Guidelines on Securing Public Web Servers
Completed   Action

[ ]  Ability to deny access to information on the server other than that intended to be available
[ ]  Ability to disable unnecessary network services that may be built into the operating system or server software
[ ]  Ability to control access to various forms of executable programs, such as Common Gateway Interface (CGI) scripts and server plug-ins in the case of Web servers
[ ]  Availability of experienced staff to install, configure, secure, and maintain the operating system

Patch and upgrade operating system
[ ]  Identify and install all necessary patches and upgrades to the operating system
[ ]  Identify and install all necessary patches and upgrades to applications and services included with the operating system

Remove or disable unnecessary services and applications
[ ]  Disable or remove unnecessary services and applications

Configure the operating system user authentication
[ ]  Remove or disable unneeded default accounts and groups
[ ]  Disable noninteractive accounts
[ ]  Create the user groups for the particular computer
[ ]  Create the user accounts for the particular computer
[ ]  Check the organization's password policy, and set account passwords appropriately (e.g., length, complexity)
[ ]  Configure computers to deny login after a small number of failed attempts
[ ]  Install and configure other security mechanisms to strengthen authentication

Test the security of the operating system
[ ]  Test the operating system after the initial install to determine vulnerabilities
[ ]  Test the operating system frequently to determine new vulnerabilities
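As an added example (not part of NIST SP 800-44 or its checklist), the following POSIX shell script audits a Linux host against three of the authentication items above: noninteractive accounts that still have a login shell, the minimum password length, and lockout after failed logins. The file paths /etc/passwd, /etc/login.defs and /etc/security/faillock.conf and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not part of NIST SP 800-44: audit helpers for three items of
# the checklist above on a Linux host. Each helper takes a file path so it can
# run offline against the constructed samples below; on a real host pass
# /etc/passwd, /etc/login.defs and /etc/security/faillock.conf (assumed paths).

# "Disable noninteractive accounts": list system accounts (UID < 1000, not
# root) that still have a usable login shell instead of nologin/false.
system_accounts_with_shell() {
  awk -F: '$3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# "Set account passwords appropriately (length)": return 0 when PASS_MIN_LEN
# in a login.defs-style file is at least the required minimum, else 1.
min_password_length_ok() {
  n=$(awk '$1 == "PASS_MIN_LEN" { print $2 }' "$1" | head -n 1)
  [ -n "$n" ] && [ "$n" -ge "$2" ]
}

# "Deny login after a small number of failed attempts": return 0 when a
# faillock-style "deny = N" line exists with N no larger than the allowed max.
lockout_configured() {
  n=$(sed -n 's/^[[:space:]]*deny[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
  [ -n "$n" ] && [ "$n" -le "$2" ]
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_PASSWD=$(mktemp); SAMPLE_LOGIN_DEFS=$(mktemp); SAMPLE_FAILLOCK=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/false
postgres:x:110:115::/var/lib/postgresql:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
printf 'PASS_MAX_DAYS 90\nPASS_MIN_LEN 8\n' > "$SAMPLE_LOGIN_DEFS"
printf '# faillock.conf\ndeny = 5\nunlock_time = 900\n' > "$SAMPLE_FAILLOCK"

# Report against the sample data: www-data and postgres are flagged, the
# 8-character minimum fails a 12-character policy, and deny=5 satisfies a max of 5.
echo "System accounts that still have a login shell (should be none):"
system_accounts_with_shell "$SAMPLE_PASSWD"
min_password_length_ok "$SAMPLE_LOGIN_DEFS" 12 && echo "password length: ok" || echo "password length: below policy minimum"
lockout_configured "$SAMPLE_FAILLOCK" 5 && echo "lockout: ok" || echo "lockout: missing or too lenient"
```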