Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

32
Module 4: Securing the Web Server 1

Transcript of Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Page 1: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Module 4: Securing the Web Server

1

Page 2: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Overview

• Securing IIS

• Securing Apache

2

Page 3: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

3

Securing IIS

Page 4: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Securing IIS Servers

• Installation

• Authentication

• Permissions and Authorization

• Web Applications

• Protect the Metabase

• Monitoring and Logging

• Utilities

• Miscellaneous

• Web sites, products, training

Page 5: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Installation

• Only install necessary components

• Do not have server connected to Ethernet during the installation

• Apply all service packs and hot fixes

• Remove printer and file support

• Disable unnecessary services and subsystems

• Delete sample files

• Delete or move sample scripts

• Remove Internet Explorer

• Security Templates

• Remove any resource kits or SDKs that were installed

• Secure dangerous executables

Page 6: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Authentication

• Anonymous access

• Use of SSL

Page 7: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Permissions & Authorization

• NTFS permissions for website content volumes

• Set initial NTFS permissions settings on the root of the volume

• Administrators : Full control (Apply onto: This folder, sub folders, and files)

• System: Full control (Apply onto: This folder, subfolder sand files)

• Check the box on the Permissions tab to “Reset permissions on all child objects and enable propagation of inheritable permissions”

Page 8: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Best Practices for Website Folders

• Physical folder structure

• /root – starting point of the website

- Home page

• /scr – stores scripts

-Don’t call it “scripts” as this is a tip -off for hackers

• /exe – executables

-Don’t call it “bin” or “cgi-bin” as this is a tip-off for hackers; may not even want to call it “exe”

• images – graphics

-Reduces clutter in other folders and can be removed from logging

Page 9: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

ISAPI Filters vs. ISAPI Extensions

• Filters are DLLs which register “hooks” with IIS so that they will be invoked when certain internal IIS events occur.

• Event triggers pass control of a request or response to an ISAPI filter DLL (Example: SSL encryptions)

• Extensions are DLLs or programs which are associated with files of a certain filename extensions so that when a browser makes a request to such a file, the program is automatically executed.

• Typically script engines or command interpreters

Page 10: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

lISAPI Filters

• Four default filters

• SSPIFILT.DLL – implements SSL encryption for all websites using HTTPS

• COMPFILT.DLL – implements HTTP compressions of requested files using GZIP and DEFLATE protocols

• MD5FILT.DLL – used with Digest authentication

• FPEXEDLL.DLL – provides compatibility with FrontPage

Page 11: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Protect the Metabase

• The “metabase” is IIS’s configuration database (like the system registry)

• Location is determined by a registry value which can be modified (not recommended unless you’re paranoid!)

• Hive: HKEY_LOCAL_MACHINE

• Key: \Software\Microsoft\InetMgr\Parameters

• Value Name: MetadataFile

• Value Type: REG_SZ

• Value Data: <drive letter, path, and filename of the metabase>

• Move the HTTP/FTP root folders off the %systemroot% volume

• Secure the registry key which determines the metabaselocation

• Audit all failed access to the metabasefile

• Set NTFS permissions on the metabasefile to the following:

Administrators: Full Control

System: Full Control

Page 12: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Monitoring and Logging

• Use performance monitor

• Log monitor output to a data file

• Determine an appropriate period of time for monitoring activity

• Get a baseline set of statistics

Page 13: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

What to Monitor?

Active Server Pages

• Errors/Sec

• Request Not Authorized

Disk

• Logical Disk\% of Free Space]

IP

• Datagrams Received Header Errors

• Datagrams Received Unknown Protocol

• Fragment Re-Assembly Failures

Page 14: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Event Viewer Logs

• NTFS File Access Audit

• Audit all the different types of failed access for the entire file system

• Audit successful actions for Everyone for:

-Create Files / Write Data

-Create Folder / Append Data

-Delete Subfolders and Files

-Delete

-Change Permissions

-Take Ownership

Page 15: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

IIS Protocol Logging

• Enable logging at the website

• Disable logging for each folder/file you don’t want to log

• Set the location for the log files

• Secure the log files using NTFS permissions

Page 16: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Utilities

• Resource Kit

• METAEDIT.EXE – IIS configuration tool

• PLAYBACK.EXE –Records incoming traffic on an IIS 5.0 server then allows it to be played back on another server

• Stress test utility

• IIS Permissions Wizard Template Maker

Page 17: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Miscellaneous

• Throttling IIS

-Limit connections

-Set connection timeouts

• Administration Website (HTMLA)

-Secure the site with SSL, authentication, IP address restrictions

Page 18: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Unused Services

• Follow a defense-in-depth approach to securing SQL Server

• Apply service packs and patches

-Use MBSA to detect missing SQL updates

• Disable unused services

-MSSQLSERVER

-SQLSERVERAGENT

-MSSQLServerADHelper

-Microsoft Search

-Microsoft DTC

Page 19: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Top 10 Actions to Secure IIS

• Harden the operating system and apply all relevant security updates

• Remove unnecessary components

• Configure URLScan

• Place content on a separate NTFS partition

• Protect files by using minimal permissions

• Require encryption for sensitive Web traffic

• Do not enable both the Execute and Write permissions on the same Web site

• Run applications using Medium or High application protection

• Use LPA for App Pool Account

• Use IPSec filtering to allow only required traffic (HTTP and HTTPS) to the Web server

Page 20: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Demonstration : Securing IIS 6.0

Page 21: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Unused Services

The IIS Lockdown Tools provides the option to disable unused IIS-related services; however, you should manually disable other unused services

The following services must be running for IIS to run properly :

•Event Log

•License Logging Service

•Windows NTLM Security Support Provider

•Remote Procedure Call (RPC) Service

•Windows NT Server or Windows NT Workstation

•IIS Admin Service

•MSDTC

•World Wide Web Publishing Service

•Protected Storage

Page 22: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

31

Securing Apache

Page 23: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Secure the Operating System

• Offer no network services except HTTP (80/tcp) and HTTPS (443/tcp) to the Internet

• Access to and from the Internet controlled by a firewall

• Apache web server must be the only service running on the machine

• Only necessary Apache modules to be loaded

• Diagnostic web pages and automatic directory listings turned off

32

Page 24: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Minimize the amount of security disclosure

• Run the Apache process under a unique UID

• Limit the Apache process by chrooting/sandboxing

• Ensure no shell programs are in the chroot environment

33

Page 25: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Build Apache with only the modules required:

• Http_core

• Mod_access

• Mod_auth

• Mod_dir

• Mod_log_config

• Mod_mime

Do not install: mod_autoindex and mod_info Compiled statically, which also removes the need for mod_so

34

Page 26: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

10 things you should do to secure Apache

• Update

• Use the right user:group

• Turn off unwanted services

• Disable unused modules

• Restrict access

• Limit request size

• Employ mod_security

• Do not allow browsing outside the document root

• Hide Apache’s version number

• Immunize httpd.conf

Page 27: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Unused Services

• Directory browsing-This is done within a directory tag (the document root is a good place to start) using the Options directive and is set with “-Indexing”.

• Server side Includes-This is another feature that is disabled within a directory tag (using Options directive) and is set with “-Includes”.

• CGI execution-Unless your site needs CGI, turn this off. This feature is also set within a directory tag using the Options directive, with “-ExecCGI”.

• Symbolic links-Set this inside a (surprise, surprise) directory tag with “-FollowSymLinks”.

• None-You can turn off all options (in the same way you set the above) using “None” with the Option directive.

Page 28: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Patching

A "Patch" is the set of differences between two versions of the same file. A patch comprises one or more "diff" files. These diffs are produced by the program of the same name: diff.

Page 29: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Steps to manually apply the FrontPage Apache patch to a new Apache server

• Before compiling and installing the Apache patch, you must install the FrontPage Server Extensions. When the setup script untars the FrontPage Server Extensions, it also untars the FrontPage Apache patch source file Fp-patch-apache_1.3.x. If you run Fp_install.sh, let it untar the Fp40.platform.tar.Z without installing a root Web or sub/per user Webs, or virtual Webs.

• Copy the Fp-patch-apache_1.3.x into your Apache server build directory (usually /usr/local/Apache_1.3.x). The Fp-patch-apache_1.3.x file is found in/usr/local/frontpage/version4.0/apache-fp/fp-patch-apache_1.3.x.

• Using the GNU version of the patch utility, run the patch command on the FrontPage 2000 Apache patch source file: patch -p0 <fp-patch-apache_1.3.x

• Create the makefile for the patched server. For a server that uses 1.3.0 or later directory structure: ./configure --add-module=mod_frontpage.c

• For a server that uses 1.2.x, directory structure: ./configure --add-module=mod_frontpage.c --compat

Page 30: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Steps to manually apply the FrontPage Apache patch to a new Apache server

• You can append --prefix=/usr/local/apache to get your install directories the way you want them. For instance, for a install directory of /usr/local/apache: ./configure --add-module=mod_frontpage.c --prefix=/usr/local/apache

• Build the Apache server: make

• Install the server: make Install

• After installing the server, you will need to run the Change_server.sh. This file was untarred when you ran the Fp_install.sh script. The Change_server.sh resides in /usr/local/frontpage/version4.0. When you run the Change_server.sh, you will be prompted whether or not to replace the httpd daemon.

• You can install the Server Extensions using Fp_install making sure when prompted to install to Apache-fp when asked which server you are using.

Page 31: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

Apache and MySQL configurations, patching services and cluster

Page 32: Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2.

43