Web Server Hardening

Supraja Shankar
Symbiosis Institute Of Computer Studies And Research
Web server
● A web server is the server half of a client-server architecture.
● Its function is to service requests made over the HTTP protocol.
Main threats to a web server
• Profiling
• Denial of service
• Unauthorized access
• Arbitrary code execution
• Elevation of privileges
• Viruses, worms, and Trojan horses

Source: http://msdn.microsoft.com/en-us/library/ff648653.aspx
Apache
An overview

● Apache runs under a multitasking operating system.
● The binary is httpd on Unix and apache.exe on Windows.
● It usually runs in the background.
● The name originally came from "A PAtCHy server", in 1991.
● Open source, released under the Apache License.
Structure

[Diagram of the Apache structure]
Source: http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm

Core structure

[Diagram of the Apache core structure]
Source: http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
Securing Apache

● mod_auth
    ● Used for authorizing access to content.
    ● AuthUserFile file-path tells Apache which file holds the usernames and passwords.
    ● Passwords are set with the htpasswd command.
● mod_access
    ● Limits access.
    ● Can cover a whole set of IPs or be narrowed down to ports.
    ● Directives: Deny / Allow / Order
Hardening

Remove default Apache files:
~> sudo rm -rf /opt/apache2/htdocs/*
~> sudo rm -rf /opt/apache2/cgi-bin/*
~> sudo rm -rf /opt/apache2/icons

Hide the Apache version number:
ServerSignature Off
ServerTokens Prod

Run Apache in a chroot jail.
Hardening From Source
Modules to consider leaving out when building from source, if the site does not need them:
● userdir – Mapping of requests to user-specific directories, i.e. a username in the URL is translated to a directory on the server
● autoindex – Displays a directory listing when no index.html file is present
● status – Displays server stats
● env – Clearing/setting of ENV vars
● setenvif – Setting ENV vars based on request headers
● cgi – CGI scripts
● actions – Action triggering on requests
● negotiation – Content negotiation
● alias – Mapping of requests to different filesystem parts
● include – Server Side Includes
● filter – Smart filtering of requests
● version – Handling version information in config files using IfVersion
● as-is – as-is filetypes
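As an added example (not code from the original slides), the following Python script audits an httpd.conf for the points raised in the Securing Apache, Hardening and Hardening From Source slides: ServerTokens/ServerSignature, risky modules still loaded, every <Directory> carrying either mod_auth (AuthUserFile + Require) or mod_access (Order/Deny/Allow) controls, and the htpasswd file kept outside DocumentRoot. The two configs are constructed samples; the paths and the 10.0.0.0/8 admin network are assumptions.

```python
import re

# Modules the slides list for leaving out of a from-source build when unneeded.
RISKY_MODULES = {"userdir", "autoindex", "status", "env", "setenvif", "cgi", "actions",
                 "negotiation", "alias", "include", "filter", "version", "asis"}

# Constructed weak config (not a real deployment): version leaks, risky modules
# loaded, the htpasswd file inside DocumentRoot, and an unprotected cgi-bin.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
DocumentRoot "/opt/apache2/htdocs"
LoadModule userdir_module modules/mod_userdir.so
LoadModule status_module modules/mod_status.so
LoadModule ssl_module modules/mod_ssl.so
<Directory "/opt/apache2/htdocs/admin">
    AuthType Basic
    AuthName "Admin"
    AuthUserFile /opt/apache2/htdocs/admin/.htpasswd
    Require valid-user
</Directory>
<Directory "/opt/apache2/cgi-bin">
    Options +ExecCGI
</Directory>
"""

# The same site after the slides' hardening steps: the AuthUserFile (created
# with htpasswd) sits outside DocumentRoot and mod_access limits the source IPs.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
DocumentRoot "/opt/apache2/htdocs"
LoadModule ssl_module modules/mod_ssl.so
<Directory "/opt/apache2/htdocs/admin">
    AuthType Basic
    AuthName "Admin"
    AuthUserFile /opt/apache2/conf/.htpasswd
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</Directory>
"""

_LOADMOD = re.compile(r"^LoadModule\s+(\w+)_module\b", re.I)
_DIR_OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>', re.I)
_DIR_CLOSE = re.compile(r"^</Directory>", re.I)
_DIRECTIVE = re.compile(r"^(\S+)\s*(.*?)\s*$")

def parse_conf(text):
    """Return (global directives, [(path, directives)], loaded module names).
    Names are lower-cased; values are lists so the last repeated directive wins.
    Only <Directory> containers are tracked; other containers read as flat lines."""
    global_, dirs, modules, current = {}, [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LOADMOD.match(line)
        if m:
            modules.add(m.group(1).lower())
            continue
        m = _DIR_OPEN.match(line)
        if m:
            current = (m.group(1), {})
            continue
        if _DIR_CLOSE.match(line):
            dirs.append(current)
            current = None
            continue
        m = _DIRECTIVE.match(line)
        target = current[1] if current else global_
        target.setdefault(m.group(1).lower(), []).append(m.group(2))
    return global_, dirs, modules

def _last(directives, name):
    return directives.get(name, [""])[-1]

def audit(text):
    """Return the list of findings; an empty list means every check passed."""
    g, dirs, modules = parse_conf(text)
    findings = []
    if _last(g, "servertokens").lower() != "prod":
        findings.append("ServerTokens is not Prod: version details leak in the Server header")
    if _last(g, "serversignature").lower() != "off":
        findings.append("ServerSignature is not Off: version leaks in error pages")
    for mod in sorted(modules & RISKY_MODULES):
        findings.append(f"mod_{mod} is loaded; build without it if the site does not need it")
    docroot = _last(g, "documentroot").strip('"').rstrip("/")
    for path, d in dirs:
        has_auth = "authuserfile" in d and "require" in d
        has_access = "order" in d and ("deny" in d or "allow" in d)
        if not (has_auth or has_access):
            findings.append(f"<Directory {path}> has neither mod_auth nor mod_access controls")
        pw = _last(d, "authuserfile").strip('"')
        if docroot and pw.startswith(docroot + "/"):
            findings.append(f"AuthUserFile {pw} is under DocumentRoot and may be served to clients")
    return findings
```

Running audit(WEAK_CONF) reports six findings (both version leaks, mod_status, mod_userdir, the unprotected cgi-bin and the htpasswd file under DocumentRoot); audit(HARDENED_CONF) returns an empty list.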
IIS
What is IIS?
♦ IIS (Internet Information Server) is a group of Internet servers (including a Web or Hypertext Transfer Protocol server and a File Transfer Protocol server) with additional capabilities for Microsoft's Windows NT and Windows 2000 Server operating systems.
♦ IIS is Microsoft's entry to compete in the Internet server market that is also addressed by Apache, Sun Microsystems, O'Reilly, and others.
♦ With IIS, Microsoft includes a set of programs for building and administering Web sites, a search engine, and support for writing Web-based applications that access databases.
♦ Microsoft points out that IIS is tightly integrated with the Windows NT and 2000 Servers in a number of ways, resulting in faster Web page serving.
TOPOLOGY

[Diagram of an IIS deployment topology]
Source: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24016818.html

FEATURES
◙ HTTP modules
◙ Security modules
◙ Content modules
◙ Compression modules
◙ Caching modules
◙ Logging and Diagnostics modules
Vulnerabilities
Microsoft has been criticized for IIS's susceptibility to computer virus attacks such as Code Red and Nimda.

According to Secunia, as of June 2011, IIS 7 had a total of 6 resolved vulnerabilities while IIS 6 had a total of 11 vulnerabilities, of which 1 was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.
Securing IIS
Hardening Domains

GENERAL

• Do not connect an IIS Server to the Internet until it is fully hardened.
• Place the server in a physically secure location.
• Do not install the IIS server on a domain controller.
• Do not install a printer.
• Use two network interfaces in the server: one for admin and one for the network.
• Install service packs, patches and hot fixes.
• Run IISLockdown on the server.
• Install and configure URLScan.
• Secure remote administration of the server and configure it for encryption, with
    - low session time-outs
    - account lockouts.
• Disable unnecessary Windows services.
• Ensure services are running with least-privileged accounts.
• Disable FTP, SMTP and NNTP services if they are not required.
• Disable the Telnet service.
• Disable the ASP.NET state service if not used by your applications.
• Disable WebDAV if not used by the application, or secure it if it is required.
• Do not install Data Access Components unless specifically needed.
• Do not install the HTML version of the Internet Services Manager.
• Do not install the MS Index Server unless required.
• Do not install the MS FrontPage Server extensions unless required.
• Harden the TCP/IP stack.
• Disable NetBIOS and SMB (closing ports 137, 138, 139 and 445).
• Reconfigure Recycle Bin and Page file system data policies.
• Secure CMOS settings.
• Secure physical media (floppy drive, CD-ROM drive and so on).
ACCOUNTS

• Remove unused accounts from the server.
• Disable the Windows Guest account.
• Rename the Administrator account and set a strong password.
• Disable the IUSR_MACHINE account if it is not used by the application.
• Create a custom least-privileged anonymous account if applications require anonymous access.
• Do not give the anonymous account write access to Web content directories or allow it to execute command-line tools.
• If you host multiple Web applications, configure a separate anonymous user account for each one.
• Configure the ASP.NET process account for least privilege. (This only applies if you are not using the default ASP.NET account, which is a least-privileged account.)
• Enforce strong account and password policies for the server.
• Restrict remote logons. (The "Access this computer from the network" user right is removed from the Everyone group.)
• Do not share accounts among administrators.
• Disable Null sessions (anonymous logons).
• Require approval for account delegation.
• Do not allow users and administrators to share accounts.
• Do not create more than two accounts in the Administrators group.
• Require administrators to log on locally or secure the remote administration solution.
FILES AND DIRECTORIES

• Use multiple disks or partition volumes and do not install the Web server home directory on the same volume as the operating system folders.
• Contain files and directories on NTFS volumes.
• Put Web site content on a non-system NTFS volume.
• Create a new site and disable the default site.
• Put log files on a non-system NTFS volume but not on the same volume where the Web site content resides.
• Restrict the Everyone group (no access to \WINNT\system32 or Web directories).
• Ensure the Web site root directory has a deny-write ACE for anonymous Internet accounts.
• Ensure content directories have a deny-write ACE for anonymous Internet accounts.
• Remove the remote IIS administration application (\WINNT\System32\Inetsrv\IISAdmin).
• Remove resource kit tools, utilities and SDKs.
• Remove sample applications (\WINNT\Help\IISHelp, \Inetpub\IISSamples).
• Remove the IP address in the header for Content-Location.
SHARES

• Remove all unnecessary shares (including default administration shares).
• Restrict access to required shares (the Everyone group does not have access).
• Remove Administrative shares (C$ and Admin$) if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).

PORTS

• Restrict Internet-facing interfaces to port 80 (and 443 if SSL is used).
• Encrypt Intranet traffic (for example, with SSL), or restrict Internet traffic if you do not have a secure data center infrastructure.

REGISTRY

• Restrict remote registry access.
• Secure SAM (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash). This applies only to standalone servers.
AUDITING AND LOGGING

• Audit failed logon attempts.
• Relocate and secure IIS log files.
• Configure log files with an appropriate file size depending on the application security requirement.
• Regularly archive and analyze log files.
• Audit access to the Metabase.bin file.
• Configure IIS for W3C Extended log file format auditing.
• Read "How to use SQL Server to analyze Web logs" at support.microsoft.com.
SITES AND VIRTUAL DIRECTORIES

• Put Web sites on a non-system partition.
• Disable the "Parent paths" setting.
• Remove potentially dangerous virtual directories including IISSamples, IISAdmin, IISHelp and Scripts.
• Remove or secure the MSADC virtual directory (RDS).
• Do not grant included directories Read Web permission.
• Restrict Write and Execute Web permissions for anonymous accounts in virtual directories.
• Ensure there is script source access only on folders that support content authoring.
• Ensure there is write access only on folders that support content authoring, and that these folders are configured for authentication (and SSL encryption, if required).
• Remove FrontPage Server Extensions (FPSE) if not used. If FPSE are used, update and restrict access to them.
• Remove the IIS Internet Printing virtual directory.

SCRIPT MAPPING

• Map extensions not used by the application to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer).
• Map unnecessary ASP.NET file type extensions to "HttpForbiddenHandler" in Machine.config.

ISAPI FILTERS

• Remove unnecessary or unused ISAPI filters from the server.

IIS METABASE

• Restrict access to the metabase by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin).
• Restrict IIS banner information (disable the IP address in Content-Location).

SERVER CERTIFICATES

• Ensure certificate date ranges are valid.
• Only use certificates for their intended purpose (for example, the server certificate is not used for e-mail).
• Ensure the certificate's public key is valid, all the way to a trusted root authority.
• Confirm that the certificate has not been revoked.

Machine.config

• Map protected resources to HttpForbiddenHandler.
• Remove unused HttpModules.
• Disable tracing:

<trace enabled="false" />

• Turn off debug compiles:

<compilation debug="false" explicit="true" defaultLanguage="vb">
</compilation>
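As an added example (not code from the original slides), this Python script checks an ASP.NET Machine.config or web.config fragment against the four Machine.config points above: protected resources mapped to HttpForbiddenHandler, unused HttpModules, tracing disabled and debug compiles off. The two fragments are constructed samples; the protected-extension list and the "Session"-only required-module set are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Extensions this example treats as protected resources: an assumption, modelled
# on the source/config file types ASP.NET itself maps to HttpForbiddenHandler.
PROTECTED_EXTENSIONS = ("*.config", "*.cs", "*.vb", "*.resx", "*.asax", "*.ascx")
FORBIDDEN_HANDLER = "System.Web.HttpForbiddenHandler"

# Constructed weak fragment (not a real machine.config): one mapping removed,
# one mapped to a file-serving handler, two missing, an unused module, and
# tracing plus debug compiles switched on.
WEAK_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.cs" type="System.Web.HttpForbiddenHandler" />
      <remove verb="*" path="*.cs" />
      <add verb="*" path="*.vb" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.resx" type="System.Web.StaticFileHandler" />
    </httpHandlers>
    <httpModules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
    </httpModules>
    <trace enabled="true" localOnly="false" />
    <compilation debug="true" explicit="true" defaultLanguage="vb" />
  </system.web>
</configuration>
"""

# The same fragment after applying the slide's Machine.config points.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.cs" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.vb" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.resx" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.asax" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.ascx" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
    <httpModules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" />
    </httpModules>
    <trace enabled="false" localOnly="true" />
    <compilation debug="false" explicit="true" defaultLanguage="vb" />
  </system.web>
</configuration>
"""

def _child(node, tag):
    """First direct child with this tag (avoids ElementPath parsing of 'system.web')."""
    return next((c for c in node if c.tag == tag), None)

def _handler_map(system_web):
    """Replay <httpHandlers> in document order, honouring <remove> and <clear>
    the way ASP.NET does, so a later <remove> really does un-forbid a path."""
    handlers = {}
    section = _child(system_web, "httpHandlers")
    for entry in (section if section is not None else []):
        path = entry.get("path", "").lower()
        if entry.tag == "add":
            handlers[path] = entry.get("type", "")
        elif entry.tag == "remove":
            handlers.pop(path, None)
        elif entry.tag == "clear":
            handlers.clear()
    return handlers

def audit_aspnet_config(xml_text, required_modules=frozenset()):
    """Return the list of findings; empty means the fragment passes all checks."""
    system_web = _child(ET.fromstring(xml_text), "system.web")
    if system_web is None:
        return ["no <system.web> section found"]
    findings = []
    handlers = _handler_map(system_web)
    for ext in PROTECTED_EXTENSIONS:
        handler = handlers.get(ext)
        if handler is None:
            findings.append(f"{ext} has no handler mapping; map it to {FORBIDDEN_HANDLER}")
        elif not handler.startswith(FORBIDDEN_HANDLER):
            findings.append(f"{ext} is served by {handler} instead of {FORBIDDEN_HANDLER}")
    modules = _child(system_web, "httpModules")
    for entry in (modules.findall("add") if modules is not None else []):
        name = entry.get("name", "")
        if name not in required_modules:
            findings.append(f"HttpModule '{name}' is loaded but not required; remove it")
    trace = _child(system_web, "trace")
    if trace is not None and trace.get("enabled", "false").lower() == "true":
        findings.append('tracing is on; set <trace enabled="false" />')
    compilation = _child(system_web, "compilation")
    if compilation is not None and compilation.get("debug", "false").lower() == "true":
        findings.append('debug compiles are on; set <compilation debug="false" ...>')
    return findings
```

audit_aspnet_config(WEAK_CONFIG, {"Session"}) returns seven findings, including the *.cs mapping that a later <remove> silently un-forbids; the hardened fragment returns none.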
References

localhost/manual
http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
http://www.cooperation-iws.org/wiki/index.php/Web_server_architecture
http://security.stackexchange.com/questions/77/apache-server-hardening
http://www.linuxquestions.org/questions/linux-software-2/how-apache-works-with-php-mysql-whatever-85685/
http://docstore.mik.ua/orelly/linux/apache/ch01_01.htm
http://www.devshed.com/c/a/Apache/Apache-and-the-Internet/1/
http://www.symantec.com/connect/articles/securing-apache-step-step
http://www.devdaily.com/unix/edu/UnixSysAdmin/node169.shtml
http://www.opensourcevarsity.com/phpbasics/l4bindingphptoapache
http://searchsecurity.techtarget.com/feature/Windows-IIS-server-hardening-checklist
http://en.wikipedia.org/wiki/Internet_Information_Services
http://searchwindowsserver.techtarget.com/definition/IIS
http://www.microsoft.com/web/platform/server.aspx
http://www.faqs.org/docs/apache-compile/php.html
http://dan.drydog.com/apache2php.html
“Security is not a product, but a process.”
                                         - Bruce Schneier

THANK YOU

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Dernier (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Web Server Hardening

1. Web Server Hardening
Supraja Shankar
Symbiosis Institute Of Computer Studies And Research
2. Web server
● It is a client–server architecture.
● The function of a web server is to service requests made through the HTTP protocol.
3. Main threats to a web server
• Profiling
• Denial of service
• Unauthorized access
• Arbitrary code execution
• Elevation of privileges
• Viruses, worms, and Trojan horses
Source: http://msdn.microsoft.com/en-us/library/ff648653.aspx
5. An overview
● Apache runs under a multitasking operating system.
● The server binary is httpd on Unix and apache.exe on Windows.
● It usually runs in the background.
● Originally named from "A PAtCHy" in 1991.
● Open source under the Apache License.
9. Securing Apache
● mod_auth
  ● For authorizing content.
  ● AuthUserFile file-path names the file where usernames and passwords are saved.
  ● Passwords can be set with the htpasswd command.
● mod_access
  ● Limits access.
  ● Can cover a whole set of IPs or be narrowed down to ports.
  ● Deny / Allow / Order
10. Hardening
Remove default Apache files:
~> sudo rm -fr /opt/apache2/htdocs/*
~> sudo rm -fr /opt/apache2/cgi-bin/*
~> sudo rm -fr /opt/apache2/icons

Hide the Apache version number (in httpd.conf):
ServerSignature Off
ServerTokens Prod

Chroot
11. Hardening From Source
Modules to review when building from source:
● userdir – Mapping of requests to user-specific directories, i.e. a username in the URL is translated to a directory on the server
● autoindex – Displays a directory listing when no index.html file is present
● status – Displays server stats
● env – Clearing/setting of ENV vars
● setenvif – Setting ENV vars based on request headers
● cgi – CGI scripts
● actions – Action triggering on requests
● negotiation – Content negotiation
● alias – Mapping of requests to different filesystem parts
● include – Server Side Includes
● filter – Smart filtering of requests
● version – Handling version information in config files using IfVersion
● as-is – as-is file types
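As an added defender-side example, not part of the slide deck, the script below audits an httpd.conf against the points on slides 10 and 11: it reports whether ServerTokens and ServerSignature hide the version, and which of the slide 11 modules are still loaded. ServerTokens, ServerSignature and LoadModule are real Apache directives; the two sample configurations, their file paths and the module list's reading of slide 11 are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not part of the slide deck: audit an httpd.conf against the
# hardening points above (version disclosure via ServerTokens/ServerSignature,
# and the modules slide 11 lists as candidates for removal).
# Directive names are real Apache directives; the sample configs are constructed.

# Constructed sample: a stock-looking config that still leaks version details
# and loads modules the slides suggest dropping.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
ServerRoot "/opt/apache2"
Listen 80
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule status_module modules/mod_status.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule cgi_module modules/mod_cgi.so
ServerTokens Full
ServerSignature On
DocumentRoot "/opt/apache2/htdocs"
EOF

# Constructed sample: the same config after applying slides 10 and 11.
HARDENED_CONF="$(mktemp)"
cat > "$HARDENED_CONF" <<'EOF'
ServerRoot "/opt/apache2"
Listen 80
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_host_module modules/mod_authz_host.so
ServerTokens Prod
ServerSignature Off
DocumentRoot "/opt/apache2/htdocs"
EOF
trap 'rm -f "$SAMPLE_CONF" "$HARDENED_CONF"' EXIT

# Value of a directive: the last uncommented occurrence wins, as in Apache.
# Commented lines start with "#", so their first field never equals the name.
conf_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Module names from slide 11 (as-is is spelled asis in LoadModule lines).
RISKY_MODULES="userdir autoindex status env setenvif cgi actions negotiation alias include filter version asis"

# Prints one PASS/FAIL line per check and returns the number of failures.
# Both directives must be set explicitly: ServerTokens defaults to Full,
# and an explicit ServerSignature Off documents the intent.
audit_apache_conf() {
    conf="$1"
    fails=0

    tokens="$(conf_value "$conf" ServerTokens)"
    if [ "$tokens" = "Prod" ]; then
        echo "PASS ServerTokens Prod"
    else
        echo "FAIL ServerTokens is '${tokens:-unset}' (want Prod)"
        fails=$((fails + 1))
    fi

    sig="$(conf_value "$conf" ServerSignature)"
    if [ "$sig" = "Off" ]; then
        echo "PASS ServerSignature Off"
    else
        echo "FAIL ServerSignature is '${sig:-unset}' (want Off)"
        fails=$((fails + 1))
    fi

    # Only active LoadModule lines count; commented-out ones are ignored.
    for m in $RISKY_MODULES; do
        if grep -Eiq "^[[:space:]]*LoadModule[[:space:]]+${m}_module[[:space:]]" "$conf"; then
            echo "FAIL mod_${m} is loaded; drop it unless the site needs it"
            fails=$((fails + 1))
        fi
    done

    echo "$fails finding(s) in $conf"
    return "$fails"
}

# Stand-alone run: the stock config fails, the hardened one is clean.
audit_apache_conf "$SAMPLE_CONF" || echo "sample config still needs work"
audit_apache_conf "$HARDENED_CONF" && echo "hardened config passes"
```

Point the functions at a real httpd.conf to reuse them; the module list is the slide's, so tailor it to what the site actually needs before treating a FAIL as a defect.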
12. IIS
13. What is IIS?
♦ IIS (Internet Information Server) is a group of Internet servers (including a Web or Hypertext Transfer Protocol server and a File Transfer Protocol server) with additional capabilities for Microsoft's Windows NT and Windows 2000 Server operating systems.
♦ IIS is Microsoft's entry to compete in the Internet server market that is also addressed by Apache, Sun Microsystems, O'Reilly, and others.
♦ With IIS, Microsoft includes a set of programs for building and administering Web sites, a search engine, and support for writing Web-based applications that access databases.
♦ Microsoft points out that IIS is tightly integrated with the Windows NT and 2000 Servers in a number of ways, resulting in faster Web page serving.
15. FEATURES
◙ HTTP modules
◙ Security modules
◙ Content modules
◙ Compression modules
◙ Caching modules
◙ Logging and Diagnostics modules
16. Vulnerabilities
Microsoft has been criticized for IIS's susceptibility to computer virus attacks such as Code Red and Nimda.
According to Secunia, as of June 2011, IIS 7 had a total of 6 resolved vulnerabilities while IIS 6 had a total of 11 vulnerabilities, of which 1 was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.
19. GENERAL
• Do not connect an IIS Server to the Internet until it is fully hardened.
• Place the server in a physically secure location.
• Do not install the IIS server on a domain controller.
• Do not install a printer.
• Use two network interfaces in the server: one for admin and one for the network.
• Install service packs, patches and hot fixes.
• Run IISLockdown on the server.
• Install and configure URLScan.
• Secure remote administration of the server and configure it for encryption, low session time-outs and account lockouts.
• Disable unnecessary Windows services.
• Ensure services are running with least-privileged accounts.
Continued….
20. GENERAL (contd..)
• Disable FTP, SMTP and NNTP services if they are not required.
• Disable Telnet service.
• Disable ASP.NET state service if not used by your applications.
• Disable WebDAV if not used by the application, or secure it if it is required.
• Do not install Data Access Components unless specifically needed.
• Do not install the HTML version of the Internet Services Manager.
• Do not install the MS Index Server unless required.
• Do not install the MS FrontPage Server extensions unless required.
• Harden TCP/IP stack.
• Disable NetBIOS and SMB (closing ports 137, 138, 139 and 445).
• Reconfigure Recycle Bin and Page file system data policies.
• Secure CMOS settings.
• Secure physical media (floppy drive, CD-ROM drive and so on).
21. ACCOUNTS
• Remove unused accounts from the server.
• Disable Windows Guest account.
• Rename Administrator account and set a strong password.
• Disable IUSR_MACHINE account if it is not used by the application.
• Create a custom least-privileged anonymous account if applications require anonymous access.
• Do not give the anonymous account write access to Web content directories or allow it to execute command-line tools.
• If you host multiple Web applications, configure a separate anonymous user account for each one.
Continued….
22. ACCOUNTS (contd..)
• Configure ASP.NET process account for least privilege. (This only applies if you are not using the default ASP.NET account, which is a least-privileged account.)
• Enforce strong account and password policies for the server.
• Restrict remote logons. (The "Access this computer from the network" user-right is removed from the Everyone group.)
• Do not share accounts among administrators.
• Disable Null sessions (anonymous logons).
• Require approval for account delegation.
• Do not allow users and administrators to share accounts.
• Do not create more than two accounts in the Administrators group.
• Require administrators to log on locally or secure the remote administration solution.
23. FILES AND DIRECTORIES
• Use multiple disks or partition volumes and do not install the Web server home directory on the same volume as the operating system folders.
• Contain files and directories on NTFS volumes.
• Put Web site content on a non-system NTFS volume.
• Create a new site and disable the default site.
• Put log files on a non-system NTFS volume but not on the same volume where the Web site content resides.
• Restrict the Everyone group (no access to \WINNT\system32 or Web directories).
• Ensure Web site root directory has deny write ACE for anonymous Internet accounts.
• Ensure content directories have deny write ACE for anonymous Internet accounts.
24. FILES AND DIRECTORIES (Contd..)
• Remove remote IIS administration application (\WINNT\System32\Inetsrv\IISAdmin).
• Remove resource kit tools, utilities and SDKs.
• Remove sample applications (\WINNT\Help\IISHelp, \Inetpub\IISSamples).
• Remove IP address in header for Content-Location.
SHARES
• Remove all unnecessary shares (including default administration shares).
• Restrict access to required shares (the Everyone group does not have access).
• Remove Administrative shares (C$ and Admin$) if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).
25. PORTS
• Restrict Internet-facing interfaces to port 80 (and 443 if SSL is used).
• Encrypt Intranet traffic (for example, with SSL), or restrict Internet traffic if you do not have a secure data center infrastructure.
REGISTRY
• Restrict remote registry access.
• Secure SAM (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash). This applies only to standalone servers.
26. AUDITING AND LOGGING
• Audit failed logon attempts.
• Relocate and secure IIS log files.
• Configure log files with an appropriate file size depending on the application security requirement.
• Regularly archive and analyze log files.
• Audit access to the Metabase.bin file.
• Configure IIS for W3C Extended log file format auditing.
• Read "How to use SQL Server to analyze Web logs" at support.microsoft.com
27. SITES AND VIRTUAL DIRECTORIES
• Put Web sites on a non-system partition.
• Disable "Parent paths" setting.
• Remove potentially dangerous virtual directories including IISSamples, IISAdmin, IISHelp and Scripts.
• Remove or secure MSADC virtual directory (RDS).
• Do not grant included directories Read Web permission.
• Restrict Write and Execute Web permissions for anonymous accounts in virtual directories.
• Ensure there is script source access only on folders that support content authoring.
• Ensure there is write access only on folders that support content authoring and these folders are configured for authentication (and SSL encryption, if required).
• Remove FrontPage Server Extensions (FPSE) if not used. If FPSE are used, update and restrict access to them.
• Remove the IIS Internet Printing virtual directory.
28. SCRIPT MAPPING
• Map extensions not used by the application to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer).
• Map unnecessary ASP.NET file type extensions to "HttpForbiddenHandler" in Machine.config.
ISAPI FILTERS
• Remove from the server unnecessary or unused ISAPI filters.
IIS METABASE
• Restrict access to the metabase by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin).
• Restrict IIS banner information (Disable IP address in content location).
29. SERVER CERTIFICATES
• Ensure certificate date ranges are valid.
• Only use certificates for their intended purpose (For example, the server certificate is not used for e-mail).
• Ensure the certificate's public key is valid, all the way to a trusted root authority.
• Confirm that the certificate has not been revoked.
Machine.config
• Map protected resources to HttpForbiddenHandler.
• Remove unused HttpModules.
• Disable tracing: <trace enable="false"/>
• Turn off debug compiles: <compilation debug="false" explicit="true" defaultLanguage="vb">
30. References
localhost/manual
http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
http://www.cooperation-iws.org/wiki/index.php/Web_server_architecture
http://security.stackexchange.com/questions/77/apache-server-hardening
http://www.linuxquestions.org/questions/linux-software-2/how-apache-works-with-php-mysql-whatever-85685/
http://docstore.mik.ua/orelly/linux/apache/ch01_01.htm
http://www.devshed.com/c/a/Apache/Apache-and-the-Internet/1/
http://www.symantec.com/connect/articles/securing-apache-step-step
http://www.devdaily.com/unix/edu/UnixSysAdmin/node169.shtml
http://www.opensourcevarsity.com/phpbasics/l4bindingphptoapache
http://searchsecurity.techtarget.com/feature/Windows-IIS-server-hardening-checklist
http://en.wikipedia.org/wiki/Internet_Information_Services
http://searchwindowsserver.techtarget.com/definition/IIS
http://www.microsoft.com/web/platform/server.aspx
http://www.faqs.org/docs/apache-compile/php.html
http://dan.drydog.com/apache2php.html
31. “Security is not a product, but a process.” - Bruce Schneier
THANK YOU