Hello and welcome to TrainSignal. You're watching the web security video of the CompTIA Security+ training course. In this video we're going to be taking a look at web server security, and specifically how we can lock down our web servers to the degree necessary to keep them safe when they're deployed as public-facing web servers.

We're also going to be taking a look at how to build secure web services for our company, and that involves more than just putting a server up and loading applications on it. It involves identifying what the highest possible threats associated with web services are, and then putting some countermeasures in place to make sure that our servers are protected from those particular types of attacks.

Next we're going to take a look at browsing protocols, because our clients and our servers are going to be communicating with each other using various protocols, and we need to understand the implications of how each of these protocols works, what the security issues are with each one of them, and in some cases how certain protocols can be used to enhance our security portfolio.

Finally we're going to take a look at instant messaging. It's an important web-enabled technology, and there are a lot of companies and even private individuals that use instant messaging to enhance their communication capabilities. The problem with instant messaging is that it may not be as perfectly secure as a lot of people think it is, so what can we do as IT security professionals to address some of the security concerns regarding instant messaging?

Of course, here is the challenge that we face: there are several different web server technologies that can be used by a company to provide web services to their internal and their external customers. This is just a short list of popular web server applications that you might run into as an IT security professional. Each of these web server applications requires its own steps to be taken to secure its installation; it's not a one-approach-fits-all kind of situation. You have to know the specifics about each one of these different types of web servers and then apply the proper steps necessary to secure those servers, so that they can provide everything the customers in the company are expecting them to, while at the same time not leaving any open vulnerabilities, whether in the web server application itself or in web apps that are installed on top of the web server. As IT security pros we need to understand those implications and make sure that they're being properly addressed.

Now, while it's outside the scope of the course objectives for us to dive into each one of those web server technologies and identify how to specifically secure each one of them, it is within the scope of this particular course to identify some of the general things that we should be doing, some of the best practices that we should be applying to our web servers to make sure that they're secure.
So let's take a look at how we can actually lock down our web server. You're going to see that it's really not all that unlike locking down any other kind of server that we have in our environment.

We want to make sure that the software we've installed is updated to the most current level, and that if there are any patches that need to be applied to plug up any security holes, we apply those patches in a timely manner. So again: patching the operating system, patching the web server application, and also patching any of the other apps that are riding on top of that web server is important to make sure that the system is completely secure.

We want to remove any unused applications. Any time you've got software installed and running on a server, there is a potential that that software could be used to exploit that server, so if it's not needed, get rid of it.

We also want to make sure that we turn off any unnecessary services, or, in the UNIX world, daemons. If they're not needed, they get shut down; again, it's just another way for an attacker to gain access to our valuable systems.

We want to make sure that we log and audit all of the activity on those systems, because they are customer-facing; in many respects they're facing the public, maybe in our DMZ for example. We want to know who's gaining access to them and what they're trying to do, so auditing is a very critical part of securing a server.

And then of course we want to make sure that we perform regular system backups of all of the data that's being created, generated and maintained by that system.

As part of an earlier exercise that took place at Globomantics, the IT security team had identified that servers were not being properly locked down prior to deployment, so they put a standard in place that has all of the specific steps that need to be taken to lock servers down before they can actually get onto the corporate network. All new servers being deployed, whether they're web servers or not, have to go through that particular checklist to make sure that they meet the standard. As for servers that were deployed prior to the standard being in place, Globomantics will be looking at each of the servers in their environment, and if they do not meet that lockdown standard they will either be reconfigured to be locked down or, if they're old enough and it's time to retire them, they'll be replaced with new hardware and a new configuration, and again it will go through that lockdown checklist to make sure that those servers are fully secure.
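Here is an added example that is not part of the TrainSignal course: a small Python script that automates one step of the lockdown checklist above, the "turn off unnecessary services" step. It parses the kind of output `ss -tlnp` produces on Linux, compares every listening process and port against an allowlist for the host's role, and reports anything else, distinguishing listeners exposed on every interface from loopback-only ones. The sample output, the nginx and sshd process names and the allowlist are constructed for the example, not taken from the course or from any real host.

```python
"""Lockdown-checklist audit: flag listening services a public-facing
web server has no business running (added example, not course material)."""
import re
import shutil
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=812,fd=7))
LISTEN  0       128     10.0.5.12:22         0.0.0.0:*          users:(("sshd",pid=600,fd=3))
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=905,fd=4))
LISTEN  0       50      *:3306               *:*                users:(("mysqld",pid=1120,fd=20))
LISTEN  0       4096    127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=777,fd=6))
"""

# Assumed allowlist for this host's role: HTTP/HTTPS from the web server
# process and SSH for administrators. Adjust per server role.
ALLOWED = frozenset({("nginx", 80), ("nginx", 443), ("sshd", 22)})

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    process: str
    port: int
    address: str

    def exposed(self) -> bool:
        """True when bound to every interface rather than loopback or one NIC."""
        return self.address in {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(output: str) -> list[Listener]:
    """Extract (process, port, bind address) from each LISTEN line."""
    listeners = []
    for line in output.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            address, port, process = match.groups()
            listeners.append(Listener(process=process, port=int(port), address=address))
    return listeners


def audit_listeners(listeners, allowed=ALLOWED) -> list[tuple[str, str]]:
    """Return (severity, message) for every listener not on the allowlist.
    Listeners reachable on all interfaces are 'high'; loopback-only ones are
    'medium' because they still widen the attack surface for a local foothold."""
    findings = []
    for l in listeners:
        if (l.process, l.port) in allowed:
            continue
        if l.exposed():
            findings.append(("high", f"{l.process}:{l.port} listens on all interfaces; "
                                     "stop and disable it unless the web role requires it"))
        else:
            findings.append(("medium", f"{l.process}:{l.port} listens on {l.address} only; "
                                       "disable it if no local component needs it"))
    return findings


def audit_sample() -> list[tuple[str, str]]:
    """Run the audit against the constructed sample output."""
    return audit_listeners(parse_ss(SAMPLE_SS_OUTPUT))


if __name__ == "__main__":
    # Use real `ss` output when the tool is present, otherwise the sample.
    if shutil.which("ss"):
        output = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout
    else:
        output = SAMPLE_SS_OUTPUT
    for severity, message in audit_listeners(parse_ss(output)):
        print(severity.upper(), message)
```

On the sample this reports the FTP daemon and the database bound to every interface as high findings and the loopback-only Redis as medium; the two web listeners and SSH pass. Running it as part of the deployment checklist gives you a repeatable record of what was listening when the server was signed off.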
Now the next step in web server security is giving people access to your box. While that may seem contradictory to the concept of security, security means two things. It means not letting people onto your boxes that shouldn't have access to that data or those systems, and the other half of it is giving people the proper levels of access to the systems that they need in order for them to do their job, or, in the case of your customers, in order for them to do business with you. So now it's time for IT security to plan a strategy around how we're going to let people gain access to our web servers; access control becomes the next point of concern in web server security.

Some of the things we want to consider: on really critical boxes that have sensitive data on them, we want to require that users authenticate, and we have to make sure that they have a valid user name and password. We even want to go so far as to make sure that encrypted authentication traffic is the way we do business. We do not want to allow people to authenticate in clear text; it's way too easy for anybody on the network, or even on the internet, to sniff that packet, find out what their login credentials are, and then just log in. So we want encrypted authentication traffic, and any transmission of data between the endpoints, between the client and the server, should be fully encrypted as well.

The next thing that you want to do is restrict your user accounts, and I like to start off by restricting my anonymous user account, which is an account that gets installed by default with a lot of the different web servers out there. The example I have here for you is Microsoft's IIS, Internet Information Server. As soon as you install IIS it creates an account called IUSR_ followed by the name of the server; together that is the anonymous user account. You want to apply least privilege not just to that account, but definitely to that account, because that's the account that people will use to just generically browse your website. When somebody connects up and is browsing your website they're basically authenticating using that particular account, so you want to make sure that it doesn't have carte blanche privileges on that server.

You want to apply least privilege to everyone, even if you are going to be doing some level of authentication. If you're going to be using, say, Windows authentication to make sure that people are who they say they are, you want to apply least privilege to each one of those accounts so they can only do what they're supposed to.

You also want to restrict local logon. Who needs to actually log on to the server itself? Authenticating to the website is one thing, but being able to log on to the server and gain access to the operating system, the configuration files of the website and all of the other stuff that's on that server is generally limited to the administrators of the box and the web environment, and potentially of the applications that were installed. Most other users are not going to have to log on locally, so limit the number of people that can.

Also limit how you use the write and execute permissions. The write permission will allow an end user to modify files on that website, and the execute permission will allow them to actually run a script or some executable file, and depending upon that file it could do some harm. So you want to limit how you apply write and execute privileges to your website.

Another best practice to apply to your web servers is to make your privileged accounts unique. Anyone that has any level of privilege on that web server should be logging into that web server with a special account that they and only they will use; it helps you keep track of who's been on that box and potentially what changes they've made. But you also want to make sure that those accounts are different from the accounts they would use to log into the normal internal network, because if you've got a box out on the DMZ that's exposed to the internet, anybody can potentially hack their way onto that box if they put enough effort into it, and you don't want them finding user accounts and passwords that can gain them access to the internal network. So again, make them different from the internal IDs that you use for logging on to your main network.

And then finally you want to secure your directory structures. The content of a website is organized into various directories that reside under the web root hierarchy; the web root is the top level of that hierarchy. The permissions that you place on the directories will control what a user or a script can actually do within that website, so you want to make sure that you're applying proper security to the directory structure that represents that website. You're probably wondering what specific settings, what kinds of permissions, we should be applying to the directories within that web root structure. That level of detail falls outside of the course objectives for Security+, but at least at this point you're aware of the fact that there are directory structure security mechanisms, permissions, that you need to put in place to better secure that web server. When you do get out there and you're actually working on securing a web server, you can take a look at which operating system, which web server technology and which file system capabilities are built into that configuration, what your options are and what the business requirements are, and then you can make the appropriate choices at that time.
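As an added example that is not from the course, here is a Python audit of a web root's directory permissions that enforces two of the points above: nothing under the web root should be world-writable, and write and execute should not be granted together, with executables confined to a designated script directory. It builds a constructed sample tree in a temporary directory and audits it; the layout, the file names and the `cgi-bin` policy are assumptions made for the example. It reads POSIX mode bits, so it applies to UNIX-style web servers; on IIS the same policy is expressed as NTFS permissions on the IUSR_ account rather than mode bits.

```python
"""Audit a web root tree for permission mistakes: world-writable content and
executables in writable directories (added example, not course material)."""
import os
import stat
import sys
import tempfile
from pathlib import Path

# Top-level directories (relative to the web root) where executable scripts
# are expected. Assumed policy for this example, not a web server setting.
SCRIPT_DIRS = frozenset({"cgi-bin"})


def _mode(path: Path) -> int:
    """Permission bits only (no file-type bits), without following symlinks."""
    return stat.S_IMODE(path.lstat().st_mode)


def audit_webroot(webroot, script_dirs=SCRIPT_DIRS) -> list[tuple[str, str]]:
    """Walk the tree and return sorted (relative path, rule) findings."""
    webroot = Path(webroot)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        directory = Path(dirpath)
        rel_dir = directory.relative_to(webroot).as_posix()
        dir_mode = _mode(directory)
        if dir_mode & stat.S_IWOTH:
            findings.append((rel_dir, "world-writable"))
        # Writable by anyone other than the owner: group or other write bit.
        shared_writable = bool(dir_mode & (stat.S_IWGRP | stat.S_IWOTH))
        # The first path component decides whether scripts belong here.
        in_script_dir = rel_dir.split("/")[0] in script_dirs
        for name in filenames:
            path = directory / name
            rel = path.relative_to(webroot).as_posix()
            mode = _mode(path)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if executable and shared_writable:
                # Write plus execute: an attacker who can drop a file can run it.
                findings.append((rel, "executable-in-writable-dir"))
            if executable and not in_script_dir:
                findings.append((rel, "executable-outside-script-dir"))
    return sorted(findings)


def build_sample_webroot(root: Path) -> None:
    """Create a constructed tree with deliberate mistakes for the audit to find."""
    files = {
        "index.html": 0o644,           # clean static content
        "uploads/avatar.png": 0o644,   # clean upload
        "uploads/shell.php": 0o755,    # executable dropped into a writable dir
        "cgi-bin/form.cgi": 0o755,     # executable where scripts belong
        "includes/config.inc": 0o666,  # world-writable file
    }
    dir_modes = {"uploads": 0o777, "cgi-bin": 0o755, "includes": 0o755}
    for rel, mode in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample\n")
        path.chmod(mode)
    for rel, mode in dir_modes.items():
        (root / rel).chmod(mode)


def run_sample_audit() -> list[tuple[str, str]]:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        root.mkdir()
        root.chmod(0o755)
        build_sample_webroot(root)
        return audit_webroot(root)


if __name__ == "__main__":
    # Audit a real web root if one is given, otherwise the constructed sample.
    results = audit_webroot(sys.argv[1]) if len(sys.argv) > 1 else run_sample_audit()
    for rel, rule in results:
        print(f"{rule:32} {rel}")
```

Run against the sample it flags the world-writable `uploads` directory and `config.inc`, and reports `shell.php` twice: once because it is executable inside a directory others can write to, and once because it is executable outside the designated script directory. Pointing it at a real document root is a quick way to check the "limit write and execute" rule before a server goes through the lockdown checklist.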
Now we're going to take a look at what we need to do to actually build secure web services. Beyond just building a secure server, we have to take a look at the bigger picture now and identify the different things we have to take into consideration when building web services. Building secure web services involves being very keenly aware of the top threats that can compromise a web services environment. If you know what the top threats are, then you can take the proper countermeasures to make sure that your systems are secure from those types of attacks. So we're going to talk specifically about things like unauthorized access, parameter manipulation, network eavesdropping, message replay and disclosure of configuration data.

Now, if you take a look at the little graphic that I have below here, notice how we have a consumer who wants to gain access to web services, and there's this external firewall that they have to go through. Now notice the different types of threats that we just mentioned; here we have