Guidelines on Securing Public Web Servers
application is also often based on a hardened and/or modified generally available Web server
application (e.g., Apache or IIS). These packages often include a greater number of security
options and are designed to be easier to configure through the use of precompiled scripts and
graphical user interfaces (GUIs). Although each of these packages is different, they usually
rely on one or more of the following to provide a higher level of protection and security:
Secure initial default configuration
Hardened operating system and/or TOS
Hardened Web server software
Extensive auditing capabilities
Application wrappers
Network wrappers and/or host-based firewall capabilities
Host-based intrusion detection systems
Simplified security administration (e.g., menus, GUIs).
These types of systems should be considered by organizations that face a significant threat
level and/or have high value Web sites (e.g., major Federal government organizations, banks,
health insurance companies). These packages are available from some major hardware and
software vendors in addition to a variety of specialized vendors.
Some items to consider when contemplating the purchase of a hardened Web appliance:
What is the underlying operating system and how has it fared in security testing?
How has the Web server application itself fared in security testing?
How difficult is it to administer?
Are the hardened Web server application and operating system compatible with the
organization's existing Web applications and scripts?