Plan the configuration and deployment of Web server
Identify functions of Web server.
Identify information categories that will be stored, processed and transmitted through the Web server.
Identify security requirements of information.
identify how information is published to the Web server.
Identify a dedicated host to run Web server.
Identify network services that will be provided and supported by the Web server.
Identify users and categories of users of the Web server and determine privilege for each category of user.
Identify user authentication methods for Web server.
Choose appropriate operating system for Web server
Minimal exposure to vulnerabilities.
Ability to restrict administrative or root level activities to authorized users only.
Ability to deny access to information on the server other than that intended to be available.
Ability to disable unnecessary network services that may be built into the operating system or server software.
Ability to control access to various forms of executable programs, such as Computer Gateway Interface (CGI) scripts and server plug-ins in the case of Web servers.
Availability of experienced staff to install, configure, secure, and maintain operating system.
Patch and upgrade operating system
Identify and install all necessary patches and upgrades to the operating system.
Identify and install all necessary patches and upgrades to applications and services included with the operating system.
Remove or disable unnecessary services and applications
Disable or remove unnecessary services and applications.
Configure the operating system user authentication
Remove or disable unneeded default accounts and groups.
Disable noninteractive accounts.
Create the user groups for the particular computer.
Create the user accounts for the particular computer.
Check the organization’s password policy, and set account passwords appropriately (e.g., length, complexity).
Configure computers to deny login after a small number of failed attempts.
Install and configure other security mechanisms to strengthen authentication.
Test the security of the operating system
Test operating system after initial install to determine vulnerabilities.
Test operating system frequently to determine new vulnerabilities.
Securely Installing and Configuring the Web Server
Securely installing the Web server
Install the server software on a dedicated host.
Install minimal Internet services required.
Apply any patches or upgrades to correct for known vulnerabilities.
Create a dedicated physical disk or logical partition (separate from operating system and server application) for Web content.
Remove or disable all services installed by the Web server application but not required (e.g., gopher, FTP, and remote administration).
Remove all sample documents, scripts, and executable code.
Remove all vendor documentation from server.
Apply appropriate security template or hardening script to server.
Reconfigure HTTP service banner (and others as required) NOT to report Web server and operating system type and version.
Configuring Web server host operating system access controls
Configured so that Web content files can be read but not written by web service processes.
Configured so that Web service processes cannot write the directories where public Web content is stored.
Configured so that only processes authorized for Web server administration can write Web content files.
Configured so that Web application can write Web server log files, but log files cannot be read by the Web server application.
Configured so that temporary files created by Web server application are restricted to a specified and appropriately protected subdirectory.
Configured so that access to any temporary files created by Web server application is limited to the Web service process(es) that created these files.
Installed with Web content on a different hard drive or logical partition than the operating system and Web application.
Configured so that if uploads are allowed to the Web server, a limit is placed on the amount of hard drive space that is dedicated for this purpose.
Configured so that log files are stored in a location that is sized appropriately.
Configuring a secure Web content directory
Dedicate a single hard drive or logical partition for Web content and establish related subdirectories exclusively for Web server content files, including graphics but excluding scripts and other programs.
Define a single directory exclusively for all external scripts or programs executed as part of Web server content (e.g., CGI, ASP).
Disable the execution of scripts that are not exclusively under the control of administrative accounts. This action is accomplished by creating and controlling access to a separate directory intended to contain authorized scripts.
Create the user groups for the computer.
Disable the use of hard or symbolic links (aka, shortcuts for Windows).
Define a complete Web content access matrix. Identify which folders and files within the Web server document are restricted and which are accessible (and by whom).
Check the organization’s password policy, and set account passwords appropriately (e.g., length, complexity).
Use robots.txt file if appropriate.
Using file integrity checkers
Install a file integrity check to protect Web server configuration files, password files and Web content.
Update file integrity checksums whenever an upgrade or content changed occurs.
Store checksum on protected write once media.
Regularly compare checksums.
Securing Web Content
Ensure that none of the following types of information are available on or via a public Web server
Classified records.
Internal personnel rules and procedures.
Sensitive or proprietary information.
Personal information about an organization's personnel.
Telephone numbers, e-mail addresses, or general listings of staff unless necessary to fulfill organizational requirements.
Schedules of organizational principals or their exact location (whether on or off the premises).
Information on the composition, preparation, or optimal use of hazardous materials or toxins.
Sensitive information relating to homeland security Investigative records.
Financial records (beyond those already publicly available).
Organization's physical and information security procedures.
Information about organization's network and information system infrastructure.
Information that specifies or implies physical security vulnerabilities.
Plans, maps, diagrams, aerial photographs, and architectural plans of organizational building, properties, or installations.
Copyrighted material without the written permission of the owner.
Privacy or security policies that indicate the types of security measures in place to the degree that they may be useful to an attacker.
Establish an organizational-wide documented formal policy and process for approving public Web content
Identifies information that should be published on the Web.
Identifies target audience.
Identifies possible negative ramifications of publishing the information.
Identifies who should be responsible for creating, publishing, and maintaining this particular information Provides guidelines on styles and formats appropriate for Web publishing.
Provides for appropriate review the information for sensitivity and distribution/release controls (including the sensitivity of the information in aggregate).
Determines the appropriate access and security controls.
Provides guidance on the information contained within the source code of the Web content.
Web user privacy considerations
Published privacy policy.
Prohibition the collection of personally identifying data without the explicit permission of the user.
Prohibition on the use of "persistent" cookies.
Use of session cookie, if used, is clearly identified in published privacy policy.
Client side active content security considerations
Used only when absolutely required.
No actions taken without express permissions of user.
No use of high risk client side active content.
When possible alternatives are provided (e.g., plain text provided along with PDF).
Server side active content security considerations
Simple easy to understand code.
Limited or no reading or writing of files.
Limited or no interaction with other programs (e.g., sendmail).
No requirement to run with suid privileges.
Use of explicit path names (i.e., does not rely on path variable).
No directories have both write and execute permissions.
All executable files are placed in a dedicated folders.
SSIs are disabled or execute function is disabled.
All user input is validated.
Dynamically created pages do not create dangerous metacharacters.
Character set encoding should be explicitly set in each page.
User data should be scanned for byte sequences that mean special characters for the given encoding scheme.
Cookies should be examined for any special characters.
Encryption mechanism is used to encrypt passwords entered through scripts forms.
For Web applications that are restricted by username and password, none of the Web pages in the application should be accessible without going through the appropriate login process.
All sample scripts are removed.
No third-party scripts or executable code are used without verifying the source code.
Wireless LAN Security
Develop an agency security policy that addresses the use of wireless technology, including 802.11.
Ensure that users on the network are fully trained in computer security awareness and the risks associated with wireless technology.
Perform a risk assessment to understand the value of the assets in the agency that need protection.
Ensure that the client NIC and AP support firmware upgrade so that security patches may be deployed as they become available (prior to purchase).
Perform comprehensive security assessments at regular and random intervals (including validating that rogue APs do not exist in the 802.11 WLAN) to fully understand the wireless network security posture.
Ensure that external boundary protection is in place around the perimeter of the building or buildings of the agency.
Deploy physical access controls to the building and other secure areas (e.g., photo ID, card badge readers).
Complete a site survey to measure and establish the AP coverage for the agency.
Take a complete inventory of all APs and 802.11 wireless devices.
Ensure that wireless networks are not used until they comply with the agency's security policy.
Locate APs on the interior of buildings instead of near exterior walls and windows as appropriate.
Place APs in secured areas to prevent unauthorized physical access and user manipulation.
Technical Recommendations
Empirically test AP range boundaries to determine the precise extent of the wireless coverage.
Make sure that APs are turned off during when they are not used (e.g., after hours and on weekends).
Make sure that the reset function on APs is being used only when needed and is only invoked by an authorized group of people.
Restore the APs to the latest security settings when the reset functions are used.
Change the default SSID in the APs.
Disable the broadcast SSID feature so that the client SSID must match that of the AP.
Validate that the SSID character string does not reflect the agency's name (division, department, street, etc.) or products.
Ensure that AP channels are at least five channels different from any other nearby wireless networks to prevent interference.
Understand and make sure that all default parameters are changed.
Disable all insecure and nonessential management protocols on the APs.
Enable all security features of the WLAN product, including the cryptographic authentication and WEP privacy feature.
Ensure that encryption key sizes are at least 128-bits or as large as possible.
Make sure that default shared keys are periodically replaced by more secure unique keys.
Install a properly configured firewall between the wired infrastructure and the wireless network (AP or hub to APs).
Install antivirus software on all wireless clients.
Install personal firewall software on all wireless clients.
Disable file sharing on wireless clients (especially in untrusted environments).
Deploy MAC access control lists.
Consider installation of Layer 2 switches in lieu of hubs for AP connectivity.
Deploy IPsec-based Virtual Private Network (VPN) technology for wireless communications.
Ensure that encryption being used is sufficient given the sensitivity of the data on the network and the processor speeds of the computers.
Fully test and deploy software patches and upgrades on a regular basis.
Ensure that all APs have strong administrative passwords.
Ensure that all passwords are being changed regularly.
Deploy user authentication such as biometrics, smart cards, two-factor authentication, and PKI.
Ensure that the "ad hoc mode" for 802.11 has been disabled unless the environment is such that the risk is tolerable. Note: some products do not allow disabling this feature; use with caution or use different vendor.
Use static IP addressing on the network.
Disable DHCP.
Enable user authentication mechanisms for the management interfaces of the AP.
Make it longer, using upper and lower case, with numbers and special characters. Don't forget spaces and punctuation points can frequently be used to make more memorable, but still secure, pass phrases.
Set up a firewall. Even if you just use dial-up or DSL you are fully exposed to the internet.
This is your primary defense and protects against outside attacks by screening and blocking all traffic between your network and the Internet that is not allowed. The firewall also hides computer addresses. Firewall hardware connects between the cable/ DSL modem and your computers. Windows operating systems have great built-in firewalls.
Almost half of all companies surveyed spend less than 2% of their IT budget on security.
And of that figure, 40% spent less than 1% citing the engagement of senior management as a significant obstacle.
Frozen Explorer session?
If your explorer session has stopped responding, hit CTRL+SHFT+ESC to bring up taskmanager. On the processes tab, look for explorer.exe in the Image Name column and hit the End Process button. Your windows session will now seem to disappear. It can be restarted in taskmanager by going to File>New Task (Run) and typing explorer.exe.
Many security initiatives fail to have longevity.
Because they are not presented to senior management as a business need they lack the authority to be prioritized.
