enhancements  Fundamental changes, aimed at: Reliability & Availability Reliability & Availability Performance.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 13: Administering Web Resources.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 13: Administering Web Resources.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.
MIS 431 - Chapter 51 Chapter 5 – Managing File Access MIS 431 Created Spring 2006.

MIS Chapter 51 Chapter 5 – Managing File Access MIS 431 Created Spring 2006.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.
Hands-On Microsoft Windows Server 2003 Administration Chapter 7 Administering Web Resources in Windows Server 2003.

Hands-On Microsoft Windows Server 2003 Administration Chapter 7 Administering Web Resources in Windows Server 2003.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.

Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 8: Implementing and Managing Printers.

Similar presentations

Ads by Google