Security Basics mailing list archives

Re: webserver security issues


From: krymson () gmail com
Date: 25 Apr 2007 16:05:35 -0000

This is an amazingly broad question that entire books are written about: securing web servers.

NIST has docs you might find useful:
Guide on Securing Public Web Servers
http://csrc.nist.gov/publications/nistpubs/index.html

The NSA has a few. While their web section is growing dated, their OS section is nice.
http://www.nsa.gov/snac/


Lastly, here are a few broad areas to keep in mind about securing a web server (this is off the top of my head, so...).

1. Application - Whatever applications or sites you are serving up on your web server will need to be secured. 
Sometimes you can do a lot on the other parts of your web server, but if you insist on running an old vulnerable phpBB 
version, you're just going to constantly get owned. 

2. The OS needs to be hardened per standards for your OS version.

3. The network needs to be hardened to protect traffic and other possible network-borne attacks or data pilfering. 
(Typically this is not part of building a web server, per se, but keep it in mind.) This might include what sorts of 
environmental (Active Directory, Database, etc.) remote access rights your services run under. Does the application 
connect to your database using an SA account or widespread domain access when it is not necessary?

4. The web server application (typically IIS, Apache, or Tomcat) needs to be hardened. Googling "Apache Security" or 
whatever app you use should help a lot.

5. Who has access to the server and the code? If you have 20 developers, all of whom can deploy code to your site 
directly, any one of them may purposely or accidentally be allowed to post bad code. Evaluate the needs and make sure 
a process is in place for QA, code review, testing on a development server, maybe a non-developer pushes the code, etc.

6. Lastly, and most importantly, make sure you have a backup strategy. If you make a mistake (and let's face it, we all 
do) and get compromised or lose data, you will want backups of the data. Try to maintain documentation on the server 
and your setup so that you can duplicate your efforts and/or identify where you made the mistake.

There are tons more angles to look at...but maybe some of this will help get you in the right mindset.


<- snip ->
Hi, we are in a process of building a webserver for our company and I am given the task of finding the security issues 
in webserver building. Can any of you let me know about the security issues in a webserver? And we have an internet leased 
line of 2mb; is getting a new leased line for the webserver good, or upgrading the existing one to 4mb? Your quick 
response is highly appreciated.


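Item 4 above says the web server application itself needs hardening; as a concrete illustration (added here, not part of krymson's post), this is an Apache httpd configuration fragment with the permissive settings beside their hardened equivalents. It assumes httpd 2.4 (the `Require` directives are 2.4 syntax; 2.0/2.2 used `Order`/`Deny`), and the path and account names are placeholders.

```apache
# --- Weak: permissive defaults often left in place on a fresh install ---
# Advertises exact version and loaded modules in the Server header
ServerTokens Full
# Appends the version string to server-generated error pages
ServerSignature On
# HTTP TRACE echoes request headers back to the client
TraceEnable On
<Directory "/var/www/html">
    # Directory listings, server-side includes and CGI allowed anywhere
    Options Indexes FollowSymLinks Includes ExecCGI
    # Any .htaccess dropped into the tree can override the above
    AllowOverride All
</Directory>

# --- Hardened: same site, least-privilege settings ---
# Reply with "Apache" only; no version on error pages; no TRACE
ServerTokens Prod
ServerSignature Off
TraceEnable Off
# Placeholder service account: the daemon should not run with broad rights
User www-data
Group www-data
# Deny the whole filesystem by default ...
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
# ... then grant only what the site actually needs
<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI +FollowSymLinks
    # .htaccess is ignored, so all policy lives in this file
    AllowOverride None
    Require all granted
</Directory>
# Never serve .htaccess / .htpasswd even if they end up under the docroot
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
# Cap request body size (1 MiB) and idle time to limit resource abuse
LimitRequestBody 1048576
Timeout 60
# Keep full request logs; they are what you will need after an incident
LogLevel warn
CustomLog /var/log/apache2/access.log combined
```

Apache only treats `#` as a comment at the start of a line, so the explanatory lines above are kept on their own lines rather than trailing a directive.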