Guidelines on Securing Public Web Servers
For default accounts that need to be retained, change the names (where possible, particularly for administrator or root level accounts) and passwords to be consistent with the organizational password policy. Default account names and passwords are commonly known to malicious entities.
Disable noninteractive accounts. Disable accounts (and the associated passwords) that need to exist but do not require an interactive login. For Unix systems, disable the login shell, or provide a login shell with NULL functionality (/bin/false).
Create the user groups. Assign users to the appropriate groups. Then assign rights to the groups. This approach is preferable to assigning rights to individual users.
Create the user accounts. Identify who will be authorized to use each computer and its services. Create only the necessary accounts. Discourage or prohibit the use of shared accounts.
Check the organization's password policy. Set account passwords appropriately. This policy should address the following:
Length: a minimum length for passwords.
Complexity: the mix of characters required. Require passwords to contain both uppercase and lowercase letters and at least one nonalphabetic character.
Aging: how long a password may remain unchanged. Require users to change their passwords periodically. Administrator or root level passwords should be changed every 30 to 120 days. User passwords should also be changed periodically, with the period determined by the enforced length and complexity of the password combined with the sensitivity of the information protected.
Reuse: whether a password may be reused. Some users try to defeat a password aging requirement by changing the password to one they have used before. If possible, ensure that the user cannot change the password by simply appending or prepending characters to their original password (e.g., the original password was mysecret and is changed to 1mysecret or mysecret1).
Authority: who is allowed to change or reset passwords and what sort of proof is required before initiating any changes.
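The following is an added example, not code from the guideline or from any particular operating system, showing how a server-side password change handler could enforce the length, complexity and reuse rules listed above. The minimum length (12) and the size of the password history window (5) are assumed values, since the text only says "a minimum length"; the variant check compares case-insensitively, which goes slightly beyond the text's wording. Aging and authority are administrative controls and are not modelled here.

```python
"""Added example: checking a candidate password against a policy of the kind the
guideline describes (length, complexity, reuse). Not code from NIST or from any
web server; the numeric limits are assumptions."""
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    min_length: int = 12      # assumed value; the guideline only says "a minimum length"
    history_size: int = 5     # assumed: how many previous passwords are checked for reuse


def complexity_ok(password: str) -> bool:
    """Both uppercase and lowercase letters plus at least one nonalphabetic character."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_nonalpha = any(not c.isalpha() for c in password)
    return has_upper and has_lower and has_nonalpha


def is_trivial_variant(candidate: str, old: str) -> bool:
    """True when the candidate is the old password with characters prepended or
    appended (mysecret -> 1mysecret or mysecret1). The comparison is
    case-insensitive, which goes slightly beyond the guideline's wording."""
    c, o = candidate.lower(), old.lower()
    if c == o or not o:
        return False
    return c.startswith(o) or c.endswith(o)


def check_new_password(candidate: str, previous: List[str],
                       policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is
    acceptable. `previous` is the account's password history, oldest first."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("length")
    if not complexity_ok(candidate):
        violations.append("complexity")
    # only the most recent `history_size` passwords are compared
    recent = previous[-policy.history_size:] if policy.history_size else []
    if candidate in recent:
        violations.append("reused")
    elif any(is_trivial_variant(candidate, old) for old in recent):
        violations.append("variant")
    return violations


if __name__ == "__main__":
    # constructed sample inputs
    history = ["MySecretPass1"]
    for cand in ["MySecretPass12", "1MySecretPASS1", "MySecretPass1", "short", "Tr0ub4dor&3xyz"]:
        print(f"{cand!r}: {check_new_password(cand, history) or 'ok'}")
```

In a real deployment the history would hold password hashes rather than plaintext, so the "reused" check would compare hashes while the prefix/suffix variant check can only be done at change time, when the user supplies the old password alongside the new one.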
Configure computers to deny login after a small number of failed attempts. It is relatively easy for an unauthorized user to try to gain access to a computer by using automated software tools that attempt all passwords. If the operating system provides the capability, configure it to deny login after three failed attempts. Typically, the account is locked out for a period of time (such as 30 minutes) or until a user with appropriate authority reactivates it.
This is another situation that requires the Web administrator to make a decision that balances security and convenience. Implementing this recommendation can help prevent some kinds of attacks, but it can also allow a malicious intruder to make failed login attempts to prevent user access, a DoS condition.
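As an added illustration of the lockout behaviour described above (example code, not from the guideline or any operating system), the class below counts failed logins per account, locks the account after three failures for 30 minutes, the figures the text gives, and lets a user with appropriate authority reset it early. The clock is injectable so the expiry can be exercised without waiting. The demo at the bottom also shows the trade-off the text mentions: once an account is locked, the correct password is refused as well, so failed attempts by someone else deny the legitimate user access until the lockout expires or is reset.

```python
"""Added example: account lockout after a small number of failed logins, of the
kind the guideline recommends. Illustrative code, not from NIST or any OS."""
import time
from collections import defaultdict
from typing import Callable, Dict


class LoginLockout:
    def __init__(self, max_failures: int = 3, lockout_seconds: int = 30 * 60,
                 clock: Callable[[], float] = time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                              # injectable for testing
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:                      # lockout period has elapsed
            self.unlock(account)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Count a failed login; return True if the account is (now) locked."""
        if self.is_locked(account):
            return True
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears the failure counter."""
        self._failures.pop(account, None)

    def unlock(self, account: str) -> None:
        """Reset by a user with appropriate authority (also used on expiry)."""
        self._locked_until.pop(account, None)
        self._failures.pop(account, None)

    def attempt(self, account: str, password: str,
                verify: Callable[[str, str], bool]) -> str:
        """Gate one authentication attempt; returns 'locked', 'ok' or 'failed'.
        A locked account is refused before the password is checked at all."""
        if self.is_locked(account):
            return "locked"
        if verify(account, password):
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "failed"


if __name__ == "__main__":
    # constructed demo: a fake clock and a toy credential store
    now = [0.0]
    lockout = LoginLockout(clock=lambda: now[0])
    creds = {"alice": "correct horse"}

    def verify(user: str, pw: str) -> bool:
        return creds.get(user) == pw

    for pw in ["a", "b", "c"]:
        print(lockout.attempt("alice", pw, verify))            # failed x3
    # The real password is now refused too: the DoS trade-off the text mentions.
    print(lockout.attempt("alice", "correct horse", verify))   # locked
    now[0] = 30 * 60
    print(lockout.attempt("alice", "correct horse", verify))   # ok
```

The lockout state lives in memory here; a multi-process web server would keep it in shared storage, and every "locked" result is worth logging, since a burst of lockouts across many accounts is itself a useful detection signal.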