The Security of Web Server Software Programs - Webmasters - Site Security

The Security of Web Server Software Programs   by S Avery MSc BA(Hons)

in Webmasters / Site Security    (submitted 2010-10-17)

As with Web server operating systems, discussed in another article, "The more complex the Web server software is, the greater is the chance that something will go wrong." Generally speaking, the more functionality and features that are provided by a Web server, the greater is the likelihood that there are security holes in the software.

Basic Web server software that merely provides access to static files is more secure than sophisticated Web server software that provides functions such as the execution of CGI scripts, the processing of server-side includes, the handling of scripted errors, and the dynamic listing of directories.

Web server software also differs in the degree of control accorded to browser users. Certain Web servers allow users access to only certain documents or directories or sub-directories, while some Web servers allow full access to everything. Some can be configured to allow access to certain directories according to the IP address of the client machine, or to individuals who know the right password. There are a few Web servers that offer data encryption, a necessity for e-commerce web sites. These are mainly commercial Web servers.

Here is some advice on how to make a Web server more secure:

- By their nature, Web servers have security holes. One of the most common causes of a breach of security is the CGI script. If you cannot get a CGI programming expert to check the scripts' code, at least test the scripts to ensure that they verify the data entered by a browser user before granting access to confidential documents or any services provided by the Web server's operating system.

- Configure the Web server carefully.

- Executable files should be allowed to run only in certain directories that you specify.

- Source code should not be stored anywhere where it can be downloaded.

- Automatic directory indexing should be switched off. If you use an external Web hosting company and you cannot switch it off, ensure that all accessible sub-directories contain a default file such as 'index.html' that redirects the browser to the home page.

- If you do not need them, disable Content Management Systems and other features that allow browser users to edit and manage files on remote Web servers, such as WebDAV, SMB, SharePoint, etc.

- Identify potential weak points by utilizing the security tools that come with the Web server software and the Operating System, such as the Microsoft Internet Information Services (IIS) Lockdown Tool and the URLScan security tool.

- Private and public information should be kept physically well apart. Confidential or sensitive data should not reside on the same machines as publicly accessible Web servers. Intranets should always be protected by a firewall, but extranets can be tricky, if you want to allow certain outsiders to have access to some private data. An extranet Web server should be located outside the firewall. (This is known as a "sacrificial lamb" configuration.) A variation is to set up paired "inner" and "outer" Web servers. Another possibility is to use a proxy, which intercepts requests and forwards them to the Web server, and then does the same in the reverse direction. Ideally, any publicly accessible Web server should be located on a machine other than that on which the firewall resides.

- A Web server logs all requests. Log files should be checked regularly for any unusual entries, and anything suspicious should be investigated.

- Users' and user groups' access should be restricted to only what they need. Set access levels and permissions accordingly by means of the operating system's security software. For Unix systems, the Computer Oracle and Password System (COPS) checks for many common misconfigurations. (Network Administrators often create a user group called "www" for trusted users, such as Web authors, and only members of this group have 'write' permission for the document root directory and its sub-directories. For maximum security of the server root directory, which contains the system configuration files, the Network Administrator sometimes gives the Web Master a special "www" user status, the only one with 'write' permission for it.)

- Keep an eye on what users are doing on the network. Security holes can be created innocently by uninformed users if they install one of the many free Web servers that are readily available.