Guidelines on Securing Public Web Servers
The host can be configured to better suit the requirements of the particular service.
Different services might require different hardware and software configurations,
which could lead to unnecessary vulnerabilities or service restrictions.
By reducing services, the number of logs and log entries is reduced; therefore
detecting unexpected behavior becomes easier.
When configuring the operating system, apply the principle "disable everything except that
which is expressly permitted"; that is, disable or, preferably, remove all services and
applications and then selectively enable those required by the Web server. If possible, install
the minimal operating system configuration that is required for the Web server application. If
the operating system installation system provides a minimal installation option, choose that
because it will minimize the effort required to remove unnecessary services. Many uninstall
scripts or programs do not completely remove all components of service; therefore, it is always
better to avoid installing unnecessary services when possible.
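The allowlist approach the paragraph describes can be made mechanical. The script below is an added example, not part of the guideline: it takes an inventory of enabled services, keeps only those on an explicit list of permitted services, and prints the disable commands for review rather than running them. The service names, the allowlist and the inventory are constructed sample values standing in for what `systemctl list-unit-files --state=enabled` would report on a real systemd host.

```shell
#!/bin/sh
# Added example (not from the NIST guideline): implement "disable everything
# except that which is expressly permitted" as an allowlist check.

# Assumed allowlist for a Web server host: the HTTP daemon, remote
# administration, logging and time sync. Tailor this to the organization's needs.
ALLOWED="httpd sshd rsyslog chronyd"

# Constructed sample inventory of enabled services (not taken from a real host).
SAMPLE_ENABLED="httpd sshd rsyslog chronyd cups avahi-daemon telnet vsftpd"

# Return 0 if the service named in $1 is on the allowlist.
is_allowed() {
    for a in $ALLOWED; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Print, one per line, the services in $1 that are enabled but not permitted.
services_to_disable() {
    for s in $1; do
        is_allowed "$s" || echo "$s"
    done
}

# Emit the commands an operator would review and then run on a systemd host.
# 'systemctl disable --now' both stops the unit and prevents it starting at boot.
plan_disable() {
    for s in $(services_to_disable "$1"); do
        echo "systemctl disable --now $s.service"
    done
}

plan_disable "$SAMPLE_ENABLED"
```

Keeping the allowlist short and explicit is the point: anything not on it is a candidate for removal, which matches the guideline's preference for removing rather than merely disabling, since the uninstall step then has far less to clean up.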
The services enabled on a Web server will depend on the functions the organization wants the
server to provide. Those services might include database protocols to access a database, file
transfer protocols, and remote administration services. Each of these services, even though
they may be required, comes with an increased risk to the server. Whether the risks outweigh
the benefits is a decision each organization must make for itself.
4.1.3 Configuring Operating System User Authentication
For Web servers, authorized users who can configure the system and initiate Web services are
typically a small number of designated Web administrators and Webmasters. However, the
users who can access the public Web server may range from unrestricted to restricted subsets
of the Internet community. To enforce policy restrictions, if required, the Web administrator
must configure the system to authenticate prospective users by requiring proof that each person
is authorized for such access. Even though a Web server may allow unauthenticated access to
most Web services, administrative and other types of specialized access should be limited to
specific individuals and groups.
Configuring the computer for authentication usually involves configuring parts of the
operating system, firmware, and applications on the server, such as the software that
implements a network service. In special cases, for high value/high risk sites, organizations
may also use authentication hardware, such as tokens or one time password devices. Use of
authentication mechanisms where authentication information is reusable (e.g., passwords) and
transmitted in the clear over a network is strongly discouraged, because the information can be
intercepted and used by an attacker to masquerade as an authorized user (see Section 7).
To ensure the appropriate user authentication is in place, take the following steps [CERT00]:
Remove or disable unneeded default accounts and groups. The default
configuration of the operating system often includes guest accounts (with and without
passwords), administrator or root level accounts, and accounts associated with local
and network services. The names and passwords for those accounts are well known.
Remove or disable unnecessary accounts to eliminate their use by intruders, including
guest accounts on computers containing sensitive information. If there is no
requirement to retain a guest account or group, severely restrict its access and change
the password in accordance with the organizational password policy.
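An audit for the conditions this step names can be written against the account database directly. The script below is an added example, not part of the guideline: it scans passwd- and shadow-style records for default accounts that still exist, accounts with an empty password field, extra UID-0 accounts, and accounts that retain an interactive shell. The records and the list of default account names are constructed sample data, not taken from a real host; on a live system the same functions would be fed `/etc/passwd` and `/etc/shadow`.

```shell
#!/bin/sh
# Added example (not from the NIST guideline): audit account records for the
# default-account and password conditions the hardening step describes.

# Constructed /etc/passwd-style records: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:x:0:0:backup root:/root:/bin/sh
operator:x:1002:1002::/home/operator:/bin/bash'

# Constructed /etc/shadow-style records: name:hash:...  (empty hash = no password set)
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
toor:$6$saltsalt$hashhashhash:19000:0:99999:7:::
operator:!:19000:0:99999:7:::'

# Assumed list of default account names that should not survive on a hardened
# Web server; tailor to the platform's actual defaults.
DEFAULT_ACCOUNTS="guest games lp news uucp"

# Report default accounts still present in the passwd records passed in $1.
find_default_accounts() {
    printf '%s\n' "$1" | awk -F: -v defaults="$DEFAULT_ACCOUNTS" '
        BEGIN { n = split(defaults, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        ($1 in want) { print $1 }'
}

# Report accounts whose shadow record has an empty password field.
find_empty_passwords() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Report accounts with UID 0 other than root (a second superuser is a red flag).
find_extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == "0" && $1 != "root" { print $1 }'
}

# Report accounts that keep an interactive login shell; service accounts should
# normally carry nologin or false instead.
find_interactive() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

audit() {
    echo "default accounts present:"; find_default_accounts "$SAMPLE_PASSWD"
    echo "empty passwords:";          find_empty_passwords "$SAMPLE_SHADOW"
    echo "extra UID-0 accounts:";     find_extra_uid0 "$SAMPLE_PASSWD"
    echo "interactive shells:";       find_interactive "$SAMPLE_PASSWD"
}

audit
```

Each finding maps to an action from the step: a listed default account is removed or, if it must stay, locked down and given a policy-compliant password; an empty password field is set or the account locked; an unexpected UID-0 account is investigated and removed; and service accounts with interactive shells are switched to a non-login shell.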