Guidelines on Securing Public Web Servers
5. Securely Installing and Configuring the Web Server 
Once the operating system has been installed and secured, it will be necessary to install the 
chosen Web server software.  Before starting this process, read the vendor documentation 
carefully and understand the various options available during the install process.  Also be sure 
to visit the vendor's Web site or a vulnerability database Web site, such as the ICAT metabase 
(http://icat.nist.gov), to determine if there are known vulnerabilities and related patches 
available that should be installed or configured as part of the setup process.  Only after these 
preliminary steps are accomplished should the install be started.  Note that this section 
discusses only generic installation and configuration procedures; for specifics on Apache and 
IIS, see Appendixes A and B, respectively.   
5.1 Securely Installing the Web Server  
In many respects, the secure install and configuration of the Web server application will mirror 
the operating system process discussed in Section 3.  The overarching principle, as before, 
is to install the minimal amount of Web server services required and eliminate any known 
vulnerabilities through patches or upgrades.  If the installation program installs any 
unnecessary applications, services, or scripts, they should be removed immediately once the 
installation process completes.  During the installation of the Web server, the following steps 
should be performed: 
1.  Install the server software on a dedicated host 
2.  Install the minimal Internet services required 
3.  Apply any patches or upgrades to correct for known vulnerabilities 
4.  Create a dedicated physical disk or logical partition (separate from operating system 
and server application) for Web content 
5.  Remove or disable all services installed by the Web server application but not 
required (e.g., gopher, FTP, and remote administration) 
6.  From the Web server application root directory, remove all files that are not part of the 
Web site  
7.  Remove all sample documents, scripts, and executable code 
8.  Remove all vendor documentation from server 
9.  Apply appropriate security template or hardening script to server (see Appendix E) 
10.  Reconfigure the HTTP service banner (and others as required) NOT to report the Web server 
and operating system type and version.  (This can be accomplished in IIS using 
Microsoft's free IIS Lockdown Tool and in Apache via the ServerTokens directive.)   
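Several of the steps above can be verified after the fact. The POSIX shell script below is an added example and is not part of this NIST guideline; it assumes an Apache-style httpd.conf and an install tree laid out like a default Apache distribution. It checks step 10 (ServerTokens set to Prod and ServerSignature Off) and steps 6 through 8 (sample CGI scripts, the bundled manual, and vendor README files still present under the server root). The list of sample paths is an assumption covering common Apache defaults, and the "before" and "after" directories it audits are constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added post-install audit example (not from NIST SP 800-44). Assumes an
# Apache-style httpd.conf and a default-style install tree.

# Step 10 check: returns 0 when ServerTokens is Prod and ServerSignature
# is Off, 1 otherwise. $1 is the path to httpd.conf. The last occurrence
# of each directive wins, as it does in Apache.
check_banner() {
    conf="$1"
    tokens=$(grep -i '^[[:space:]]*ServerTokens[[:space:]]' "$conf" | tail -n 1 | awk '{print $2}')
    sig=$(grep -i '^[[:space:]]*ServerSignature[[:space:]]' "$conf" | tail -n 1 | awk '{print $2}')
    rc=0
    case "$tokens" in
        [Pp]rod|[Pp]roductOnly) ;;
        *) echo "FAIL: ServerTokens is '${tokens:-unset}', expected Prod"; rc=1 ;;
    esac
    case "$sig" in
        [Oo]ff) ;;
        *) echo "FAIL: ServerSignature is '${sig:-unset}', expected Off"; rc=1 ;;
    esac
    return $rc
}

# Steps 6-8 check: returns 0 when none of the sample/vendor paths exist
# under the server root given as $1, 1 otherwise. The path list is an
# assumption based on what a default Apache install ships.
check_samples() {
    root="$1"
    rc=0
    for p in cgi-bin/printenv cgi-bin/test-cgi manual icons/README htdocs/index.html.en; do
        if [ -e "$root/$p" ]; then
            echo "FAIL: sample/vendor file still present: $p"
            rc=1
        fi
    done
    return $rc
}

# Runs both checks; returns 0 only when both pass.
audit() {
    rc=0
    check_banner "$1" || rc=1
    check_samples "$2" || rc=1
    return $rc
}

# Constructed fixture: "before" mimics a default install, "after" mimics
# the same tree once steps 6-8 and 10 have been applied. Prints the
# fixture directory so callers can clean it up.
build_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/before/cgi-bin" "$dir/before/manual" "$dir/after"
    printf 'ServerTokens Full\nServerSignature On\n' > "$dir/before/httpd.conf"
    : > "$dir/before/cgi-bin/printenv"
    : > "$dir/before/manual/index.html"
    printf 'ServerTokens Prod\nServerSignature Off\n' > "$dir/after/httpd.conf"
    echo "$dir"
}

fixture=$(build_fixture)
echo "== before hardening =="
audit "$fixture/before/httpd.conf" "$fixture/before" || echo "audit result: FAIL"
echo "== after hardening =="
audit "$fixture/after/httpd.conf" "$fixture/after" && echo "audit result: PASS"
rm -rf "$fixture"
```

To run it against a real installation, call `audit /path/to/httpd.conf /path/to/server-root` in place of the fixture; the script only reads the configuration and tests for file existence, so it is safe to run on a production host.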