Web Server Security

Posted on 2004-10-21
Last Modified: 2011-10-03
Hello experts,

I am looking for assistance dealing with hacking web servers.  I administer a web server and our on-site security expert showed me a list of items he was able to gain access to on my server.  However, he would not tell me what tool he used to hack into my server.  

My concern is this, if he can hack into the server so can anyone else - is there a list of do's and don'ts for web server security.  

I am running a domino server configuration with Sametime running on top of it.  I am also fairly new at web servers and am learning that there is more to securing databases than ACLs.  If anyone can assist with specific information or publications (i.e. ebooks preferred!) I am willing to consider upping the point value.

Thanks in advance.
Question by:clkm84
    LVL 2

    Accepted Solution

    One of the best tools is NESSUS

    You can also use nmap.

    The key to securing any machine is to start secure.

    It's no good having secure apps, and a secure web server, if your base os is wide open.

    Look at the base OS you are running; I'd assume you are very familiar with it? If not, get help from someone who is, or ask other specific questions on how to secure it.

    But basically, turn off all non-essential services.
    Apply the latest security patches. Don't run telnet and ftp, run ssh and scp/sftp.

    Then look at best practice for domino, and sametime. Which will be 2 different approaches.

    You basically need to tie down both until they break, then wind back a small bit.
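The "turn off all non-essential services" and "don't run telnet and ftp" advice above can be turned into a repeatable check. The following Python script is an added example, not code from the answerer or from Domino; it parses `netstat -an` style output (a constructed sample is embedded, and both the Windows "LISTENING" and Linux "LISTEN" spellings are accepted) and reports listeners that are cleartext remote-access services, that are not in an expected baseline, or that should be listening but are not. The baseline itself (HTTP, HTTPS, Notes RPC on 1352, Sametime on 1533) is an assumption for a Domino plus Sametime host and should be replaced with what the server is actually meant to offer.

```python
import re

# Constructed sample of `netstat -an` output (Windows-style columns); not
# captured from a real host. Linux netstat prints "LISTEN" instead of
# "LISTENING", which the parser also accepts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1352           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1533           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            10.0.0.9:51022         ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Assumed baseline for a Domino web server with Sametime: HTTP, HTTPS,
# Notes RPC (1352) and Sametime community services (1533). Adjust to what
# the server is actually meant to offer; anything else is non-essential.
EXPECTED = {("tcp", 80), ("tcp", 443), ("tcp", 1352), ("tcp", 1533)}

# Cleartext remote-access services the answer says to replace with ssh/scp/sftp.
CLEARTEXT = {
    ("tcp", 21): "ftp (replace with sftp/scp)",
    ("tcp", 23): "telnet (replace with ssh)",
    ("tcp", 513): "rlogin (replace with ssh)",
    ("tcp", 514): "rsh (replace with ssh)",
}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?", re.I)


def listening_sockets(netstat_output):
    """Return the set of (proto, port) pairs that are accepting traffic."""
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything we do not understand
        proto, _addr, port, _foreign, state = m.groups()
        proto = proto.lower()
        # TCP: only listening sockets matter; established connections are
        # clients of those same listeners. UDP has no state column.
        if proto == "tcp" and not (state or "").upper().startswith("LISTEN"):
            continue
        found.add((proto, int(port)))
    return found


def audit(netstat_output, expected=EXPECTED):
    """Compare what is listening against the baseline."""
    found = listening_sockets(netstat_output)
    return {
        "cleartext": sorted(s for s in found if s in CLEARTEXT),
        "unexpected": sorted(found - expected),
        "missing": sorted(expected - found),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_NETSTAT)
    for proto, port in report["cleartext"]:
        print(f"CLEARTEXT  {proto}/{port}: {CLEARTEXT[(proto, port)]}")
    for proto, port in report["unexpected"]:
        print(f"UNEXPECTED {proto}/{port}: not in baseline, disable or justify")
    for proto, port in report["missing"]:
        print(f"MISSING    {proto}/{port}: expected service not listening")
```

Run it against real output by piping `netstat -an` into the script instead of the constructed sample; a non-empty "unexpected" list is the list of services to disable or document, and the "cleartext" list is what to migrate to ssh/scp/sftp before the host faces the internet.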

    Author Comment

    Thank you - after posting this I discovered more options available on the domino server side and implemented more security in that respect.  

    Thank you for the web link to the nessus site - The tasks running on the server have already been tightened (running Windows Server 2003 OS).  

    I appreciate your guidance and quick response - as for best practices - there is a ton of information for domino server and due to its abilities there is a lot of information to sift through.  Sametime info will refer you back to the domino best practices since Sametime is running on top of the domino.  

    Expert Comment

    First off, if your security expert will not tell you what tools he used I would consider another expert.
    Second, GFI LANguard, Nessus or N-Stalker are all good programs.
    LVL 51

    Assisted Solution

    >  is there a list of do's and don'ts for web server security.  
    as said before, the most critical part are the applications running within your webserver. In particular anything generating dynamic content is probably vulnerable to gain access to your webserver. That could be from simple SSI, CGI called by the server, embedded functionality (PHP, FastCGI, etc.) to fat application servers.

    If all these applications are developed with security in mind, and your server is fully patched, the chances are good that hacking gets complicated.

    For the applications the most important thing is:
       don't trust any input (neither from browser nor any backend database), until you have verified and sanitized it yourself
       All input is evil until sanitized. Dot.

    Unfortunately there is not much software around to check and/or secure your server. They are either $$$$ or more or less improper for testing web applications (including nessus, sorry)-:

    If you're interested in more details, just let me know. But then you need to provide more details about your platform, and if you want to (penetration) test your application, or permanently secure your web server.

    Assisted Solution

    Abhoffman is correct. The least you can do is make sure all your web applications (any software actually) are up to date with the current stable releases and patches. The harder it is for someone to hack the less chance they are going to spend time trying. Remember a majority of your so called hackers only know how to use someone else's hack and don't know how to attempt one originally.

    The vulnerability scanning software is only a guideline. And that is only if you know what it is you are looking at. Never depend on that stuff alone. I suggest GFI because it gives you a bit more information and is GUI for easier navigation.

    If you are really concerned about the security try to find someone that is familiar with IDS and IPS and ask them to test your server. You may have to pay a fee for this service and you may not depending on who you know and trust.

    Since you stated you have an on-site security professional I am assuming you are already taking measures. My only concern with my previous post was it seemed by your posting that all he does is scan the servers and does nothing to fix them. On top of that he was not willing to share the information as to how he found these problems. I would ask him some questions:

    1. Was it an external or internal test?
    2. Did he use privileged information not commonly known to a hacker (like an escalated account that is not easily known?)
    3. What does he suggest to do to fix the problem? ( Since it seems it is not his job to fix but just to inform.)
    LVL 51

    Expert Comment

    > ..  your web applications (any software actually) is up to date with the current stable releases and patches.
    No, this is not what I meant. It's a precondition for anything else.
    I meant that each application (written in asp, jsp, perl, PHP, whatever) has to do proper sanity checks!

    Also keep in mind that "application scanners" are totally different to "network/port scanners". There are some products which use both worlds, like nessus, but for a secure web server you should insist on specialized application scanners (ports 80, 443 only).
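The two points made in this thread about application code, "all input is evil until sanitized" (including data coming back from a backend database) and "each application has to do proper sanity checks", are shown below in a small Python request handler. It is an added example, not code from either expert or from Domino, and its form field names, the 32-hex-digit document id format and the in-memory sqlite table are assumptions chosen for illustration. Three things are demonstrated: an allowlist that rejects rather than cleans malformed or unexpected parameters, a parameterized database query so a validated value still never becomes SQL text, and output encoding of a value that came from the database rather than the browser.

```python
import html
import re
import sqlite3

# Allowlist rules for every parameter the page accepts (assumed for a
# hypothetical document-viewer form; adapt the names and patterns).
RULES = {
    "doc_id": re.compile(r"[0-9A-Fa-f]{32}"),   # 32 hex digits, like a Notes UNID
    "page": re.compile(r"[1-9][0-9]{0,3}"),     # 1..9999, no leading zeros
    "view": re.compile(r"summary|full"),        # fixed choice, not free text
}
REQUIRED = {"doc_id"}


class InvalidInput(ValueError):
    """Raised for anything that does not match the allowlist. Bad input is
    rejected outright; no attempt is made to 'clean it up' and continue."""


def validate(params):
    """Return only the allowlisted, well-formed parameters."""
    unknown = set(params) - set(RULES)
    if unknown:
        raise InvalidInput(f"unexpected parameters: {sorted(unknown)}")
    clean = {}
    for name, rule in RULES.items():
        value = params.get(name)
        if value is None:
            if name in REQUIRED:
                raise InvalidInput(f"missing parameter {name!r}")
            continue
        # fullmatch: the whole value must fit the pattern, not just a prefix
        if not isinstance(value, str) or rule.fullmatch(value) is None:
            raise InvalidInput(f"parameter {name!r} failed validation")
        clean[name] = value
    return clean


def is_valid(params):
    try:
        validate(params)
        return True
    except InvalidInput:
        return False


def lookup_title(conn, doc_id):
    # Parameterized query: the driver keeps the value out of the SQL text,
    # so validation is the first line of defence, not the only one.
    row = conn.execute("SELECT title FROM docs WHERE doc_id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def render_title(title):
    # The title comes from the database, not the browser, and is escaped
    # anyway: backend data is input too.
    return f"<h1>{html.escape(title, quote=True)}</h1>"


def make_demo_db():
    # Constructed in-memory table; the stored title carries markup on purpose
    # to show that output encoding neutralises it.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (doc_id TEXT PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO docs VALUES (?, ?)",
                 ("0" * 32, "Q3 <b>report</b> & plan"))
    return conn


def handle_request(conn, params):
    clean = validate(params)               # raises InvalidInput on bad data
    title = lookup_title(conn, clean["doc_id"])
    if title is None:
        return "<p>not found</p>"
    return render_title(title)


if __name__ == "__main__":
    conn = make_demo_db()
    print(handle_request(conn, {"doc_id": "0" * 32}))
    print(is_valid({"doc_id": "not-a-hex-id"}))
    print(is_valid({"doc_id": "0" * 32, "debug": "1"}))
```

The design choice worth copying is the allowlist: a regular expression describing what a value must look like, applied with `fullmatch`, is far easier to get right than a denylist of characters to strip, and an unknown parameter name is treated as an error rather than ignored, so a form cannot quietly grow inputs nobody validates.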

    Author Comment

    Thank you all for your responses...  I now have some guidelines to assist me with security policies on my web server.  

    Currently, my application is internal only (i.e. intranet) my concern is I've recently been told that it may be going external (internet) to allow access by other users.  

    I've decided to up the points to 300 and split them between the 3 of you.

    Thanks again for the assistance.

    Author Comment

    This is to increase the points - now I have to figure out how to split them - sorry to be a pain - first time awarding points and trying to split them up.
