__________________________________________________________

The following a set of "Best Practices" for an Internet Webserver, based on my
own experience and advisory J-042 from the U.S. Department of Energy
Computer Incident Advisory Capability (CIAC)

__________________________________________________________

PROBLEM: Public web servers continue to be attractive targets for hackers seeking to embarrass organizations or promote a political agenda. Good security practices can protect your site from the risks such compromises create.
PLATFORM: Any UNIX platform or NT system being used as a web server.
DAMAGE: Damage can be anything from a denial-of-service attack, the placement of pornographic material, the posting of political messages, or the deletion of files or the placement of malicious software.

SOLUTION: Follow known best practices and apply software patches as soon as they are announced by your incident response team or your vendor.


BEST PRACTICES IN MANAGING WORLD WIDE WEB SERVER SECURITY:

  1. Network filtering:
  2. Host based security:
  3. Configuring the Web service/application:
  4. Auditing/logging:
    • Log all user activity and maintain those logs either in an encrypted form on the web server or store them on a separate machine on your Intranet, or write to "write-once" media.
    • Monitor system logs regularly for any suspicious activity.
    • Install some trap macros to watch for attacks on the server (such as the PHF attack).
    • Create macros that run every hour or so that would check the integrity of passwd and other critical files.
    • When the macros detect a change, they should send an e-mail to the system manager, write a message to logs, set off a pager, etc..
  5. Content management:
  6. Intrusion Detection:

BULLETINS PUBLISHED RELATING TO WEB SERVERS:

UNIX Systems

F-11: Unix NCSA httpd Vulnerability http://www.ciac.org/ciac/bulletins/f-11.shtml
H-01: Vulnerabilities in bash http://www.ciac.org/ciac/bulletins/h-01.shtml
I-024: CGI Security Hole in EWS1.1 Vulnerability  http://www.ciac.org/ciac/bulletins/i-024.shtml
I-082: HP-UX Netscape Servers Vulnerability http://www.ciac.org/ciac/bulletins/i-082.shtml
I-040: SGI Netscape Navigator Vulnerabilities http://www.ciac.org/ciac/bulletins/i-040.shtml

Domino 4.6 may allow unauthorized writes to remote server drives and server configuration files. http://www.l0pht.com/advisories/domino2.txt

Excite 1.1 may set encrypted password files world writable. BUGTRAQ Mail Archives: "Security bugs in Excite for Web Servers 1.1" at http://www.netspace.org/cgi-bin/wa?A2=ind9811e&L=bugtraq&F=&S=&P=519

ColdFusion Application Server and unauthorized access to web server data. http://www.excite.com/computers_and_internet/tech_news/zdnet/?article=/news/19990429/1014542.inp

Windows Systems

I-024: CGI Security Hole in EWS1.1 Vulnerability http://www.ciac.org/ciac/bulletins/i-024.shtml
I-025A: Windows NT based Web Servers File Access Vulnerability http://www.ciac.org/ciac/bulletins/i-025a.shtml

Microsoft bulletins can be found under the Microsoft Security Advisor web page at http://www.microsoft.com/security/default.asp The following bulletins appeared in "Current Security Bulletins" and "Security Bulletin Archives":
MS99-013: Solution Available for File Viewers Vulnerability. (May 7, 1999)
MS99-012: MSHTML Update Available for Internet Explorer. (April 21, 1999)
MS99-011: Patch Available for "DHTML Edit" Vulnerability. (April 21, 1999)
MS98-019: Patch Available for IIS "GET" Vulnerability. (December 21, 1998)
MS98-016: Update available for "Dotless IP Address" Issue in Microsoft Internet Explorer 4. (October 23, 1998)
MS98-011: Update Available for "Window.External" JScript Vulnerability in Microsoft Internet Explorer 4.0. (August 17, 1998)
MS98-004: Unauthorized ODBC Data Access with Remote Data Services and Inernet Information Systems. (July 15, 1998)

"ISAPI Extension vulnerability allows to execute code as SYSTEM" at: http://www.ntbugtraq.com/page_archives_wa.asp?A2=ind9903&L= ntbugtraq&F=P&S=&P=2439

Internet Explorer 5.0 cached passwords can be reused by another user. http://www.zdnet.com/zdnn/stories/news/0,4586,1014586,00.html http://www.zdnet.com/anchordesk/story/story_3351.html

Internet Explorer (3.01, 3.02, 4.0, 4.01) may allow frame spoofing to trick the user Microsoft Knowledgebase Article ID: Q167614: "Update Available For "Frame Spoof" Security Issue" http://support.microsoft.com/support/kb/articles/q167/6/14.asp

Systems running NCSA HTTPD and Apache HTTPD

G-17: Vulnerabilities in Sample HTTPD CGIs http://ciac.llnl.gov/ciac/bulletins/g-17.shtml
G-20: Vulnerability in NCSA and Apache httpd Servers http://www.ciac.org/ciac/bulletins/g-20.shtml

Apache denial-of-service attack -- Apache httpd (1.2.x, 1.3b3) http://www.netspace.org/cgi-bin/wa?A1=ind9712e&L=bugtraq#2 http://www.apache.org/dist/patches/apply_to_1.2.4/

no2slash-loop-fix.patch http://www.apache.org/dist/patches/apply_to_1.3b3/
no2slash-loop-fix.patch "HTTP REQUEST_METHOD flaw" http://www.netspace.org/cgi-bin/wa?A2=ind9901a&L=bugtraq&F=&S=&P=8530

Systems running Netscape Navigator

H-76: Netscape Navigator Security Vulnerability http://www.ciac.org/ciac/bulletins/h-76.shtml
I-082: HP-UX Netscape Servers Vulnerability http://www.ciac.org/ciac/bulletins/i-082.shtml
I-040: SGI Netscape Navigator Vulnerabilities http://www.ciac.org/ciac/bulletins/i-040.shtml

"Reading local files with Netscape Communicator 4.5" at http://www.geocities.com/ResearchTriangle/1711/b6.html

Netscape Navigator may allow frame spoofing to trick the user Netscape Security Update: "The Frame-Spoofing Vulnerability" http://home.netscape.com/products/security/resources/bugs/framespoofing.html

System running cgi-bin routines

I-013: Count.cgi Buffer Overrun Vulnerability  http://www.ciac.org/ciac/bulletins/i-013.shtml
I-014: Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages   http://www.ciac.org/ciac/bulletins/i-014.shtml

IRIX webdist.cgi, handler and wrap programs ftp://sgigate.sgi.com/security/19970501-02-PX ftp://info.cert.org/pub/cert_advisories/CA-97.12.webdist

"Nlog 1.1b released - security holes fixed" http://www.netspace.org/cgi-bin/wa?A2=ind9812d&L=bugtraq&F=&S=&P=10302 http://owned.comotion.org/~spinux/index.html

Other useful documents

IF YOUR WEB SITE HAS BEEN HACKED

CIAC recommends the following as you check your web servers:

1. Apply ALL security-related patches for the web server software as well as for the underlying Operating System.
2. Remove ALL unnecessary files such as phf from the scripts directory /cgi-bin. Remove the "default" document trees that are shipped with Web servers such as IIS and ExAir.
3. Validate ALL user accounts on the web server and ensure that they have strong passwords.
4. Validate ALL services and open ports on the web server to ensure there are no Trojanned services.
5. Look for suspicious files in the /dev, /etc, and /tmp directories.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

Previous CIAC notices, anti-virus software, and other information are  available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) 


Other references

Microsoft IIS 5.0:  "Secure Internet Information Services 5 Checklist" includes a few tweaks to the underlying Windows 2000 OS. www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=178&TB=news