Web Server Configuration
In addition to checking the use of file, directory, and database security on the Web server, it is important to check many other aspects of the Web server's configuration. Web server installation and configuration has been determined by Sans to be the single biggest cause of security breaches.
A number of installation/configuration issues and security "holes" have been found (and will continue to be found) in many of the leading Web servers, so it is very important to check that the Web server administrator is keeping up-to-date with patches that fix such security holes, using Web sites and newsgroups.
For Microsoft Web server administrators, the following pages are useful:
It is also worth subscribing to the Microsoft Security Notification Service and considering the book Securing Windows NT/2000 Servers (O'Reilly & Associates, 2000).
Unix Web server administrators might want to consider the book Practical Unix & Internet Security (O'Reilly & Associates, 2000), by Stefan Norberg and Russel Deborah.
Some of the issues these sites raise deal with the way that the Web server is initially setup/configured. For example, it is important that the Web server is not run as the superuser (or root) because that can provide unexpected privileges to those using the Web site.
It is important to ensure that the number of services available on the Web server is minimized. Services that can be disabled in many situations include mail (SMTP), FTP, Telnet, netstat/systat, DNS, and so on. Even CGI and ASP support can and should be turned off (either at the directory level for directories that do not require executable code or for the whole Web site).
It is also prudent to check that any ports that will not be used are closed on the Web server. One of the most common methods of hacking is to identify which ports are enabled within a Web server using a utility freely available on the Web and then to use the appropriate one to gain access to the Web server.
Old and unsafe executable scripts (cgi/asp and others) should be removed, and cgi script interpreters should be removed from bin directories.
Most Web servers make it possible to restrict access to particular directories to specific computers located on the Internet (specified by either IP address or DNS hostname). If the use of this feature is appropriate, the auditor should ensure that it is used.
The general guideline for server configuration and installation is to provide the minimum access and services to users possible, and to turn off or delete any service or file that is not used.
Provide the minimum level of directory/file level security possible, turn on/off scripting as appropriate, ensure that EXE files and other key files are not accessible to anyone browsing the Web unless they have to be. Rename key files wherever possible. Rename key user accountsfor example, sa on the database should be renamed so that it is not easily guessed and should be given a password known to very few people.
For more ideas on how to reduce the number of services and the level of access as much as possible, see Microsoft's guide to its base configuration. Microsoft also provides a tool to help you to lock down your IIS Server effectively: http://www.microsoft.com/technet/security/tools/locktool.asp.