Solved

Web Server Security

Posted on 2004-10-21
456 Views
Last Modified: 2011-10-03
Hello experts,

I am looking for assistance dealing with hacking web servers.  I administer a web server and our on-site security expert showed me a list of items he was able to gain access to on my server.  However, he would not tell me what tool he used to hack into my server.  

My concern is this, if he can hack into the server so can anyone else - is there a list of do's and don'ts for web server security.  

I am running a domino server configuration with Sametime running on top of it.  I am also fairly new at web servers and am learning that there is more to securing databases than ACLs.  If anyone can assist with specific information or publications (i.e. ebooks preferred!) I am willing to consider upping the point value.

Thanks in advance.
Question by:clkm84
8 Comments
 
LVL 2

Accepted Solution

by:
Scorp888 earned 400 total points
ID: 12372828
One of the best tools is NESSUS

http://www.nessus.org/

You can also use nmap.


The key to securing any machine is to start secure.

It's no good having secure apps, and a secure web server, if your base os is wide open.

Look at the base OS you are running; I'd assume you are very familiar with it? If not, get help from someone who is, or ask other specific questions on how to secure it.

But basically, turn off all non-essential services.
Apply the latest security patches. Don't run telnet and ftp, run ssh and scp/sftp.

Then look at best practice for domino and sametime, which will be 2 different approaches.

You basically need to tie down both until they break, then wind back a small bit.

Author Comment

by:clkm84
ID: 12373437
Thank you - after posting this I discovered more options available on the domino server side and implemented more security in that respect.  

Thank you for the web link to the nessus site - The tasks running on the server have already been tightened (running Windows Server 2003 OS).  

I appreciate your guidance and quick response - as for best practices - there is a ton of information for domino server and due to its abilities there is a lot of information to sift through.  Sametime info will refer you back to the domino best practices since Sametime is running on top of the domino.  

Expert Comment

by:ecrit
ID: 12376368
First off, if your security expert will not tell you what tools he used I would consider another expert.
Second, get GFI LANguard, Nessus or N-Stalker; they are all good programs.
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 400 total points
ID: 12378108
>  is there a list of do's and don'ts for web server security.  
as said before, the most critical part are the applications running within your webserver. In particular anything generating dynamic content is probably vulnerable to gain access to your webserver. That could be from simple SSI, CGI called by the server, embedded functionality (PHP, FastCGI, etc.) to fat application servers.

If all these applications are developed with security in mind, and your server is fully patched, the chances are good that hacking gets complicated.

For the applications the most important thing is:
   don't trust any input (neither from browser nor any backend database), until you have verified and sanitized it yourself
   All input is evil until sanitized. Dot.

Unfortunately there is not much software around to check and/or secure your server. They are either $$$$ or more or less improper for testing web applications (including nessus, sorry)-:

If you're interested in more details, just let me know. But then you need to provide more details about your platform, and if you want to (penetration) test your application, or permanently secure your web server.
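The "all input is evil until sanitized" rule above is easiest to see in code. The following is an added example written for this thread, not code from Domino, Sametime or any of the scanners mentioned: a small request handler that validates every parameter against an allowlist, passes the validated id to the database only as a bound query parameter, and HTML-encodes everything it writes back, including the value read from the database (stored data is input too). The field names, patterns and the in-memory SQLite table are constructed for the example.

```python
import html
import re
import sqlite3
from typing import Dict, Optional

# Allowlist patterns: say what is acceptable rather than trying to list
# what is dangerous. The limits are assumptions chosen for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
DOC_ID_RE = re.compile(r"^[0-9]{1,10}$")
# Views form a closed set; anything not in it is rejected outright.
ALLOWED_VIEWS = frozenset({"inbox", "calendar", "contacts"})


class ValidationError(ValueError):
    """Raised for any parameter that fails its allowlist check."""


def validate_username(raw: str) -> str:
    if not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username: letters, digits, _ . - only (max 32)")
    return raw


def validate_doc_id(raw: str) -> int:
    if not DOC_ID_RE.fullmatch(raw):
        raise ValidationError("doc_id: must be a decimal integer")
    return int(raw)


def validate_view(raw: str) -> str:
    if raw not in ALLOWED_VIEWS:
        raise ValidationError("view: unknown view name")
    return raw


# One validator per expected parameter. Unknown or missing parameters are
# errors as well, so nothing reaches the application unchecked.
VALIDATORS = {
    "username": validate_username,
    "doc_id": validate_doc_id,
    "view": validate_view,
}


def validate_request(params: Dict[str, str]) -> dict:
    """Return validated, typed values or raise ValidationError."""
    if set(params) - set(VALIDATORS):
        raise ValidationError("unexpected parameter(s) in request")
    if set(VALIDATORS) - set(params):
        raise ValidationError("missing parameter(s) in request")
    return {name: VALIDATORS[name](params[name]) for name in VALIDATORS}


def open_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?)",
                     [(1, "Q3 budget"), (2, "Team <b>roster</b>")])
    return conn


def fetch_title(conn: sqlite3.Connection, doc_id: int) -> Optional[str]:
    # Even the validated id goes in as a bound parameter, never
    # concatenated into the SQL text.
    row = conn.execute("SELECT title FROM docs WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def render_page(username: str, title: Optional[str]) -> str:
    """Encode every value before it goes into HTML, including the title
    that came back from the database."""
    safe_user = html.escape(username, quote=True)
    safe_title = html.escape(title or "(not found)", quote=True)
    return "<p>Hello, %s. Document: %s</p>" % (safe_user, safe_title)


def handle(params: Dict[str, str]) -> str:
    """Validate, query with bound parameters, encode output. Rejected
    requests get a fixed message, so no raw input is echoed back."""
    try:
        clean = validate_request(params)
    except ValidationError as exc:
        return "400 Bad Request: %s" % exc
    conn = open_demo_db()
    try:
        return render_page(clean["username"], fetch_title(conn, clean["doc_id"]))
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample requests: the first is well-formed, the rest are not.
    for sample in [
        {"username": "alice", "doc_id": "2", "view": "inbox"},
        {"username": "alice", "doc_id": "2 OR 1=1", "view": "inbox"},
        {"username": "<b>alice</b>", "doc_id": "1", "view": "inbox"},
        {"username": "alice", "doc_id": "1", "view": "../admin"},
        {"username": "alice", "doc_id": "1", "view": "inbox", "debug": "1"},
    ]:
        print(handle(sample))
```

The point of the structure is that validation happens once, at the boundary, and the rest of the code only ever sees typed values; the bound SQL parameter and the output encoding are defence in depth for the case where a check is later loosened or a value arrives from a path the validator never saw.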

Assisted Solution

by:ecrit
ecrit earned 400 total points
ID: 12379284
Abhoffman is correct. The least you can do is make sure all your web applications (any software actually) are up to date with the current stable releases and patches. The harder it is for someone to hack, the less chance they are going to spend time trying. Remember a majority of your so-called hackers only know how to use someone else's hack and don't know how to attempt one originally.

The vulnerability scanning software is only a guideline. And that is only if you know what it is you are looking at. Never depend on that stuff alone. I suggest GFI because it gives you a bit more information and is GUI for easier navigation.

If you are really concerned about the security try to find someone that is familiar with IDS and IPS and ask them to test your server. You may have to pay a fee for this service and you may not depending on who you know and trust.

Since you stated you have an on-site security professional I am assuming you are already taking measures. My only concern with my previous post was it seemed by your posting that all he does is scan the servers and does nothing to fix them. On top of that he was not willing to share the information as to how he found these problems. I would ask him some questions:

1. Was it an external or internal test?
2. Did he use privileged information not commonly known to a hacker (like an escalated account that is not easily known)?
3. What does he suggest to do to fix the problem? (Since it seems it is not his job to fix but just to inform.)
LVL 51

Expert Comment

by:ahoffmann
ID: 12380288
> ..  your web applications (any software actually) is up to date with the current stable releases and patches.
No, this is not what I meant. It's a precondition for anything else.
I meant that each application (written in asp, jsp, perl, PHP, whatever) has to do proper sanity checks!

Also keep in mind that "application scanners" are totally different to "network/port scanners". There are some products which use both worlds, like nessus, but for a secure web server you should insist on specialized application scanners (ports 80, 443 only).

Author Comment

by:clkm84
ID: 12380667
Thank you all for your responses...  I now have some guidelines to assist me with security policies on my web server.  

Currently, my application is internal only (i.e. intranet) my concern is I've recently been told that it may be going external (internet) to allow access by other users.  

I've decided to up the points to 300 and split them between the 3 of you.

Thanks again for the assistance.

Author Comment

by:clkm84
ID: 12380709
This is to increase the points - now I have to figure out how to split them - sorry to be a pain - first time awarding points and trying to split them up.