502 Chapter 8 • Infrastructure Security: System Hardening
Web pages are stored on servers running Web services software such as Microsoft's Internet Information Server (IIS) or Apache (developed for Linux and UNIX servers, but also now available for Windows). Web servers must be accessible via the Internet if the public is to be able to access the Web pages. However, this accessibility provides a point of entry to Internet "bad guys" who want to get into the network, so it is vitally important that Web servers be secured. It's such a tempting target because in many cases it's the only part of your network that an attacker can access. Protecting a Web server is no small task. Systems attached to the Internet before they are fully "hardened" are usually detected and compromised within minutes. Malicious crackers are always actively searching for systems to infiltrate, making it essential that a Web server is properly locked down before bringing it online.
First and foremost, administrators must lock down the underlying OS. This process includes applying updates and patches, removing unneeded protocols and services, and properly configuring all native security controls. Second, it is wise to place the Web server behind a protective barrier, such as a firewall or a reverse proxy. Anything that limits, restricts, filters, or controls traffic into and out of a Web server reduces the means by which malicious users can attack the system. Third, administrators must lock down the Web server itself. This process actually has numerous facets, each of which is important to maintaining a secure Web server.
Many Web servers, such as older versions of IIS, use a named user account to authenticate anonymous Web visitors. When a Web visitor accesses a Web site using this methodology, the Web server automatically logs that user on as the IIS user account.
The visiting user remains anonymous, but the host server platform uses the IIS user account to control access. This account gives system administrators granular access control on a Web server.
These specialized Web user accounts should have their access restricted so they cannot log on locally or access anything outside the Web root. Additionally, administrators should be very careful about granting these accounts the ability to write to files or execute programs; this should be done only when absolutely necessary. If other named user accounts are allowed to log on over the Web, it is essential that these accounts not be the same user accounts employed to log onto the internal network. In other words, if employees log on via the Web using their own credentials instead of the anonymous Web user account, administrators should create special accounts for those employees to use just for Web logon.
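The restrictions described above (a Web service account that cannot log on interactively, a Web root the account cannot write to, and execute permission granted only where justified) can be checked mechanically. The following POSIX shell audit is an added example, not code from the book; it assumes an Apache-style deployment on Linux/UNIX, a service account named `www-data` and a Web root path, both of which are assumptions and passed as arguments. The passwd file and Web root it inspects are constructed inline so the script runs offline; point `audit` at the real `/etc/passwd` and Web root to use it on a host.

```sh
#!/bin/sh
# Added example (not from the book): audit a Web service account and its Web root
# against the lock-down rules in the text. ASSUMPTIONS: account "www-data",
# Apache-style Web root; both are parameters. The sample passwd file and Web
# root built by build_sample are CONSTRUCTED so the script runs offline.

# Return 0 when the account's login shell is non-interactive, i.e. the account
# cannot log on locally even if its password were known; 1 when it can;
# 2 when the account does not exist in the given passwd file.
account_cannot_login() {
    passwd_file=$1
    user=$2
    login_shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
    [ -n "$login_shell" ] || return 2
    case "$login_shell" in
        /usr/sbin/nologin|/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every regular file under the Web root writable by its group (020) or by
# others (002). A read-only Web root stops a compromised Web process from
# modifying the pages it serves.
writable_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) | sort
}

# Print every regular file under the Web root carrying any execute bit
# (100, 010, 001); each is a program the Web account may run and should be
# justified individually, per the text's "only when absolutely necessary".
executable_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort
}

# Run all checks; return 0 when the account and Web root meet the rules.
audit() {
    pw=$1; user=$2; root=$3; rc=0
    if account_cannot_login "$pw" "$user"; then
        echo "OK   $user has a non-interactive login shell"
    else
        echo "FAIL $user can log on interactively (or is missing)"; rc=1
    fi
    w=$(writable_files "$root")
    if [ -n "$w" ]; then
        echo "FAIL group/world-writable files under $root:"; echo "$w"; rc=1
    else
        echo "OK   no group/world-writable files under $root"
    fi
    x=$(executable_files "$root")
    if [ -n "$x" ]; then
        echo "WARN executable files under $root (justify each):"; echo "$x"
    fi
    return $rc
}

# Build a CONSTRUCTED sample: a passwd file and a tiny Web root in a temp dir.
# "webops" is a sample account with an interactive shell, to show a failure.
build_sample() {
    sample=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$sample/passwd"
    printf 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n' >> "$sample/passwd"
    printf 'webops:x:1001:1001::/home/webops:/bin/bash\n' >> "$sample/passwd"
    mkdir -p "$sample/html/uploads" "$sample/html/cgi-bin"
    printf '<html></html>\n' > "$sample/html/index.html"
    chmod 0644 "$sample/html/index.html"            # read-only page: fine
    : > "$sample/html/uploads/notes.txt"
    chmod 0666 "$sample/html/uploads/notes.txt"     # world-writable: finding
    printf '#!/bin/sh\n' > "$sample/html/cgi-bin/form.sh"
    chmod 0755 "$sample/html/cgi-bin/form.sh"       # executable: warning
    printf '%s\n' "$sample"
}

# Stand-alone demo against the constructed sample.
demo_dir=$(build_sample)
if audit "$demo_dir/passwd" www-data "$demo_dir/html"; then
    echo "audit: clean"
else
    echo "audit: findings above need attention"
fi
rm -rf "$demo_dir"
```

On a live host, `audit /etc/passwd www-data /var/www/html` reports the same three classes of result; the WARN line is deliberately not a failure, because some executables (CGI handlers, for example) are legitimate, but each one listed is a decision the administrator should have made consciously.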
Authorizations over the Internet should not be considered secure unless strong encryption mechanisms are in place to protect them. Secure Sockets Layer (SSL)
www.syngress.com