Web Server Security

Posted on 2004-10-21
Medium Priority
Last Modified: 2011-10-03
Hello experts,

I am looking for assistance dealing with hacking web servers.  I administer a web server and our on-site security expert showed me a list of items he was able to gain access to on my server.  However, he would not tell me what tool he used to hack into my server.  

My concern is this: if he can hack into the server, so can anyone else. Is there a list of do's and don'ts for web server security?

I am running a Domino server configuration with Sametime running on top of it. I am also fairly new at web servers and am learning that there is more to securing databases than ACLs. If anyone can assist with specific information or publications (i.e. ebooks preferred!) I am willing to consider upping the point value.

Thanks in advance.
Question by:clkm84

Accepted Solution

Scorp888 earned 400 total points
ID: 12372828
One of the best tools is Nessus.

You can also use nmap.

The key to securing any machine is to start secure.

It's no good having secure apps, and a secure web server, if your base os is wide open.

Look at the base OS you are running; I'd assume you are very familiar with it? If not, get help from someone who is, or ask other specific questions on how to secure it.

But basically, turn off all non-essential services.
Apply the latest security patches. Don't run telnet and ftp; run ssh and scp/sftp.

Then look at best practice for Domino and Sametime, which will be 2 different approaches.

You basically need to tie down both until they break, then wind back a small bit.

Author Comment

ID: 12373437
Thank you - after posting this I discovered more options available on the domino server side and implemented more security in that respect.  

Thank you for the web link to the nessus site - The tasks running on the server have already been tightened (running Windows Server 2003 OS).  

I appreciate your guidance and quick response. As for best practices, there is a ton of information for Domino server and, due to its abilities, there is a lot of information to sift through. Sametime info will refer you back to the Domino best practices since Sametime is running on top of Domino.

Expert Comment

ID: 12376368
First off, if your security expert will not tell you what tools he used, I would consider another expert.
Second, get GFI LANguard, Nessus or N-Stalker; they are all good programs.

Assisted Solution

ahoffmann earned 400 total points
ID: 12378108
> is there a list of do's and don'ts for web server security.
As said before, the most critical part are the applications running within your webserver. In particular, anything generating dynamic content is probably vulnerable to gain access to your webserver. That could be anything from simple SSI, CGI called by the server, embedded functionality (PHP, FastCGI, etc.) to fat application servers.

If all these applications are developed with security in mind, and your server is fully patched, the chances are good that hacking gets complicated.

For the applications the most important thing is:
   don't trust any input (neither from browser nor any backend database) until you have verified and sanitized it yourself.
   All input is evil until sanitized. Dot.

Unfortunately there is not much software around to check and/or secure your server. It is either $$$$ or more or less improper for testing web applications (including Nessus, sorry) :-(

If you're interested in more details, just let me know. But then you need to provide more details about your platform, and if you want to (penetration) test your application, or permanently secure your web server.

Assisted Solution

ecrit earned 400 total points
ID: 12379284
ahoffmann is correct. The least you can do is make sure all your web applications (any software actually) are up to date with the current stable releases and patches. The harder it is for someone to hack, the less chance they are going to spend time trying. Remember, a majority of your so-called hackers only know how to use someone else's hack and don't know how to attempt an original one.

The vulnerability scanning software is only a guideline, and that is only if you know what it is you are looking at. Never depend on that stuff alone. I suggest GFI because it gives you a bit more information and has a GUI for easier navigation.

If you are really concerned about the security, try to find someone who is familiar with IDS and IPS and ask them to test your server. You may have to pay a fee for this service, or you may not, depending on who you know and trust.

Since you stated you have an on-site security professional, I am assuming you are already taking measures. My only concern with my previous post was that it seemed from your posting that all he does is scan the servers and does nothing to fix them. On top of that, he was not willing to share the information as to how he found these problems. I would ask him some questions:

1. Was it an external or internal test?
2. Did he use privileged information not commonly known to a hacker (like an escalated account that is not easily known)?
3. What does he suggest to do to fix the problem? (Since it seems it is not his job to fix but just to inform.)

Expert Comment

ID: 12380288
> .. your web applications (any software actually) is up to date with the current stable releases and patches.
No, this is not what I meant. It's a precondition for anything else.
I meant that each application (written in ASP, JSP, Perl, PHP, whatever) has to do proper sanity checks!

Also keep in mind that "application scanners" are totally different from "network/port scanners". There are some products which use both worlds, like Nessus, but for a secure web server you should insist on specialized application scanners (ports 80, 443 only).
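As an added illustration of the "all input is evil until sanitized" point made in ahoffmann's two replies (this is not code from the thread or from any product discussed in it), the following Python CGI-style handler shows a dynamic "include a page" parameter used as-is, beside a version that verifies the parameter against an allow-list and then confirms the resolved path is still inside the document root. The document root, file names and `handle_request` entry point are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Constructed sample document root with two pages (assumption: the
# real server's docroot and content differ).
DOCROOT = tempfile.mkdtemp()
for name in ("index.html", "about.html"):
    with open(os.path.join(DOCROOT, name), "w") as f:
        f.write("<h1>%s</h1>" % name)

# Allow-list: the only parameter shape this handler will accept.
# Letters, digits, '_' and '-' only, ending in ".html"; no separators.
PAGE_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}\.html$")


def include_unchecked(page):
    """The 'trust the browser' form: the parameter is used as-is.
    os.path.join() gives the caller control over the final path."""
    with open(os.path.join(DOCROOT, page)) as f:
        return f.read()


def include_checked(page):
    """Verify, then use: reject anything that does not match the
    allow-list, then (defence in depth) reject any resolved path
    that is not inside DOCROOT."""
    if not PAGE_RE.match(page):
        raise ValueError("rejected: parameter does not match allow-list")
    root = os.path.realpath(DOCROOT)
    full = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([full, root]) != root:
        raise ValueError("rejected: path escapes document root")
    with open(full) as f:
        return f.read()


def handle_request(params):
    """CGI-style entry point: returns (status, body) for a query dict.
    Bad input is answered with 400 rather than being 'cleaned up'."""
    try:
        return 200, include_checked(params.get("page", "index.html"))
    except ValueError as e:
        return 400, str(e)
    except FileNotFoundError:
        return 404, "no such page"
```

The same verify-then-use pattern applies to a parameter that ends up in a database query or an SSI/CGI call; the allow-list changes, the structure does not.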

Author Comment

ID: 12380667
Thank you all for your responses...  I now have some guidelines to assist me with security policies on my web server.  

Currently, my application is internal only (i.e. intranet); my concern is that I've recently been told it may be going external (internet) to allow access by other users.

I've decided to up the points to 300 and split them between the 3 of you.

Thanks again for the assistance.

Author Comment

ID: 12380709
This is to increase the points. Now I have to figure out how to split them; sorry to be a pain, first time awarding points and trying to split them up.
