Web Server Requirement: OS and Application
One of the recent trends in cyber security is increasing attacks on web servers. Web servers have become valuable targets for attackers. Attackers use the web servers to host phishing sites and malware and to boost index rankings on Google and Yahoo for the attacker's other malicious sites.
SSL Certificate Requirements
SSL certificates serve two important functions. First, they permit communication with a web server to be encrypted. Web servers commonly use encryption to protect private data, such as passwords. Second, SSL certificates allow visitors to validate that the website they're communicating with is authentic (and not, for instance, a malicious copy intended to trick visitors into disclosing passwords).
There are two options for SSL certificates: (1) self-signed or (2) certificate authority (CA) signed. Self-signed certificates do not allow the same level of validation and create confusing browser warning messages. We recommend web servers use CA signed certificates. CA signed certificates are cheap and easy to acquire via the process here. Valid CA signed certificates are required for web servers with any of the following characteristics:
- High level of visibility
- Uses institutional credentials, such as Berkeley Lab Identity (LDAP) or Windows Active Directory
- Hosts a business or administrative service used by the broad Lab community
- Production IT Division web servers
Minimum Security Requirements Are Not Enough
The Minimum Security Requirements are insufficient for web servers, which are exposed to numerous attack vectors. Running a web server requires diligence in monitoring the cyber environment. Extra caution needs to be paid to web servers, including exceptionally fast patching of OS and service (including web server) vulnerabilities. Strong, restrictive host-based firewalls are strongly recommended. There is a greater expectation that you, the system administrator, will be attentive to the web server. That means actively reviewing logs, understanding new security issues, and checking in on content. Lastly, the web server software itself is a target of attack. Attackers are very proficient at taking advantage of the smallest misconfiguration. It is beyond the scope of this document to describe every configuration; instead, we advise you to review the configuration and best practices for your web server software (Apache, IIS, etc.).
Separate Other Resources From Web Servers
If the web server is successfully attacked, other resources on the server are also put at risk. For example, if you host your web server on the same box where your personal files are stored, your personal files are at a greater risk. In extreme cases we have seen web servers acting as NFS and NIS servers. CPP advises that you dedicate a web server to the single function of being a web server. Do not run other services, especially those that offer authentication or other security resources, on a web server.
Popular packages must be maintained
Applications like open source wikis, photo galleries, content management systems, and blogs are a growing vector of attack. These are increasingly popular applications because they are easy to set up and feature rich. However, these applications are targeted and attacked within hours of announced vulnerabilities. Some recent examples include Joomla, Drupal, Mediawiki, and struts2 based applications. If you run popular web applications or frameworks, you must subscribe to the security lists of these products and immediately patch them when vulnerabilities are announced.
It is important you understand that the usual leeway provided by LBNL's security defenses is of no use in the case of these attacks. These products are typically attacked directly with no prior indication of malicious behavior, and signatures for perimeter protection may not yet be available. It is incumbent on you to patch these web applications quickly.
Vulnerabilities must be addressed
Several types of web vulnerabilities are used to launch the majority of attacks. The most damaging of these are SQL injection attacks, which can allow an attacker to read, write, or modify the contents of a database through the web application. Cross-site scripting (XSS) can enable particularly tricky social engineering attacks. For these reasons, the cyber security team scans web applications for these types of vulnerabilities on a regular basis. If these vulnerabilities are found and not addressed, the web server will be unregistered.
Use caution with custom code
Custom code, such as CGIs, commonly runs as the web server user. These scripts are routinely scanned and attacked by both humans and automated tools. An attacker who finds exploitable scripts or code will use them to attack your underlying data and system. Writing secure code and attending to all the various attack scenarios (like XSS and SQL injection) is a big topic - much too big for this web page. CPP may be able to refer you to additional resources, but at a minimum, limit your use of custom code and get help from experienced people. You can also request a web vulnerability scan of your custom code by contacting firstname.lastname@example.org. This can identify some of the most common vulnerabilities.
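The two vulnerability classes named above (SQL injection and XSS) both come from the same mistake in custom code: untrusted request data is pasted into SQL text or HTML without being treated as data. The following is an added example, not code from this page or from the Lab; it uses an in-memory SQLite table with constructed sample users and shows the string-concatenation pattern beside the parameterized query and escaped output that a CGI script should use instead.

```python
import html
import sqlite3

# Constructed sample data standing in for a web application's user table.
SAMPLE_ROWS = [
    ("alice", "Alice Ng", "alice@example.org"),
    ("obrien", "Pat O'Brien", "obrien@example.org"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The pattern to avoid: request input concatenated into the SQL text.
    The input becomes part of the statement, so a name containing a quote
    changes the statement's structure. Here a legitimate name with an
    apostrophe simply breaks the query; that same property is what SQL
    injection abuses."""
    sql = "SELECT login, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the driver binds the value as a parameter, so the
    input is always data and is never parsed as SQL, whatever it contains."""
    sql = "SELECT login, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_result(name: str, rows: list) -> str:
    """Escape every value that came from the request or the database before
    placing it in HTML; this is the basic output-encoding defence against XSS
    in CGI output."""
    items = "".join(
        f"<li>{html.escape(login)}: {html.escape(email)}</li>"
        for login, email in rows
    )
    return f"<p>Results for {html.escape(name)}:</p><ul>{items}</ul>"
```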