Post on 28-Dec-2015
Module 2:
The Web Server
1
Overview
• The Web Server
• Overview of IIS
• Overview of Apache
2
Web Server Defined
Web server is a computer program that delivers (serves) content such as web pages, using the Hypertext Transfer Protocol (HTTP), over the World Wide Web.
Web Server Market Share
Market Share for Top Servers Across All Domainsas of November 2010 source: netcraft.com
Developer October 2010 Percent November 2010 Percent Change
Apache 135,209,162 58.07% 148,085,963 59.36% 1.29
Microsoft 53,525,841 22.99% 56,637,980 22.70% -0.28
nginx 14,130,907 6.07% 15,058,114 6.04% -0.03
Google 14,971,028 6.43% 14,827,157 5.94% -0.49
lighttpd 1,380,160 0.59% 2,070,300 0.83% 0.24
Web server Common features
• Virtual hosting
• Large file support
• Bandwidth throttling
• Server-side scripting
7
Internet Information Services (IIS)
• Overview of IIS
• IIS Features
• IIS Authentication
• The .Net Framework
• ASP.Net
IIS 7 Overview
• Complete redesign and rewrite of IIS,
• Shipped with Windows Vista and Windows Server 2008.
• Includes a new modular design that allows for a lessened attack surface and increased performance.
• Introduces a hierarchical configuration system allowing for simpler site deploys
• New Windows Forms based management application
• New command line management options
• Increased support for the .NET Framework
• IIS 7.0 on Vista does not limit the number of allowed connections as IIS on XP did
8
IIS Features
IIS 7.5 Supports the following features
•HTTP - Hyper Text Transfer Protocol
•HTTPS - Hyper Text Transfer Protocol Secure
•FTP – File Transfer Protocol
•FTPS – File Transfer Protocol Secure
•SMTP – Simple Mail Transfer Protocol
•NNTP – Network News Transfer Protocol
IIS Request Processing
10
IIS Authentication
IIS 5.0 and higher support the following authentication mechanisms:
•Basic access authentication
•Digest access authentication
•Integrated Windows Authentication
•.NET Passport Authentication (not supported in Windows Server 2008 and above)
IIS 7.5 includes the following additional security features:
•Client Certificate Mapping
•IP Security
•Request Filtering
•URL Authorization
15
Introduction to the .Net framework
The .NET Framework is:
•Common Language Runtime – provides an abstraction layer over the operating system
•Base Class Libraries – pre-built code for common low-level programming tasks
•Development frameworks and technologies – reusable, customizable solutions for larger programming tasks
16
Introduction to the .Net Framework cont.
The .NET Framework allows you to:
•Apply common skills across a variety of devices, application types, and programming tasks
•Integrate with other tools and technologies to build the right solution with less work
•Build compelling applications faster
17
Components of the .NET Framework
18
Common Language Runtime
.NET Framework Class Library
ADO.NET ASP.NET User Interfaces
Visual C# Visual Basic Visual J# Visual
C++ JScript ThirdParty
IIS and ASP.Net
IIS Versions
Almost every version of IIS was released either along or with a version of Microsoft Windows operating system with the exception of IIS 1.0 which was initially released as a free add-on for Windows NT 3.51.
•IIS 6.0, Windows Server 2003 and Windows XP Professional x64 Edition
•IIS 7.0, Windows Server 2008 and Windows Vista (Home Premium, Business, Enterprise, Ultimate Editions)
•IIS 7.5, Windows Server 2008 R2 and Windows 7
Common Security Threats in IIS
• IIS is plagued with buffer overflows
• Inability to properly filter requests
To Fix Common Threats
• You should configure the URL Scan filter to reject maliciously formed HTTP requests
• Change the ISAPI extensions, such as .htr, .idq, .ism, and .printer
• Don’t install samples or remote administrations tools on new installs
• Only installed modules required by your application
Process for Securing Web Sites and Applications
32
Overview of Apache
Overview of Apache
• Apache HTTP Server, commonly referred to as Apache is web server software
• Played a key role in the initial growth of the World Wide Web
• Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation
Overview of Apache
• Since April 1996 Apache has been the most popular HTTP server software in use
• As of November 2010 Apache served over 59.36% of all websites and over 66% of the million busiest
• The majority of web servers using Apache run a Unix-like operating system
Apache Features
• Apache supports a variety of features, many implemented as compiled modules
• The modular nature allows you to only install and activate needed modules
• The following core modules are required:
Module Description
core Core Apache HTTP Server features that are always available
mod_accessAccess control based on client hostname, IP address, or other characteristics of the client request
mod_auth User authentication using text files
mod_dir Provides for "trailing slash" redirects and serving directory index files
mod_log_config Logging of the requests made to the server
mod_mimeAssociates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding)
Virtual hosting
• For example, one machine with one Apache installation could simultaneously serve www.example.com, www.test.com, test47.test-server.test.com, etc.
• Apache features configurable error messages
36
Apache Features
• Some common language interfaces support Perl, Python, Tcl, and PHP
• Popular authentication modules include mod_access, mod_auth, mod_digest, and mod auth_digest, the successor to mod_digest
Apache Web server
Apache System Requirements
• Java 1.4.x or greater.
• ANT 1.6.3 or greater.
• JUnit 3.8.2 if you wish to run the unit tests.
• CPU, Disk and Memory requirements are based on the many choices made in implementing Lucene
Common Security Threats Apache
• Keep up to Date
• Permissions on Server Root Directories
• Server Side Includes
• Protect Server Files by Default
• Watching Your Logs
• Protecting System Settings
Typical Attack Process
Reduce the Attack Surface
Review
• The Web Server
• Overview of IIS
• Overview of Apache
51
52