Guidelines on Securing Public Web Servers
- Patch and upgrade the Web server application
- Remove or disable unnecessary services, applications, and sample content
- Configure Web server user authentication
- Configure Web server resource controls
- Test the security of the Web server application and Web content.

Organizations should take steps to ensure that only appropriate content is published on the
Web site and that the content is adequately protected from unauthorized alteration.
Many agencies lack a Web publishing process or policy that determines what type of
information to publish openly, what information to publish with restricted access, and what
information should not be published to any publicly accessible repository. This is unfortunate
because Web sites are often one of the first places that malicious entities search for valuable
information. Some generally accepted examples of what should not be published, or at least
should be carefully examined and reviewed before publication on a public Web site, include:
- Classified or proprietary information
- Information on the composition or preparation of hazardous materials or toxins [2]
- Sensitive information relating to homeland security [2]
- An organization's detailed physical and information security safeguards
- Details about an organization's network and information system infrastructure (e.g.,
  address ranges, naming conventions, access numbers)
- Information that specifies or implies physical security vulnerabilities
- Detailed plans, maps, diagrams, aerial photographs, and architectural drawings of
  organizational buildings, properties, or installations.

Organizations should ensure appropriate steps are taken to protect Web content from
unauthorized access or modification. While information on public Web sites is intended to be
public (assuming a credible review process and policy is in place), it is still important to
ensure that the information cannot be modified without authorization. Users rely upon the
integrity of such information even when it is not confidential. Because of its public
accessibility, content on publicly accessible Web servers is inherently more exposed to attack
than information that is inaccessible from the Internet. This means that organizations need to
protect public Web content through the appropriate configuration of Web server resource
controls. Some examples of appropriate resource control practices include:
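The list of practices itself is not reproduced on this page. As an added example (not part of the NIST text) of one control that supports the integrity requirement described above, the script below records a SHA-256 digest for every file under a Web root and then reports files that were added, modified or removed since that baseline. The directory layout and file contents are constructed for the demonstration; the assumption is that the baseline record is kept somewhere the Web server process cannot write to (off-host or on read-only media), since an attacker who can alter content must not also be able to alter the record of what the content should be.

```python
"""Content-integrity baseline for a public Web root.

Added example, not code from the NIST guideline. Hashes every published file,
then diffs a later snapshot against the stored baseline to surface unauthorized
alteration (defacement, dropped files, deleted files).
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(web_root: Path) -> dict:
    """Map each published file (path relative to web_root, POSIX form) to its digest.

    Symlinks are skipped so a link planted inside the root cannot pull files from
    outside it into the baseline.
    """
    manifest = {}
    for p in sorted(web_root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        manifest[p.relative_to(web_root).as_posix()] = hash_file(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh manifest."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the site, detect the changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"          # constructed Web root
        (root / "img").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "img" / "logo.svg").write_text("<svg/>\n")

        # In practice this JSON is written to a location the Web server
        # process has no write access to (assumption for this example).
        saved_baseline = json.dumps(build_manifest(root))

        # Simulate an unauthorized alteration: defaced page, new file, deleted asset.
        (root / "index.html").write_text("<h1>Defaced</h1>\n")
        (root / "new.html").write_text("<p>unauthorized</p>\n")
        (root / "img" / "logo.svg").unlink()

        return compare(json.loads(saved_baseline), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run periodically (for example from a host outside the Web server's trust boundary, over a read-only export of the content) and alert on any non-empty result that does not correspond to an approved publishing change.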

[2] For more guidance on protecting this type of information see the White House Memorandum dated March 19, 2002, Action to Safeguard Information Regarding Weapons of Mass Destruction and Other Sensitive Documents Related to Homeland Security (http://www.usdoj.gov/oip/foiapost/2002foiapost10.htm).