1 of 8

Week 7: Web Server - Hardening Basics

SEC 260

2 of 8

Web Server Security and CIA

  • Remember the goals of information security:

  • Confidentiality

  • Integrity

  • Availability

3 of 8

CIA

  • Based on what we have covered so far – what web technologies apply to CIA?

4 of 8

Confidentiality: Hardening Topics

Web traffic in transit?

  • HTTPS

Authentication

  • Protect resources by requiring authentication
  • Protect authentication credentials using secure technologies

Least Privilege

  • Only allow users to access the resources they need
  • Prevent exposing unnecessary information about the server/application itself

5 of 8

Confidentiality: Hardening Topics (cont…)

File System Protections

  • Set appropriate permissions on web content, scripts, and configuration files
  • Prevent “file inclusion” vulnerabilities
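A file inclusion or path traversal bug usually comes from joining a user-supplied name onto the document root without checking where the result ends up. The following is an added example (not code from the slides) showing the check a static-file handler should make: resolve the final path, including symlinks, and refuse anything that does not lie under the document root. `make_demo_root` builds a throwaway document root with a constructed page and a symlink to an outside file so the checks can be exercised offline.

```python
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a requested path would leave the document root."""


def resolve_under_root(doc_root: str, requested: str) -> Path:
    """Map a user-supplied relative path onto a location inside doc_root.

    Rejects NUL bytes, absolute paths, '..' traversal, and symlinks that
    point outside the root. The decisive check is on the fully resolved
    path, not on the string the client sent.
    """
    root = Path(doc_root).resolve()
    if "\x00" in requested:
        raise UnsafePath("NUL byte in requested path")
    if requested.startswith(("/", "\\")):
        # pathlib would let an absolute component replace the root entirely.
        raise UnsafePath(f"absolute path not allowed: {requested!r}")
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafePath(f"escapes document root: {requested!r}") from None
    return candidate


def read_page(doc_root: str, requested: str) -> str:
    """Serve a file as data only; never pass it to include/eval/exec."""
    path = resolve_under_root(doc_root, requested)
    if not path.is_file():
        raise FileNotFoundError(requested)
    return path.read_text(encoding="utf-8")


def classify_request(doc_root: str, requested: str) -> str:
    """Summarise how the handler would respond: served, rejected, or not-found."""
    try:
        read_page(doc_root, requested)
        return "served"
    except UnsafePath:
        return "rejected"
    except FileNotFoundError:
        return "not-found"


def make_demo_root() -> str:
    """Constructed document root: one real page plus a symlink escaping the root."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    (root / "pages").mkdir()
    (root / "pages" / "about.html").write_text("<h1>About</h1>")
    outside = Path(tempfile.mkdtemp(prefix="outside-"))
    (outside / "secret.txt").write_text("hypothetical secret kept outside the web root")
    (root / "pages" / "link.txt").symlink_to(outside / "secret.txt")
    return str(root)


if __name__ == "__main__":
    demo = make_demo_root()
    for req in ["pages/about.html", "../../etc/passwd", "/etc/passwd", "pages/link.txt"]:
        print(f"{req!r:28} -> {classify_request(demo, req)}")
```

Pair this with the file-permission bullet above: even if the check is bypassed, the web server's OS account should not be able to read files that the site does not need.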

Data Store Protections

  • Prevent unauthorized access methods to databases and other backend data stores (e.g. prevent SQL injection)
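The usual root cause of SQL injection is building the query string out of user input. The following is an added example (not from the slides) with the weak lookup beside the corrected one, using an in-memory SQLite table with constructed rows; the table name, columns and sample users are invented for the demonstration.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Weak version: the input is spliced into the SQL text, so a quote in
    the input changes the statement's structure."""
    query = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> list:
    """Corrected version: the driver binds the value separately from the
    statement, so whatever the input contains is compared as data."""
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = make_demo_db()
    print(lookup_email_safe(db, "alice"))
    # A username containing a quote: harmless to the parameterised query.
    print(lookup_email_safe(db, "o'brien"))
```

Parameter binding is the fix; input filtering is not a substitute. It also pairs with the least-privilege bullet on the previous slide: the account the application uses to reach the database should hold only the rights that query needs.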

Server-Side Script Protections

  • Prevent script execution when not needed

6 of 8

Integrity: Hardening Topics

Ensuring data doesn’t change:

  • Using certificates and digital signatures
  • Preventing Man-in-the-Middle

Prevent File System Changes

  • Monitor file-system for unauthorized changes (integrity monitoring)
  • Read-only permissions to web content whenever possible
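Integrity monitoring in its simplest form is a baseline of file digests taken right after deployment and compared against the live tree on a schedule. The following is an added example, not course code: it builds a SHA-256 baseline of a web root and reports additions, removals and modifications. `make_demo_site` and `apply_demo_tamper` construct a temporary site and simulate unauthorized changes so the comparison can be run offline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large assets are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root: str) -> dict:
    """Map every regular file under web_root (path relative to it) to its digest.

    Symlinks are skipped so a link pointing outside the root cannot pull
    foreign content into the baseline.
    """
    root = Path(web_root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_to_baseline(web_root: str, baseline: dict) -> dict:
    """Report files added, removed, or modified since the baseline was taken."""
    current = build_baseline(web_root)
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def make_demo_site() -> str:
    """Constructed sample web root in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "css").mkdir()
    (root / "index.html").write_text("<h1>Welcome</h1>\n")
    (root / "css" / "site.css").write_text("body { color: #333; }\n")
    return str(root)


def apply_demo_tamper(web_root: str) -> None:
    """Simulate unauthorized changes: edit a page, drop a new file, delete a stylesheet."""
    root = Path(web_root)
    (root / "index.html").write_text("<h1>Welcome</h1><!-- edited after deployment -->\n")
    (root / "uploads").mkdir(exist_ok=True)
    (root / "uploads" / "unexpected.txt").write_text("not part of the deployment\n")
    (root / "css" / "site.css").unlink()


if __name__ == "__main__":
    site = make_demo_site()
    baseline = build_baseline(site)
    apply_demo_tamper(site)
    print(compare_to_baseline(site, baseline))
```

Store the baseline somewhere the web server's account cannot write, or it can be "corrected" along with the content; the read-only permission bullet above is what makes most of these changes impossible in the first place, and the monitor catches what slips past it.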

Server-Side Script Protections

  • Prevent script execution when not needed

7 of 8

Availability: Hardening Topics

Configuration Settings:

  • Protect server/service from resource exhaustion (connection limits, timeouts)
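Why a read timeout and a connection cap matter is easiest to see at the socket level: a worker that waits forever for a request line is a worker no legitimate client can use. The following is an added example, not course code, that enforces a time budget and a size cap while reading the request line, plus a simple bound on concurrent connections. `simulate` uses a local socket pair as a constructed client that sends some bytes and then goes silent.

```python
import socket
import threading
import time

MAX_REQUEST_LINE = 8192  # bytes buffered before giving up on a request line


def read_request_line(conn: socket.socket, budget_seconds: float,
                      max_bytes: int = MAX_REQUEST_LINE) -> bytes:
    """Read up to the first CRLF within a total time budget and a size cap.

    Without the budget, a client that trickles bytes (or sends nothing)
    pins this worker indefinitely; without the cap it also grows memory.
    """
    buf = bytearray()
    deadline = time.monotonic() + budget_seconds
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("request line not received within budget")
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            raise TimeoutError("request line not received within budget") from None
        if not chunk:
            raise ConnectionError("client closed before sending a request line")
        buf += chunk
        if len(buf) > max_bytes:
            raise ValueError("request line too long")
        end = buf.find(b"\r\n")
        if end != -1:
            return bytes(buf[:end])


class ConnectionGate:
    """Bound the number of connections served at once; excess ones are refused
    immediately instead of queuing until resources run out."""

    def __init__(self, limit: int) -> None:
        self._slots = threading.BoundedSemaphore(limit)

    def try_acquire(self) -> bool:
        return self._slots.acquire(blocking=False)

    def release(self) -> None:
        self._slots.release()


def simulate(client_bytes: bytes, budget_seconds: float) -> str:
    """Constructed scenario: the client sends client_bytes, then stays silent."""
    server_side, client_side = socket.socketpair()
    try:
        client_side.sendall(client_bytes)
        try:
            line = read_request_line(server_side, budget_seconds)
            return "ok:" + line.decode("ascii", "replace")
        except TimeoutError:
            return "timeout"
        except ValueError:
            return "too-long"
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    print(simulate(b"GET / HTTP/1.1\r\nHost: example.test\r\n", 1.0))
    print(simulate(b"GET /slow", 0.5))
```

Production servers expose the same controls as configuration rather than code (Apache's `Timeout`, `RequestReadTimeout` and `MaxRequestWorkers`, for instance), but the mechanism is the one shown here.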

Unload unneeded modules/services

  • Simplify the configuration to the minimal required resources
  • Reduced complexity can improve reliability of server/service

8 of 8

Other Hardening Topics

Updates!

  • OS as well as web server and backend applications

Security-Specific Technologies

  • Security modules for web server (mod_security for Apache)
  • OS protection tools (e.g. SELinux)
  • Intrusion Prevention systems
  • Denial-of-Service Protections
  • Web-Application Firewall