Guidelines on Securing Public Web Servers
- HTTPS [6]
- Secure Hypertext Transfer Protocol (S-HTTP) [7]
- Remote Authentication Dial In User Service (RADIUS) Protocol
- Open Database Connectivity (ODBC) Protocol
- Network File System (NFS) Protocol [8]
- Common Internet File System (CIFS)
- Internet Caching Protocol (ICP).
- Identify any network service software, both client and server, to be installed on the Web server and any other support servers.
- Identify the users or categories of users of the Web server and any support hosts.
- Determine the privileges that each category of user will have on the Web server and support hosts.
- Decide if and how users will be authenticated and how authentication data will be protected.
- Determine how appropriate access to information resources will be enforced.
The choice of Web server application may determine the choice of operating system.
However, to the degree possible, Web administrators should choose an operating system that
provides the following [CERT00]:
- Minimal exposure to vulnerabilities (see the NIST ICAT vulnerability database [http://icat.nist.gov] for the known vulnerabilities of specific Web server applications)
- Ability to restrict administrative or root-level activities to authorized users only
- Ability to control access to data on the server
- Ability to disable unnecessary network services that may be built into the operating system or server software
- Ability to control access to various forms of executable programs, such as Common Gateway Interface (CGI) scripts and server plug-ins in the case of Web servers
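The criterion on disabling unnecessary network services can be checked against the network service software identified in the planning list. The following shell script is an added example, not part of the NIST guideline; the approved port list and the sample socket listing (in the format of `ss -Hltn`) are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the guideline): compare a host's listening TCP
# services with the services the Web server plan says it must expose.
# The approved ports and the sample socket listing are assumptions.

# Ports the deployment plan approves for this Web server (assumption).
ALLOWED_PORTS="80 443"

# Constructed sample in the format of `ss -Hltn` (listening TCP sockets,
# numeric, no header): State Recv-Q Send-Q Local:Port Peer:Port.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 50 0.0.0.0:2049 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*'

# Read ss-style lines on stdin and print the local port of each, one per line.
listening_ports() {
  awk '{ n = split($4, a, ":"); print a[n] }'
}

# Read ss-style lines on stdin and print only the ports not in ALLOWED_PORTS.
unexpected_ports() {
  listening_ports | while read -r port; do
    case " $ALLOWED_PORTS " in
      *" $port "*) ;;          # approved, say nothing
      *) echo "$port" ;;       # not in the plan: report it
    esac
  done
}

# Audit one listing (passed as a string). Returns 1 if any port is
# outside the approved list, 0 otherwise.
audit_listeners() {
  extra=$(printf '%s\n' "$1" | unexpected_ports)
  if [ -n "$extra" ]; then
    printf 'Unexpected listening ports: %s\n' "$(printf '%s' "$extra" | tr '\n' ' ')"
    return 1
  fi
  echo "All listening ports are in the approved list."
  return 0
}

# Stand-alone run against the constructed sample; on a live host replace
# the sample with: audit_listeners "$(ss -Hltn)"
audit_listeners "$SAMPLE_LISTENERS" || true
```

In the sample, the NFS port (2049) and a local database listener (5432) are reported because neither is in the approved list; whether each is needed is then decided against the service inventory from the planning step.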
[6] HTTP transactions protected via the Secure Socket Layer (SSL)/Transport Layer Security (TLS) protocols (see Section 7.5).
[7] A seldom-used alternative to HTTPS.
[8] Not generally recommended unless used exclusively within a protected network environment such as a Demilitarized Zone (DMZ) (see Section 8.1.2) for data replication to multiple Web servers.