Guidelines on Securing Public Web Servers
2.1  General Information System Security Principles 
When addressing Web server security issues it is an excellent idea to keep some general information security principles in mind [Curt01 and Salt75]:
    
Simplicity
Security mechanisms (and the information systems in general) should be as simple as possible. Complexity is at the root of many security issues.
    
Fail Safe
If a failure occurs, the system should fail in a secure manner. That is, if a failure occurs, security should still be enforced. It is better to lose functionality than to lose security.
    
Complete Mediation
Rather than providing direct access to information, mediators that enforce access policy should be employed. Common examples include file system permissions, web proxies, firewalls, and mail gateways.
    
Open Design
System security should not depend on the secrecy of the implementation or its components. Security through obscurity is not reliable.
    
Separation of Privilege
Functions, to the degree possible, should be separate and provide as much granularity as possible. The concept can apply to both systems and operators/users. In the case of systems, functions such as read, edit, write, and execute should be separate. In the case of system operators and users, roles should be as separate as possible. For example, if resources allow, the role of system administrator should be separate from that of the security administrator.
    
Least Privilege
This principle dictates that each task, process, or user is granted the minimum rights required to perform its job. By applying this principle consistently, should a task, process, or user be compromised, the scope of damage is constrained to the limited resources available to the compromised entity.
    
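The Fail Safe, Complete Mediation, and Least Privilege principles above can be seen together in one small piece of Web server logic: a single check that every static-file request must pass, that denies on any error, and that only grants access to the limited set of files the server is meant to publish. The following is an added illustration, not code from the guideline; the document-root layout, the allow-listed file extensions, and the sample request paths are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Assumed allow-list of publishable file types (least privilege over content).
ALLOWED_SUFFIXES = {".html", ".css", ".js", ".png"}


def resolve_request(docroot: str, request_path: str):
    """Mediate a request for a static file (complete mediation).

    Returns the canonical filesystem path when the request is allowed,
    otherwise None. Every exception is treated as a denial (fail safe).
    """
    try:
        root = Path(docroot).resolve(strict=True)
        # Strip leading slashes so the request cannot name an absolute path.
        candidate = (root / request_path.lstrip("/")).resolve(strict=True)
        # After following symlinks, the target must still sit inside the
        # document root; relative_to() raises ValueError otherwise.
        candidate.relative_to(root)
        if not candidate.is_file():
            return None
        if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
            return None
        return str(candidate)
    except Exception:
        return None


def build_demo_docroot() -> str:
    """Constructed sample layout: a docroot with a page, a config file,
    and a symlink that escapes the root (hypothetical names)."""
    base = Path(tempfile.mkdtemp())
    root = base / "htdocs"
    root.mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    (root / "db.conf").write_text("password=example")
    (base / "secret.html").write_text("outside the document root")
    (root / "escape.html").symlink_to(base / "secret.html")
    return str(root)


def demo() -> dict:
    """Run constructed requests through the mediator; True means served."""
    root = build_demo_docroot()
    requests = ["/index.html", "/../secret.html", "/db.conf",
                "/escape.html", "/missing.html"]
    return {p: resolve_request(root, p) is not None for p in requests}
```

Only the ordinary page is served; the traversal attempt, the configuration file, the escaping symlink, and the missing file all fall through to the same deny path.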
Psychological Acceptability
Users should understand the necessity of security. This can be provided through training and education. In addition, the security mechanisms in place should present users with sensible options that give them the usability they require on a daily basis. If users find the security mechanisms too cumbersome, they may devise ways to work around or compromise them. For example, randomly generated passwords are strong, but users weaken their security by writing down difficult-to-remember, randomly generated passwords. The objective is not to weaken security so it is understandable and acceptable, but to train, educate, and design security mechanisms and policies that are usable and effective.
    
Least Common Mechanism
When providing a feature to the system, it is best to have a process or service gain some function without granting the same function to other parts of the system. The ability for the Web server process to access a back end database, for instance, should not also enable other applications on the system to access the back end database.
    
Defense in Depth
Organizations should understand that a single security mechanism would generally prove insufficient. Security mechanisms (defenses) need to be layered so that compromise of a single security mechanism is insufficient to