Communication Security: Web Based Services • Chapter 5 255
tocol stack is a must. So far, this book has exposed you to the inner workings of
TCP/IP and Internet communications. This chapter looks at Web-based security
and topics including server and browser security, exploits, Web technologies such as
ActiveX, JavaScript, and CGI, and much more.
Web Server Lockdown
Web servers store all of the Hypertext Markup Language (HTML), Dynamic
Hypertext Markup Language (DHTML), Active Server Pages (ASP), and eXtensible
Markup Language (XML) documents, graphics, sounds, and other files that make up
Web pages. In some cases, the same machine also holds data that a business does not
want to share over the Internet. For example, small businesses often have a single
physical server that performs all server functions for the organization, including Web
services, so a flaw in the Web service exposes everything else on that host. Even a
dedicated Web server can serve as a pathway into the internal network unless its
security is properly configured. Thus, it is vital that Web servers be secure.
NOTE
The most popular types of Web server software include Apache (which
can be run on Linux/Unix machines, Windows, and Apple computers),
and Microsoft’s Internet Information Services (IIS) (which is built into
Windows server products as well as Windows XP and Vista operating sys-
tems [OSes]), Zeus Web Server, and Sun Java Web Server. According to
Netcraft’s Web Server Survey for December 2006
(www.news.netcraft.com/archives/web_server_survey.html), Apache ran
on 60.32 percent of Web Servers, IIS ran on 31.04 percent, Sun ran on
1.68 percent and Zeus ran on 0.51 percent.
Locking down a Web server follows a path that begins in a way that should
already be familiar: applying the latest patches and updates from the vendor. Once
this task is accomplished, the network administrator should follow the vendor's
recommendations for configuring Web services securely. The following sections discuss
typical recommendations made by Web server vendors and security professionals,
including:
■ Managing access control
■ Handling directory and data structures
■ Eliminating scripting vulnerabilities
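The lockdown topics listed above map directly onto a handful of directives in the Apache configuration file, the most widely deployed server in the survey quoted in the note. The following script is an added example, not code from the book or from the Apache project: it parses a constructed httpd.conf fragment and reports the settings a lockdown review would flag, namely version leakage in banners and error pages (ServerTokens, ServerSignature), directory listing (Options Indexes), .htaccess policy overrides (AllowOverride), and the absence of a deny-by-default root <Directory /> block. The directive names are real Apache 2.x directives; both sample configurations are constructed for this example, and the parser handles only the subset of the configuration syntax they use (no Include files, no conditional blocks).

```python
"""Minimal Apache httpd.conf lockdown linter (added example, not from the book).

Checks a handful of Apache 2.x directives that correspond to the lockdown
topics in the text: information leakage (ServerTokens/ServerSignature),
directory listing (Options Indexes), .htaccess overrides (AllowOverride),
and a deny-by-default root <Directory /> block. Both configuration samples
below are constructed for this example and are not real deployments.
"""
import re

# Constructed sample: a permissive fragment, as a default install might ship it.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
<Directory />
    Options FollowSymLinks Indexes
    AllowOverride All
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

# Constructed sample: the same fragment after lockdown.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

_DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+)"?\s*>\s*$', re.I)
_DIR_CLOSE = re.compile(r'^\s*</Directory>\s*$', re.I)


def parse_directories(conf):
    """Split a config fragment into global directives and per-<Directory> directives.

    Returns (global_directives, {path: directives}); each directive is (name, args).
    Comments and blank lines are ignored. Nested or conditional blocks are not
    supported in this example parser.
    """
    global_directives = []
    dirs = {}
    current = None
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = _DIR_OPEN.match(line)
        if m:
            current = m.group(1)
            dirs.setdefault(current, [])
            continue
        if _DIR_CLOSE.match(line):
            current = None
            continue
        name, _, args = line.partition(' ')
        entry = (name, args.split())
        (dirs[current] if current is not None else global_directives).append(entry)
    return global_directives, dirs


def lint_apache_conf(conf):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    global_directives, dirs = parse_directories(conf)
    g = {name.lower(): args for name, args in global_directives}

    # Banner and error-page version disclosure.
    if [a.lower() for a in g.get('servertokens', [])] != ['prod']:
        findings.append('ServerTokens should be Prod (response banner leaks version and modules)')
    if [a.lower() for a in g.get('serversignature', [])] != ['off']:
        findings.append('ServerSignature should be Off (error pages leak version)')

    # Deny the filesystem by default, then grant specific document roots.
    root = dirs.get('/')
    if root is None:
        findings.append('no <Directory /> block: filesystem is not denied by default')
    else:
        root_directives = {n.lower(): a for n, a in root}
        if [a.lower() for a in root_directives.get('require', [])] != ['all', 'denied']:
            findings.append('<Directory />: add "Require all denied"')

    # Per-directory listing and override checks.
    for path, directives in dirs.items():
        for name, args in directives:
            lname = name.lower()
            if lname == 'options' and any(a.lower() in ('indexes', '+indexes') for a in args):
                findings.append(f'{path}: directory listing enabled (Options Indexes)')
            if lname == 'allowoverride' and [a.lower() for a in args] != ['none']:
                findings.append(f'{path}: AllowOverride {" ".join(args)} lets .htaccess files override policy')
    return findings


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(f'{label}: {len(lint_apache_conf(conf))} finding(s)')
        for f in lint_apache_conf(conf):
            print('  -', f)
```

Run against the permissive sample the linter reports seven findings (two banner leaks, the missing root deny, and listing plus override problems in both directory blocks); against the hardened sample it reports none. The checks are deliberately conservative: a directive that is simply absent counts as a finding, because the Apache defaults for ServerTokens and ServerSignature are not the locked-down values, and a review should not have to know the compiled-in default to judge the file.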
www.syngress.com