Web Server Security Overview                                                       

 

Many government entities have embraced the Web as a tool to disseminate information to their constituents. The growing expectation is that interactive government service delivery and the procurement of supplies and services will migrate to the online environment as well. As this expectation is realized, the visibility of Websites will continue to increase and governments will be more reliant on them for conducting day-to-day operations.

 

The constituents, vendors, and government employees who interact with the government in this new online environment will expect accessible and reliable information, live interaction with government service providers, stable connections, e-commerce abilities and secure transmission and storage of information submitted online. Security exposures are introduced by each of these expectations. Web documents and images can be altered or deleted, Web servers can be used as a base for internal network attacks, and online privacy can be compromised.

 

At this point, courts are using the Web to provide general information about the courts.  Many courts currently have static Web pages in which the information is coded in HTML files that are linked together via hypertext links.  Courts are beginning to connect their Websites to databases in order to provide more information via active content.  It is anticipated that courts may soon be accepting monetary payments on-line. In an online world, where the risks are high, it is essential to adhere to sound practices that mitigate such risk.  The level of controls required should be consistent with the risk.  Websites that use active content and process financial transactions will require more controls than a Website with static information only.

 

Web Server Security Standards

 

Minimum Security Option    

 

Description: Implement a Web server with the default security in place.  Back up the Web server nightly.

Benefits: No cost.

Disadvantages: Does not protect data in storage.

 

 

1.      Only the system administrators shall have administrative accounts on the Web servers.  Developers and Web masters shall only have access to the directories required to do their job.

2.      Remove all unneeded services from the Web server.  If FTP is required, ensure that anonymous FTP access is not allowed.

3.      Disallow all remote administration unless it requires strong authentication and access is encrypted. 

4.      Log all user activity and maintain logs either on the Web server or on an internal server.  Regularly review the logs for security related events.

5.      Remove the default document trees, files, scripts, and programs from the Web server.

6.      Identify and install security related patches in a timely manner.

7.      The Web server will be purchased from a reputable company. The Web server plays a significant role as the presentation layer start and end point of an e-business customer transaction. If an Internet application is confined to Web publishing, a basic Web server such as Apache, MS IIS, or iPlanet Web Server, FastTrack Edition will do fine. Both Apache and iPlanet, FastTrack Edition, are available as a free download. MS IIS is a built-in component of Windows 2000. In contrast, if the application requires a Web-based, distributed application and transaction environment, then look into one of the commercial Web application servers that will provide not only the Web server, but also a development platform for building, deploying, and managing e-business applications.[1]

8.      Perform complete server backups weekly and incremental backups nightly.  The backup tapes should be stored in a secure, environmentally controlled location.

9.      If connectivity to internal systems is required, then the firewall should be configured to allow only the specific port required to pass from the Web server IP address to the internal database IP address.  A Web server account should be set up on the internal machine with access limited to the functions needed by the Web server.  The Web server account on the internal database server should never have administrative access capabilities.  Another option is for an extract of the required information to be periodically “pushed” from the internal database to a database server in the DMZ.  The nature of the application will determine the best approach to accessing the data.

Optimum Security Option

Description: Implement a Web server in a DMZ and take steps to “harden” the Web server application and operating system.  Back up the Web server nightly.

Benefits: Much better security provided by DMZ and hardened server.

Disadvantages: More costly than minimum-security option.  More maintenance than the minimum-security option.

 

 

In addition to the Minimum Security Option, the courts shall:

1.      Use a firewall to create a Demilitarized Zone (DMZ) to limit the type of traffic allowed to the Web server.  Firewall rules are used to define what traffic to permit to the Web server.  Web servers typically use the HTTP (port 80) and HTTPS (HTTP over SSL, port 443) services.  The DMZ will be configured as described in Diagram 1 (below).

2.      Vendors typically provide security checklists that show procedures performed to “harden” the Web server application and operating system.  These procedures include steps like changing directory rights, logging configuration, removing script mappings, and others.  System administrators shall obtain these checklists and configure their Web servers accordingly.
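
The firewall requirements in item 9 of the Minimum Security Option and item 1 of the Optimum Security Option can be checked mechanically. The following is an added example, not part of the original standard: it audits a rule list for allow rules broader than those two items permit. The addresses, the database port, the tuple rule format and the function name audit are assumptions made for illustration.

```python
from ipaddress import ip_network

# Constructed sample values (assumptions, not taken from the standard):
WEB = ip_network("192.0.2.10/32")     # Web server in the DMZ
DB = ip_network("10.0.5.20/32")       # internal database server
DB_PORT = 5432                        # the one port the application needs
INTERNAL = ip_network("10.0.0.0/8")   # internal address space
WEB_PORTS = {80, 443}                 # the two services the standard lists

def audit(rules):
    """Return {rule_index: [reasons]} for allow rules broader than the policy.

    A rule is (action, source_cidr, dest_cidr, first_port, last_port).
    """
    findings = {}
    for i, (action, src, dst, lo, hi) in enumerate(rules):
        if action != "allow":
            continue
        src, dst, why = ip_network(src), ip_network(dst), []
        if dst.overlaps(INTERNAL):
            # Into the internal network: Web server -> database, one port only.
            if src != WEB:
                why.append("source is not only the Web server")
            if dst != DB:
                why.append("destination is not only the database server")
            if (lo, hi) != (DB_PORT, DB_PORT):
                why.append("more than the one database port")
        if dst.overlaps(WEB) and not set(range(lo, hi + 1)) <= WEB_PORTS:
            why.append("port other than 80/443 open to the Web server")
        if why:
            findings[i] = why
    last = rules[-1] if rules else None
    if last != ("deny", "0.0.0.0/0", "0.0.0.0/0", 1, 65535):
        findings[len(rules)] = ["rule list does not end in deny-all"]
    return findings

# Constructed rule list for illustration.
SAMPLE_RULES = [
    ("allow", "0.0.0.0/0", "192.0.2.10/32", 80, 80),
    ("allow", "0.0.0.0/0", "192.0.2.10/32", 443, 443),
    ("allow", "0.0.0.0/0", "192.0.2.10/32", 21, 21),       # FTP left open
    ("allow", "192.0.2.10/32", "10.0.5.20/32", 5432, 5432),
    ("allow", "192.0.2.0/24", "10.0.0.0/8", 1, 65535),     # whole DMZ to LAN
    ("deny", "0.0.0.0/0", "0.0.0.0/0", 1, 65535),
]

if __name__ == "__main__":
    for index, reasons in audit(SAMPLE_RULES).items():
        print(index, reasons)
```

The audit ignores rule order and flags every over-broad allow rule, so a permissive rule is reported even when an earlier rule would shadow it.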

Maximum Security Option

Description: Implement a Web server in a DMZ and take steps to harden the Web server application and operating system.  Implement an Intrusion Detection System monitor in the DMZ to monitor intrusion attempts.  In addition to nightly backups, maintain a backup server that is synchronized with the primary server.

Benefits: Maximum security provided by DMZ, hardened server, and IDS system.

Disadvantages: Higher costs associated with maintenance and administration of firewall and IDS.

In addition to the Optimum Security Option, the courts shall:

1.      Install an Intrusion Detection System sensor in the DMZ and in front of the firewall as shown in Diagram 2 (below). 

2.      Maintain Web page originals on a server on a court Intranet and make all changes and updates there; then “push” these updates to the public server through an SSL connection.  This protects against the public server remaining corrupted for a long period of time.

3.      Perform complete system backups nightly.  The backup tapes should be stored in a secure, environmentally controlled location.
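
One way to detect a corrupted public server, given the requirement above to maintain Web page originals on the Intranet, is to compare the public document tree with those originals. The following is an added example, not part of the original standard; it assumes both trees are readable as local directories, and the file names and the functions manifest, compare and demo are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(master, public):
    """Compare the public document tree against the Intranet master copy."""
    m, p = manifest(master), manifest(public)
    return {
        "altered": sorted(f for f in m.keys() & p.keys() if m[f] != p[f]),
        "missing": sorted(m.keys() - p.keys()),      # deleted from the public server
        "unexpected": sorted(p.keys() - m.keys()),   # never published from the master
    }

def demo():
    """Build constructed master and public trees, change the public one, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        master, public = Path(tmp, "master"), Path(tmp, "public")
        for root in (master, public):
            (root / "forms").mkdir(parents=True)
            (root / "index.html").write_text("<h1>Court hours</h1>")
            (root / "contact.html").write_text("<p>Clerk's office</p>")
            (root / "forms" / "fees.html").write_text("<p>Filing fee schedule</p>")
        (public / "index.html").write_text("<h1>Changed text</h1>")   # altered page
        (public / "contact.html").unlink()                            # deleted page
        (public / "forms" / "upload.cgi").write_text("#!/bin/sh\n")   # file not in master
        return compare(master, public)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Any non-empty list is a reason to re-push the originals and review the server logs for the change.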

 

 

 



[1] Gartner Group Web Servers Perspective