Web Server Security

Some tips and guidelines from various sources re hardening a web server install.

Security Vulnerabilities

The recently published SANS resources list includes the following general critical internet security vulnerabilities. The SANS site includes details for addressing these vulnerabilites..

Default installs of operating systems and applications
Accounts with No Passwords or Weak Passwords
Non-existent or Incomplete Backups
Large number of open ports
Not filtering packets for correct incoming and outgoing addresses
Non-existent or incomplete logging
Vulnerable CGI Programs

Windows (IIS) specific..

Unicode Vulnerability (Web Server Folder Traversal)
ISAPI Extension Buffer Overflows
IIS RDS exploit (Microsoft Remote Data Services)
NETBIOS - unprotected Windows networking shares
Information leakage via null session connections
Weak hashing in SAM (LM hash)

Unix specific vulnerabilities...

Buffer Overflows in RPC Services
Sendmail Vulnerabilities
Bind Weaknesses
R Commands
LPD (remote print protocol daemon)
sadmind and mountd
Default SNMP Strings

Other Reccomendations

Dont allow web service to run as root. Startup using anonymous account which has limited privilege
Remove 'test-cgi' from /cgi-bin folder/s or at least remove execute privilege for anonymous user.

References/Resources:

Security Focus (Bugtraq)
Internet Security Systems - X-Force
The Twenty Most Critical Internet Security Vulnerabilities
Slashdot Article on the Above
Security in (NZ) Government Departments
RainForestPuppy
Microsoft Attempts to Secure IIS (SlashDot)

See Also: Front Page

See Also: Home Links Personal Site Blogroll FriendFeed CV
Wiki Menu: FrontPage Edit References Delete Changes Formatting Index Tags:	Web Server Security Some tips and guidelines from various sources re hardening a web server install. Security Vulnerabilities The recently published SANS resources list includes the following general critical internet security vulnerabilities. The SANS site includes details for addressing these vulnerabilites.. Default installs of operating systems and applications Accounts with No Passwords or Weak Passwords Non-existent or Incomplete Backups Large number of open ports Not filtering packets for correct incoming and outgoing addresses Non-existent or incomplete logging Vulnerable CGI Programs Windows (IIS) specific.. Unicode Vulnerability (Web Server Folder Traversal) ISAPI Extension Buffer Overflows IIS RDS exploit (Microsoft Remote Data Services) NETBIOS - unprotected Windows networking shares Information leakage via null session connections Weak hashing in SAM (LM hash) Unix specific vulnerabilities... Buffer Overflows in RPC Services Sendmail Vulnerabilities Bind Weaknesses R Commands LPD (remote print protocol daemon) sadmind and mountd Default SNMP Strings Other Reccomendations Dont allow web service to run as root. Startup using anonymous account which has limited privilege Remove 'test-cgi' from /cgi-bin folder/s or at least remove execute privilege for anonymous user. References/Resources: Security Focus (Bugtraq) Internet Security Systems - X-Force The Twenty Most Critical Internet Security Vulnerabilities Slashdot Article on the Above Security in (NZ) Government Departments RainForestPuppy Microsoft Attempts to Secure IIS (SlashDot) See Also: Front Page
Top Of Page Home Wiki Home Contact Author

http://webdev.co.nz/wiki/