module 2: the web server 1. overview the web server overview of iis overview of apache 2

Module 2: The Web Server

Upload: lucas-barker

Post on 28-Dec-2015


Overview

• The Web Server

• Overview of IIS

• Overview of Apache


Web Server Defined

A web server is a computer program that delivers (serves) content, such as web pages, using the Hypertext Transfer Protocol (HTTP) over the World Wide Web.


Web Server Market Share

Market Share for Top Servers Across All Domains as of November 2010 (source: netcraft.com)

Developer | October 2010 | Percent | November 2010 | Percent | Change
Apache | 135,209,162 | 58.07% | 148,085,963 | 59.36% | 1.29
Microsoft | 53,525,841 | 22.99% | 56,637,980 | 22.70% | -0.28
nginx | 14,130,907 | 6.07% | 15,058,114 | 6.04% | -0.03
Google | 14,971,028 | 6.43% | 14,827,157 | 5.94% | -0.49
lighttpd | 1,380,160 | 0.59% | 2,070,300 | 0.83% | 0.24


Web Server Common Features

• Virtual hosting

• Large file support

• Bandwidth throttling

• Server-side scripting


Internet Information Services (IIS)

• Overview of IIS

• IIS Features

• IIS Authentication

• The .NET Framework

• ASP.NET


IIS 7 Overview

• Complete redesign and rewrite of IIS

• Shipped with Windows Vista and Windows Server 2008

• Includes a new modular design that allows for a smaller attack surface and increased performance

• Introduces a hierarchical configuration system allowing for simpler site deployments

• New Windows Forms-based management application

• New command-line management options

• Increased support for the .NET Framework

• IIS 7.0 on Vista does not limit the number of allowed connections as IIS on XP did


IIS Features

IIS 7.5 supports the following features:

• HTTP - Hypertext Transfer Protocol

• HTTPS - Hypertext Transfer Protocol Secure

• FTP - File Transfer Protocol

• FTPS - File Transfer Protocol Secure

• SMTP - Simple Mail Transfer Protocol

• NNTP - Network News Transfer Protocol


IIS Request Processing


IIS Authentication

IIS 5.0 and higher support the following authentication mechanisms:

• Basic access authentication

• Digest access authentication

• Integrated Windows Authentication

• .NET Passport Authentication (not supported in Windows Server 2008 and above)

IIS 7.5 includes the following additional security features:

• Client Certificate Mapping

• IP Security

• Request Filtering

• URL Authorization


Introduction to the .NET Framework

The .NET Framework consists of:

• Common Language Runtime: provides an abstraction layer over the operating system

• Base Class Libraries: pre-built code for common low-level programming tasks

• Development frameworks and technologies: reusable, customizable solutions for larger programming tasks


Introduction to the .NET Framework (cont.)

The .NET Framework allows you to:

• Apply common skills across a variety of devices, application types, and programming tasks

• Integrate with other tools and technologies to build the right solution with less work

• Build compelling applications faster


Components of the .NET Framework

[Diagram: layered components of the .NET Framework]

• Common Language Runtime

• .NET Framework Class Library

• ADO.NET, ASP.NET, User Interfaces

• Languages: Visual C#, Visual Basic, Visual J#, Visual C++, JScript, third party


IIS and ASP.NET


IIS Versions

Almost every version of IIS was released alongside or with a version of the Microsoft Windows operating system. The exception is IIS 1.0, which was initially released as a free add-on for Windows NT 3.51.

• IIS 6.0: Windows Server 2003 and Windows XP Professional x64 Edition

• IIS 7.0: Windows Server 2008 and Windows Vista (Home Premium, Business, Enterprise, Ultimate Editions)

• IIS 7.5: Windows Server 2008 R2 and Windows 7


Common Security Threats in IIS

• IIS is plagued with buffer overflows

• Inability to properly filter requests


To Fix Common Threats

• Configure the URLScan filter to reject maliciously formed HTTP requests

• Change the default ISAPI extension mappings, such as .htr, .idq, .ism, and .printer

• Don't install samples or remote administration tools on new installs

• Install only the modules required by your application
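
As an added example (not from the original slides), this script audits an IIS 7-style configuration for the ISAPI extensions named above, checking both handler mappings and request-filtering deny rules. The sample configuration is constructed, and using Request Filtering rather than URLScan for the deny rules is an assumption based on the IIS 7.5 feature list earlier in the deck.

```python
import xml.etree.ElementTree as ET

# Extensions named on the slide above.
RISKY_EXTENSIONS = {".htr", ".idq", ".ism", ".printer"}

# Constructed sample: a trimmed IIS 7-style configuration, not from a real server.
SAMPLE_CONFIG = """
<configuration>
  <system.webServer>
    <handlers>
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" />
      <add name="LegacyPrinter" path="*.printer" verb="*" modules="IsapiModule" />
      <add name="LegacyIdq" path="*.idq" verb="*" modules="IsapiModule" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".idq" allowed="false" />
          <add fileExtension=".htr" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

def audit_extensions(config_xml, risky=RISKY_EXTENSIONS):
    """Return {extension: finding} for each risky extension not fully handled."""
    root = ET.fromstring(config_xml)
    mapped, denied = set(), set()
    for handlers in root.iter("handlers"):
        for add in handlers.findall("add"):
            path = add.get("path", "").lower()
            if path.startswith("*."):          # "*.printer" -> ".printer"
                mapped.add(path[1:])
    for exts in root.iter("fileExtensions"):
        for add in exts.findall("add"):
            if add.get("allowed", "true").lower() == "false":
                denied.add(add.get("fileExtension", "").lower())
    findings = {}
    for ext in sorted(risky):
        if ext in mapped and ext not in denied:
            findings[ext] = "mapped to a handler and not denied"
        elif ext in mapped:
            findings[ext] = "denied by request filtering but handler mapping remains"
        elif ext not in denied:
            findings[ext] = "unmapped but not explicitly denied"
    return findings
```
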


Process for Securing Web Sites and Applications


Overview of Apache

• Apache HTTP Server, commonly referred to as Apache, is web server software

• Played a key role in the initial growth of the World Wide Web

• Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation


Overview of Apache

• Since April 1996 Apache has been the most popular HTTP server software in use

• As of November 2010 Apache served over 59.36% of all websites and over 66% of the million busiest

• The majority of web servers using Apache run a Unix-like operating system


Apache Features

• Apache supports a variety of features, many implemented as compiled modules

• The modular nature allows you to only install and activate needed modules

• The following core modules are required:

Module | Description
core | Core Apache HTTP Server features that are always available
mod_access | Access control based on client hostname, IP address, or other characteristics of the client request
mod_auth | User authentication using text files
mod_dir | Provides for "trailing slash" redirects and serving directory index files
mod_log_config | Logging of the requests made to the server
mod_mime | Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding)


Virtual hosting

• For example, one machine with one Apache installation could simultaneously serve www.example.com, www.test.com, test47.test-server.test.com, etc.

• Apache features configurable error messages


Apache Features

• Common language interfaces support Perl, Python, Tcl, and PHP

• Popular authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest


Apache Web server


Apache System Requirements

• Java 1.4.x or greater.

• ANT 1.6.3 or greater.

• JUnit 3.8.2 if you wish to run the unit tests.

• CPU, Disk and Memory requirements are based on the many choices made in implementing Lucene


Common Security Threats in Apache

• Keep up to Date

• Permissions on Server Root Directories

• Server Side Includes

• Protect Server Files by Default

• Watching Your Logs

• Protecting System Settings
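
As an added example (not from the original slides), this script checks an httpd.conf for two of the items listed above: "Protect Server Files by Default" and "Server Side Includes". The sample configuration and its paths are constructed, and the directive names (`Require all denied`, `Deny from all`, `Options Includes`, `IncludesNOEXEC`) come from Apache's own documentation rather than from the slide.

```python
import re

# Constructed sample httpd.conf fragment (not from a real server).
SAMPLE_HTTPD_CONF = """\
ServerRoot "/usr/local/apache"
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/usr/local/apache/htdocs">
    Options Indexes Includes
    Order allow,deny
    Allow from all
</Directory>
"""

DEFAULT_DENY = {"require all denied", "deny from all"}  # 2.4 and pre-2.4 syntax

def audit_httpd_conf(text):
    """Return findings for a missing default deny on <Directory /> and for SSI exec."""
    findings = []
    section = None          # path of the <Directory> block being read, if any
    root_denied = False
    for raw in text.splitlines():
        line = " ".join(raw.split())            # collapse runs of whitespace
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            section = opened.group(1).strip()
            continue
        low = line.lower()
        if low == "</directory>":
            section = None
            continue
        if section == "/" and low in DEFAULT_DENY:
            root_denied = True
        if low.startswith("options "):
            enabled = [opt.lstrip("+") for opt in low.split()[1:]]
            if "includes" in enabled:           # IncludesNOEXEC does not match
                where = section or "server config"
                findings.append(f"{where}: Options Includes allows SSI exec; use IncludesNOEXEC")
    if not root_denied:
        findings.insert(0, "<Directory />: no default deny for the filesystem root")
    return findings
```
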


Typical Attack Process


Reduce the Attack Surface


Review

• The Web Server

• Overview of IIS

• Overview of Apache
