
256    Chapter 5 • Communication Security: Web Based Services


                  ■   Logging activity
                  ■   Performing backups
                  ■   Maintaining integrity

                  ■   Finding rogue Web servers
                  ■   Stopping browser exploits




              TEST DAY TIP
                  For the Security+ exam, you will not need to know the step-by-step process
                  of how to make a Web server secure, but you will be expected to know the
                  technical details of how a Web server can be exploited and the details on
                  how to fix the exploits. For example: making sure that your Web servers are
                  completely patched with updates and hot fixes.





             Managing Access Control

             Many Web servers, such as IIS on Windows OSes, use a named user account to
             authenticate anonymous Web visitors (by default, this account on IIS servers is
             called IUSER_<computername>). When a Web visitor accesses a Web site using this
             methodology, the Web server automatically logs that user on as the IIS user
             account. The visiting user remains anonymous, but the host server platform uses the
             IIS user account to control access. This account gives system administrators
             granular access control on a Web server: all anonymous users have the same level
             of access, whereas users accessing the services through their own user accounts can
             have different levels of access.
                 These specialized Web user accounts (for anonymous users) must have their
             access restricted so they can neither log on locally nor access anything outside
             the Web root. Additionally, administrators should be very careful about granting
             these accounts the ability to write to files or execute programs; this should be
             done only when absolutely necessary. If other named user accounts are allowed to
             log on over the Web (to give certain users a higher level of access than the
             anonymous account has), it is essential that these accounts not be the same user
             accounts employed to log onto the internal network. In other words, if employees
             log on via the Web using their own credentials instead of the anonymous Web user
             account, administrators should create special accounts for those employees to use
             just for Web
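             The restrictions described above (the anonymous account must not log on locally,
             must not reach outside the Web root, and should hold write or execute rights only
             where necessary) can be audited on an IIS host with the script below. It is an added
             example written for this edition, not code from the book or from Microsoft. It assumes
             IIS 7 or later with the WebAdministration module, that it is run from an elevated
             prompt (secedit requires it), and that the site name, Web root and "outside" paths
             are placeholders you replace with your own.

```powershell
# Added audit script (not from the book): checks the three restrictions the text
# describes for the anonymous Web user account on an IIS host.
# Assumptions: IIS 7+, WebAdministration module, elevated prompt. The site name,
# Web root and extra paths below are placeholders for your environment.
param(
    [string]$SiteName       = 'Default Web Site',                               # assumed
    [string]$WebRoot        = 'C:\inetpub\wwwroot',                             # assumed
    [string[]]$OutsidePaths = @("$env:SystemRoot\System32", 'C:\inetpub\logs')  # assumed
)

Import-Module WebAdministration

function Get-AnonymousWebIdentity {
    # Step 1: which account does IIS log anonymous visitors on as for this site?
    param([string]$Site)
    $prop = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name 'userName'
    if ([string]::IsNullOrEmpty($prop.Value)) {
        # A blank userName means IIS 7+ runs anonymous requests as the application pool identity.
        $pool = (Get-Item "IIS:\Sites\$Site").applicationPool
        return "IIS AppPool\$pool"
    }
    return $prop.Value   # e.g. 'IUSR', or a custom anonymous account
}

function Get-RightsForIdentity {
    # Returns the Allow ACEs on $Path granted to $Account, matching on the account name
    # after the backslash so that 'NT AUTHORITY\IUSR' matches 'IUSR'.
    param([string]$Path, [string]$Account)
    $name = $Account.Split('\')[-1]
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value.Split('\')[-1] -eq $name
    }
}

function Test-WebRootRights {
    # Step 2: report write and execute rights the account holds on the Web root.
    param([string]$Path, [string]$Account)
    $writeBits   = ([int][System.Security.AccessControl.FileSystemRights]::Write) -bor ([int][System.Security.AccessControl.FileSystemRights]::Delete)
    $executeBits = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    foreach ($ace in Get-RightsForIdentity -Path $Path -Account $Account) {
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeBits) -ne 0) {
            Write-Warning "$Account can WRITE under $Path ($($ace.FileSystemRights)); grant only if required"
        }
        if (($rights -band $executeBits) -ne 0) {
            Write-Output "Note: $Account can EXECUTE under $Path; keep this only where required"
        }
    }
}

function Test-DenyLocalLogon {
    # Step 3: export the local security policy and check whether the account's SID is
    # listed under SeDenyInteractiveLogonRight ("Deny log on locally").
    param([string]$Account)
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'local-policy-export.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeDenyInteractiveLogonRight*' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    # Entries look like: SeDenyInteractiveLogonRight = *S-1-5-17,*S-1-5-32-546
    $entries = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
    return ($entries -contains $sid)
}

$anonUser = Get-AnonymousWebIdentity -Site $SiteName
Write-Output "Anonymous visitors to '$SiteName' run as: $anonUser"

Test-WebRootRights -Path $WebRoot -Account $anonUser

foreach ($p in $OutsidePaths) {
    # Only explicit ACEs for the account are reported here; rights inherited through
    # group membership (e.g. BUILTIN\Users) need a separate review.
    if (Get-RightsForIdentity -Path $p -Account $anonUser) {
        Write-Warning "$anonUser has an explicit grant outside the Web root: $p"
    }
}

if (Test-DenyLocalLogon -Account $anonUser) {
    Write-Output "$anonUser is denied local logon (OK)"
} else {
    Write-Warning "$anonUser is NOT in 'Deny log on locally'; add it via secpol.msc or Group Policy"
}
```

             Run it as `.\Audit-AnonymousWebAccount.ps1 -SiteName 'MySite' -WebRoot 'D:\Sites\MySite'`
             (script name assumed). Execute rights are reported as a note rather than a warning
             because Read & Execute on static content is normal; write rights and any explicit
             grant outside the Web root are the findings to act on.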



          www.syngress.com