Guidelines on Securing Public Web Servers
These actions protect, to some degree, against attacks that attempt to fill the file system on
the Web server host operating system with extraneous or malformed data so that the system
crashes. They also protect against attacks that attempt to fill primary random access memory
(RAM) with unnecessary processes in order to slow down or crash the system, thus limiting Web
service availability. Logging information generated by the Web server host operating system
may help in recognizing such attacks (see Section 9.1).
In addition, it is often necessary to configure timeouts and other controls to further reduce the
impact of certain DoS attacks. One type of DoS attack exploits the practical limit on
simultaneous network connections by quickly establishing connections up to the maximum
permitted, so that no new legitimate users can gain access. Setting the network connection
timeout (the time after which an inactive connection is dropped) to the minimum acceptable
value makes established connections expire as quickly as possible, freeing connection slots for
legitimate users. This measure only mitigates the effect; it does not defeat the attack, and a
timeout set too low will also drop slow but legitimate clients.
If the maximum number of open connections (or of half-open connections, that is, those for
which only the first part of the TCP handshake has completed) is set to a low number, an
attacker can easily consume the available connections with illegitimate requests; a flood of
half-open connections is called a SYN flood. Setting the maximum to a much higher number may
mitigate the effect of such an attack, but at the expense of consuming additional resources.
Note that this is only an issue for Web servers that are not protected by a firewall that stops
SYN flood attacks. Most current enterprise-level firewalls protect a Web server from a SYN flood
by intercepting the attack before it reaches the Web server, and most current operating systems
offer SYN cookies for the same purpose on the host itself.
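The timeout and connection-limit controls described in the two paragraphs above, written out for Apache httpd 2.4 as an added example (this configuration is not part of the NIST guideline). The directive names are real Apache directives; the numeric values, the assumption that mod_reqtimeout and the event MPM are loaded, and the "weak" settings shown for contrast are illustrative and must be tuned to the host's memory and expected traffic.

```apache
# Added example (not from the NIST guideline): Apache httpd 2.4 connection
# limits and timeouts for the DoS mitigations described above.  Directive
# names are real; the numeric values are assumptions to be tuned per site.

# --- Weak (permissive) settings: a slow or idle client holds a worker for
#     minutes, and a few hundred such clients exhaust the pool -------------
# Timeout 300
# KeepAliveTimeout 60
# MaxRequestWorkers 150
# (no RequestReadTimeout: a client may trickle request headers indefinitely)

# --- Hardened settings -----------------------------------------------------
# Drop an established connection that has sent or received no data this long.
Timeout 30

# Keep-alive is useful, but idle keep-alive connections tie up workers;
# reclaim them quickly.
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100

# mod_reqtimeout: give a client 20 s to send the request headers, extended
# by 1 s per 500 bytes received up to 40 s; same for the body.  Slow-request
# connections are closed instead of occupying a worker until Timeout.
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# Raise the simultaneous-connection ceiling so an attacker must open more
# connections to starve legitimate users; each worker costs memory, so size
# this against the host's RAM (event MPM values shown; 16 * 64 = 1024).
<IfModule mpm_event_module>
    ServerLimit          16
    ThreadsPerChild      64
    MaxRequestWorkers  1024
</IfModule>

# Length of the pending-connection queue passed to listen(2).  Relevant only
# when no upstream firewall absorbs SYN floods; the OS may cap it (for
# example net.core.somaxconn on Linux), and SYN cookies in the OS are the
# real defence against half-open connection exhaustion.
ListenBacklog 1024

# Bound request size so a single request cannot exhaust memory.
LimitRequestLine        8190
LimitRequestFieldSize   8190
LimitRequestFields      100
LimitRequestBody        10485760
```

Raising MaxRequestWorkers without checking free memory trades a connection-exhaustion outage for a swap-thrash outage, which is the resource cost the text warns about; measure the per-worker footprint of the actual server before settling on a ceiling.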
5.2.2 Configuring Secure Web Content Directory
Do not use links, aliases, or shortcuts in the public Web content file directory tree that point to
directories or files elsewhere on the server host or on the network file system. If possible,
disable the ability of the Web server software to follow links and aliases. As stated earlier, Web
server log files and configuration files should reside outside the file directory tree designated
for public Web content.
The following steps are required to restrict access to a specific Web content file directory tree:
- Dedicate a single hard drive or logical partition for Web content and establish related
  subdirectories exclusively for Web server content files, including graphics but
  excluding scripts and other programs.
- Define a single directory exclusively for all external scripts or programs executed as
  part of Web content (e.g., CGI, Active Server Pages [ASP], Hypertext Preprocessor
  [PHP]).
- Disable the execution of scripts that are not exclusively under the control of
  administrative accounts. This is accomplished by creating a separate directory intended
  to contain authorized scripts and controlling access to it (writable only by
  administrators, never by the account the Web server runs as).
- Disable the use of hard or symbolic links.
- Define a complete Web content access matrix. Identify which folders and files within
  the Web server document tree are restricted and which are accessible (and by whom).
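The steps above applied to Apache httpd 2.4, as an added example that is not part of the NIST guideline. The paths under /srv/www and /var/log/httpd are assumptions (with /srv/www taken to be its own partition, per the first step), and the example assumes mod_cgi or mod_cgid is loaded for the script directory. A site that runs PHP as an in-process module would instead confine its PHP files to the script directory and adjust the handler accordingly; the point demonstrated is the separation of static content, executable content, and logs.

```apache
# Added example (not from the NIST guideline): Apache httpd 2.4 layout for
# the content-directory rules above.  Paths are assumptions; /srv/www is
# assumed to be a dedicated partition.

# Default-deny the whole filesystem; every exposed tree is opened explicitly
# below.  This is the access matrix: anything not listed is unreachable.
<Directory "/">
    Options None
    AllowOverride None
    Require all denied
</Directory>

# Static content only (HTML, graphics).  Symbolic links are never followed,
# directory listings are off, and nothing here is executed: script files that
# land in the document tree are refused rather than run.
DocumentRoot "/srv/www/htdocs"
<Directory "/srv/www/htdocs">
    Options -FollowSymLinks -SymLinksIfOwnerMatch -Indexes -ExecCGI -Includes
    AllowOverride None
    Require all granted
    <FilesMatch "\.(cgi|pl|py|php|sh)$">
        Require all denied
    </FilesMatch>
</Directory>

# The single directory for executable content.  ScriptAlias maps the URL
# prefix and marks everything beneath it as CGI.  It sits outside
# DocumentRoot, so scripts cannot be fetched as plain files, and on the OS
# side it is owned by the administrative account (e.g. root:root, mode 0755,
# scripts 0755) so the Web server's own account cannot modify or add scripts.
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin">
    Options None
    AllowOverride None
    Require all granted
</Directory>

# Logs and configuration live outside the content tree; nothing maps them to
# a URL, so the default deny above keeps them unreachable.
ErrorLog  "/var/log/httpd/error_log"
CustomLog "/var/log/httpd/access_log" combined
```

Turning off FollowSymLinks makes Apache lstat() every path component on each request, which is a small cost; the alternative, SymLinksIfOwnerMatch, still follows links whose target has the same owner and so does not meet the "disable links" step. Check the result by creating a symlink inside /srv/www/htdocs to /etc/passwd and confirming the server returns 403 rather than the file.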