Securing the Web Environment
Web Server Administration, TEC 236
Overview
- Identify threats and vulnerabilities
- Secure data transmission
- Secure the operating system
- Secure server applications
- Authenticate Web users
- Use a firewall
- Use a proxy server
- Use intrusion detection software
Identifying Threats and Vulnerabilities
- Focus is on threats from the Internet
- Hackers sometimes want the challenge of penetrating a system and vandalizing it; other times they are after data
- Data can be credit card numbers, user names and passwords, or other personal data
- Information can be gathered while it is being transmitted
- Often, operating system flaws can assist the hacker
Vulnerabilities in Operating Systems
- Operating systems are large and complex, which means that there are more opportunities for attack
- Although Windows has had its share of problems, inattentive administrators often fail to implement patches when they are available
- Some attacks, such as buffer overruns, can allow the attacker to take over the computer
Securing the Operating System
- Use the server for only necessary tasks
- Minimize user accounts
- Disable services that are not needed
- Make sure that you have a secure password
  - In addition to using upper case, lower case, numbers and symbols, hold down the ALT key and type a number (on the numeric keypad) from 1 to 255
  - Check a table of ALT values to avoid common characters
  - The use of the ALT key will thwart most hackers
Securing Windows
- There are many services that are not needed in Windows for most Internet-based server applications:
  - Alerter
  - Computer Browser
  - DHCP Client
  - DNS Client
  - Messenger
  - Server
  - Workstation
- Also, the registry can be used to alter the configuration to make it more secure, such as disabling short file names
Vulnerabilities of E-mail Servers
- By design, e-mail servers are open
- E-mail servers can be harmed by a series of very large e-mail messages
- Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server
- Viruses can be sent to e-mail users
- Retrieving e-mail over the Internet often involves sending your user name and password as clear text
Securing E-mail
- Exchange 2000 can also use SSL for the protocols it uses
- To prevent someone from sending large e-mail messages until the disk is full, set a size limit for each mailbox
Securing Data Transmission
- To secure data on a network that is accessible to others, you need to encrypt the data
- SSL is the most common method of encrypting data between a browser and Web server
- Secure Shell (SSH) is a secure replacement for Telnet
Secure Sockets Layer (SSL)
- A digital certificate issued by a certification authority (CA) identifies an organization
- The public key infrastructure (PKI) defines the system of CAs and certificates
- Public key cryptography depends on two keys
  - A public key is shared with everyone
  - The public key can be used to encrypt data
  - Only the owner of the public key has the corresponding private key, which is needed to decrypt the data
Establishing an SSL Connection
[diagram only; no text on this slide]
Vulnerabilities in Web Servers
- Static HTML pages pose virtually no problem
- Programming environments and databases add complexity that a hacker can exploit
- Programmers often do not have time to focus on security
Securing the Web Server
- Enable the minimum features
  - If you don't need a programming language, do not enable it
- Make sure programmers understand security issues
- Implement SSL where appropriate
Securing the Web Server: IIS
- The URLScan utility blocks potentially harmful page requests
- The IIS Lockdown utility has templates to ensure that you enable only what you need
- Change NTFS permissions on \inetpub\wwwroot from Everyone: Full Control to Everyone: Execute
- In IIS 5, delete the \samples, \IISHelp and \MSADC folders
- Delete extensions you do not use, such as .htr, .idc, .stm, and others
Authenticating Web Users
- Both Apache and IIS use HTTP to enable authentication
  - The browser tries to access a protected directory and fails
  - It then requests authentication from the user in a dialog box
  - It accesses the directory with the user information
- Used in conjunction with SSL
Configuring User Authentication in IIS
- Four types of authenticated access:
  - Windows integrated authentication: most secure; requires IE
  - Digest authentication for Windows domain servers: works with proxy servers; requires Active Directory and IE
  - Basic authentication: user name and password in clear text; works with IE, Netscape, and others
  - Passport authentication: centralized form of authentication; only available on Windows Server 2003
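The fail / challenge / retry exchange from the previous two slides, shown from the server side for Basic authentication, as an added example (not from the course and not Apache or IIS code). The realm, the user record and the salt are constructed; the `decode_basic` function also shows why Basic credentials count as clear text.

```python
"""Server side of the HTTP authentication exchange both Apache and IIS use
for a protected directory: the first request fails with 401 and a
WWW-Authenticate challenge (which makes the browser show its dialog box),
and the retried request carries the credentials. Added example, not from
the course or either server; realm, user and salt are constructed."""
import base64
import hashlib
import hmac
from typing import Dict, Tuple

REALM = "Protected Directory"
_SALT = b"constructed-salt"
# Keep only salted hashes on the server, never the passwords themselves.
USERS = {"alice": hashlib.sha256(_SALT + b"s3cret").hexdigest()}

def _verify(user: str, password: str) -> bool:
    expected = USERS.get(user)
    got = hashlib.sha256(_SALT + password.encode()).hexdigest()
    # compare_digest: comparison time does not leak where the mismatch is
    return expected is not None and hmac.compare_digest(expected, got)

def decode_basic(header: str) -> Tuple[str, str]:
    """Basic credentials are base64, not encryption: anyone who sees this
    header on the wire recovers user and password, hence 'use with SSL'."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def handle_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """(status, response headers) for a request to the protected directory:
    no credentials -> 401 plus challenge; credentials -> verify, then
    serve or challenge again."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    auth = headers.get("Authorization")
    if auth is None:
        return 401, challenge
    try:
        user, password = decode_basic(auth)
    except (ValueError, UnicodeDecodeError):
        return 400, {}          # malformed header, not an auth failure
    if _verify(user, password):
        return 200, {"Content-Type": "text/html"}
    return 401, challenge

def client_authorization(user: str, password: str) -> str:
    """What the browser sends after the dialog box: base64(user:password)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Basic " + token
```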
Using a Firewall
- A firewall implements a security policy between networks
- Our focus is between the Internet and an organization's network
- You need to limit access, especially from the Internet to your internal computers
- Restrict access to Web servers, e-mail servers, and other related servers
Types of Filtering
- Packet filtering
  - Looks at each individual packet
  - Based on rules, it determines whether to let the packet pass through the firewall
- Circuit-level filtering (stateful or dynamic filtering)
  - Controls the complete communication session, not just individual packets
  - Allows traffic initiated from within the organization to return, yet restricts traffic initiated from outside
- Application-level filtering
  - Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e-mail
A Packet-filtering Firewall
- Consists of a list of acceptance and denial rules
- A firewall independently filters what comes in and what goes out
- It is best to start with a default policy that denies all traffic, in and out
- We can reject or drop a failed packet
  - Drop (best): thrown away without response
  - Reject: ICMP message sent in response
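The slide's rules as a small packet filter, added here as an example (not course material): separate inbound and outbound rule lists, default deny, and the difference between a silent drop and a reject that answers with ICMP. Every address, port and rule is constructed.

```python
"""Toy packet filter illustrating the slide: a default-deny policy, separate
inbound and outbound rule lists, first match wins, and DROP (silent) versus
REJECT (ICMP reply). Added example, not course material; all addresses,
ports and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept", "drop" or "reject"
    src_net: str = "0.0.0.0/0"   # any source unless narrowed
    dst_net: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))

WEB = "203.0.113.10/32"   # constructed public Web server address
INBOUND = [
    Rule("accept", dst_net=WEB, proto="tcp", dport=80),
    Rule("accept", dst_net=WEB, proto="tcp", dport=443),
    Rule("drop", dst_net=WEB, proto="tcp", dport=23),    # Telnet: silently dropped
    Rule("reject", dst_net=WEB, proto="tcp", dport=25),  # no mail here: tell the sender
]
OUTBOUND = [
    Rule("accept", src_net=WEB, proto="udp", dport=53),  # DNS lookups only
]

def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching rule decides; anything unmatched falls to the default
    policy, which denies by dropping. Returns (verdict, response): REJECT
    sends an ICMP error back, DROP and the default give the sender nothing."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "reject":
                return "reject", "ICMP destination unreachable"
            return rule.action, None
    return "drop", None
```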
Using a Proxy Server
- A proxy server delivers content on behalf of a user or server application
- Proxy servers need to understand the protocol of the application that they proxy, such as HTTP or FTP
- Forward proxy servers isolate users from the Internet
  - Users contact the proxy server, which gets the Web page
- Reverse proxy servers isolate the Web server environment from the Internet
  - When a Web page is requested from the Internet, the proxy server retrieves the page from the internal server
Using Intrusion Detection Software
- Intrusion detection is designed to show you that your defenses have been penetrated
- Microsoft ISA Server only detects specific types of intrusion
- In Linux, Tripwire tracks changes to files
Tripwire
- Tripwire allows you to set policies that let you monitor any changes to the files on the system
- Tripwire can detect file additions, file deletions, and changes to existing files
- By understanding the changes to the files, you can determine which ones are unauthorized and then try to find out the cause of the change
Tripwire
- After installing Tripwire, you configure the policy file to determine which files to monitor
- A default list of files is included, but it will take time to refine the list
- A report can be produced to find out which files have been added, changed, and deleted
- Usually, it runs automatically at night
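How the two Tripwire slides fit together in code, as an added example that is not Tripwire's own: a baseline of file hashes stands in for the database, an ignore list stands in for the policy file, and the comparison produces the added / deleted / changed report. The monitored tree is constructed in a temporary directory.

```python
"""Tripwire-style integrity check: hash every monitored file into a baseline,
take a later snapshot, and report additions, deletions and changes. Added
example, not Tripwire's code; the monitored tree is constructed in a temp dir."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

def snapshot(root: str, ignore_dirs: Iterable[str] = ()) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root. Directories in
    ignore_dirs (log spools, caches) are skipped: refining such exclusions
    is the work the slide says the default policy needs."""
    skip, hashes = set(ignore_dirs), {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip]
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hashes[rel] = hashlib.sha256(f.read()).hexdigest()
    return hashes

def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """The three classes Tripwire reports: added, deleted, changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small web root, then modify one page,
    remove one and drop in a new file; the log directory is policy-excluded."""
    root = tempfile.mkdtemp()
    def write(rel: str, data: str) -> None:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(data)
    write("wwwroot/index.html", "<h1>Welcome</h1>")
    write("wwwroot/about.html", "<p>About us</p>")
    write("logs/access.log", "GET / 200")
    baseline = snapshot(root, ignore_dirs=["logs"])
    write("wwwroot/index.html", "<h1>Defaced</h1>")         # changed
    os.remove(os.path.join(root, "wwwroot", "about.html"))  # deleted
    write("wwwroot/new.asp", "<!-- unexpected -->")         # added
    write("logs/access.log", "GET / 200\nGET /x 404")       # changed, but excluded by policy
    return compare(baseline, snapshot(root, ignore_dirs=["logs"]))
```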
Intrusion Detection in ISA Server
- The following intrusions are tracked:
  - Windows out-of-band (WinNuke): a specific type of denial-of-service attack
  - Land: a spoofed packet is sent with the SYN flag set so that the source address is the same as the destination address, which is the address of the server. The server can then try to connect to itself and crash.
  - Ping of death: the server receives ICMP packets that include large file attachments, which can cause a server to crash.
  - IP half scan: if a remote computer attempts to connect to a port by sending a packet with the SYN flag set and the port is not available, the RST flag is set on the return packet. When the remote computer does not respond to the RST flag, this is called an IP half scan. In normal situations, the TCP connection is closed with a packet containing a FIN flag.
  - UDP bomb: a UDP packet with an illegal configuration.
  - Port scan: you determine the threshold for the number of ports that are scanned (checked) before an alert is issued.
Summary
- Every computer connected to the Internet represents a potential target for attack
- Hackers can gather data and modify systems
- SSL can secure data transmission
- Keep each server to a single purpose, such as Web server or e-mail
- Keep applications and services to a minimum
Summary
- User authentication controls access to one or more Web server directories
- Firewalls control access policies between networks
- A proxy server delivers content on behalf of a user or server application
- Intrusion detection software identifies intrusions but typically does not prevent them