One of the recent trends in cyber security is an increase in attacks on web servers. Web servers have become valuable targets for attackers. Attackers use compromised web servers to host phishing sites and malware. Attackers also want web servers in order to boost the search rankings on Google and Yahoo of their other phishing and malware sites.
Due to the increase in attacks, the Computer Protection Program would like to clarify the expectations for employees running a web server. Below we outline the expectations at each layer of the web server.
Operating System and Web Server Layer
1. Minimum Security Requirements Are Not Enough
The Minimum Security Requirements are insufficient for web servers, which are exposed to numerous attack vectors. Extra care and caution need to be paid to web servers, including exceptionally fast patching of OS and service (including web server) vulnerabilities. Strong, restrictive host-based firewalls and host intrusion detection are strongly recommended. Central syslogging is a minimum security requirement.
In addition to these controls, there is a greater expectation that you, the system administrator, will be attentive to the web server. That means actively reviewing logs, understanding new security issues, and checking in on content. Web security vulnerabilities, attacks, and patches come quickly. Running a web server requires diligence in monitoring the cyber environment.
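As an added illustration of the log review this section asks for (not part of the original CPP page), the following Python script parses access-log lines in Apache's combined format and flags two things a reviewer would want to see: clients that generate many 404 responses, the usual trace of an automated tool walking a list of guessed paths, and requests whose path or query string contains traversal sequences or quote and angle-bracket characters. The log lines are constructed for this example, and the threshold and the character list are assumptions to tune for your own server.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format. The addresses are
# from the RFC 5737 documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2008:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2008:13:55:38 -0700] "GET /images/logo.png HTTP/1.1" 200 4512 "http://www.example.org/index.html" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2008:13:57:01 -0700] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2008:13:57:01 -0700] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2008:13:57:02 -0700] "GET /test/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2008:13:57:02 -0700] "GET /tmp/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2008:13:57:03 -0700] "GET /dev/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2008:13:57:03 -0700] "GET /cgi-bin/ HTTP/1.1" 403 209 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Oct/2008:14:02:10 -0700] "GET /cgi-bin/view.cgi?file=../../secret.txt HTTP/1.1" 404 312 "-" "curl/7.19"
192.0.2.9 - - [10/Oct/2008:14:02:15 -0700] "GET /cgi-bin/search.cgi?q=a%27 HTTP/1.1" 500 312 "-" "curl/7.19"
this line is not in combined format and is skipped
"""

# Fields of the combined format up to the response size; referer and
# user agent follow but are not needed for these two checks.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request strings worth a second look: directory traversal sequences and
# quote/angle-bracket characters, raw or URL-encoded (the list is an assumption).
SUSPICIOUS_RE = re.compile(r"\.\./|%2e%2e|['\"<>]|%27|%22|%3c|%3e", re.I)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every line of a log text, silently dropping unparseable ones."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def noisy_404_clients(records, threshold):
    """Clients with at least `threshold` 404 responses: the usual trace of a
    tool trying a list of guessed paths."""
    counts = Counter(r["ip"] for r in records if r["status"] == 404)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def suspicious_requests(records):
    """(client, path) pairs whose request string matches SUSPICIOUS_RE."""
    return [(r["ip"], r["path"]) for r in records if SUSPICIOUS_RE.search(r["path"])]


def review(text, threshold=5):
    """Run both checks over a log text and return a summary dict."""
    records = parse_log(text)
    return {
        "parsed": len(records),
        "noisy_404_clients": noisy_404_clients(records, threshold),
        "suspicious": suspicious_requests(records),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print("parsed %d lines" % report["parsed"])
    for ip, n in report["noisy_404_clients"].items():
        print("%s: %d responses of 404 (probe?)" % (ip, n))
    for ip, path in report["suspicious"]:
        print("%s requested %s" % (ip, path))
```

On a real server you would feed `review()` the rotated access log (or the central syslog copy the section requires) and treat both lists as a starting point for investigation, not as verdicts: a broken internal link also produces 404s, and a legitimate query can contain an apostrophe.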
2. Web Server Software Is Targeted
The web server software itself is a target of attack. Attackers are very proficient at taking advantage of the smallest misconfiguration. It is beyond the scope of this document to describe every configuration; instead, we advise that you review the configuration and security tips from your web server software provider. Some links are below.
Apache 2.2 Security Tips
Securing Microsoft IIS 6
3. Separate Other Resources From Web Servers
If the web server is successfully attacked, other resources on the server are also put at risk. For example, if you host your web server on the same box where your personal files are stored, your personal files are at greater risk. In extreme cases we have seen web servers also acting as NFS servers and NIS servers. CPP advises that you dedicate a web server to the single function of being a web server. Do not run other services, especially those that offer authentication or other security resources, on a web server.
Application Layer
4. Popular packages must be quickly patched
Applications like open source wikis, photo galleries, content management systems, and blogs are a growing vector of attack. They are often attacked within hours of announced vulnerabilities. If you run any of these packages, you must subscribe to the security lists of these products and immediately patch them.
It is important that you understand that the usual leeway provided by LBNL's security defenses is of no use to you in the case of these attacks. These products are typically attacked directly with no prior indication of malicious behavior, and signatures for perimeter protection may not yet be available. It is incumbent on you to patch these applications fast.
5. Custom CGIs must be securely coded
CGIs are applications. They run as the web server user (typically). They are easily and viciously attacked by both humans and automated tools. Writing secure code, attending to all the various attack scenarios from session hijacking to SQL injection, is a big topic - much too big for this web page. CPP may be able to refer you to additional resources, but at a minimum, reduce the exposure by minimizing your use of custom CGIs, by using tools like cgi-wrap which minimize the privileges of CGI scripts, and by getting help from experienced people.
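To make the "securely coded" expectation concrete, here is an added example (not code from the CPP page, nor from cgi-wrap) of a small CGI lookup written in Python against an in-memory SQLite table with constructed sample rows. It sets the string-concatenated query that the text warns about beside the parameterized form, allow-lists the one input it accepts, and HTML-escapes everything it echoes back so that request data cannot be reflected as markup. The table, its columns, and the name pattern are assumptions made for the example.

```python
import html
import os
import re
import sqlite3
import sys
from urllib.parse import parse_qs

# Allow-list for the one parameter this script accepts (an assumption for the
# example): letters, apostrophe, space, dot and hyphen, at most 64 characters.
NAME_RE = re.compile(r"[A-Za-z' .-]{1,64}")


def make_db():
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?)",
        [("alice", "555-0100"), ("bob", "555-0101"), ("O'Brien", "555-0102")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The pattern to avoid: the request value is pasted into the SQL text,
    so any quote in it changes the statement instead of being data."""
    query = "SELECT phone FROM staff WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Parameterized query: the value travels separately from the SQL text
    and is always treated as a literal, whatever characters it contains."""
    rows = conn.execute("SELECT phone FROM staff WHERE name = ?", (name,))
    return [row[0] for row in rows]


def vulnerable_breaks_on(conn, name):
    """True if the concatenated query fails to parse for this input; shows
    that the naive version cannot even handle a legitimate name."""
    try:
        lookup_vulnerable(conn, name)
    except sqlite3.Error:
        return True
    return False


def handle_request(conn, query_string):
    """Process one CGI request from its QUERY_STRING and return the HTML body."""
    name = parse_qs(query_string).get("name", [""])[0]
    if not NAME_RE.fullmatch(name):
        return "<p>Invalid name.</p>"
    phones = lookup_safe(conn, name)
    safe_name = html.escape(name)  # never echo request data unescaped
    if not phones:
        return "<p>No entry for %s.</p>" % safe_name
    return "<p>%s: %s</p>" % (safe_name, html.escape(phones[0]))


if __name__ == "__main__":
    # Under a web server this runs as the server user; keep the script this
    # small and run it under cgi-wrap or an equivalent to drop privileges.
    body = handle_request(make_db(), os.environ.get("QUERY_STRING", ""))
    sys.stdout.write("Content-Type: text/html; charset=utf-8\r\n\r\n%s\n" % body)
```

The point of `vulnerable_breaks_on` is that a perfectly ordinary name such as O'Brien is enough to make the concatenated query fail, which is the same mechanism an attacker relies on; the parameterized version returns the right row for that name without any special handling.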
Content Layer
6. Content must reflect RPM Policy
The RPM has a lot to say about web sites. You should review it (RPM 9.01, 9.02). In particular:
Prohibited Content: Commercial, non-transient incidental use, sexually explicit, gambling, etc.
Page Owner: A page/site owner must be identifiable from the page.
Publishing Rules: Ensure that openly posted content meets the standards of content the University expects, and that no copyrighted material is reproduced in an unacceptable manner.
7. Anonymous and Unauthenticated Posting Should Not Be Allowed
Anonymous and unauthenticated posting, for instance to wikis, blog comments, and other collaborative applications, should not be allowed, and new accounts should be screened by a human. You can read more about moderating web content by going here.