08-08-2012, 12:32 PM
Guidelines on Securing Public Web Servers
web server.pdf (Size: 1.28 MB / Downloads: 24)
Organizations should take steps to ensure that only appropriate content is published on a Web site.
Many agencies lack a Web publishing process or policy that determines what type of information to publish openly, what information to publish with restricted access, and what information should not be published to any publicly accessible repository. This is unfortunate because Web sites are often one of the first places that malicious entities search for valuable information. Some generally accepted examples of what should not be published, or at least should be carefully examined and reviewed before publication on a public Web site, include:
Classified or proprietary information
Information on the composition or preparation of hazardous materials or toxins
Sensitive information relating to homeland security
Medical records
An organization’s detailed physical and information security safeguards
Details about an organization’s network and information system infrastructure (e.g., address ranges, naming conventions, access numbers)
Information that specifies or implies physical security vulnerabilities
Detailed plans, maps, diagrams, aerial photographs, and architectural drawings of organizational buildings, properties, or installations
Any sensitive information about individuals, such as personally identifiable information (PII), that might be subject to either Federal, state or, in some instances, international privacy laws.
Introduction
Authority
The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.
NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets; but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), “Securing Agency Information Systems,” as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.
This guideline has been prepared for use by Federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright, although attribution is desired.
Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority, nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, the Director of the OMB, or any other Federal official.
Purpose and Scope
The purpose of the Guidelines on Securing Public Web Servers is to recommend security practices for designing, implementing, and operating publicly accessible Web servers, including related network infrastructure issues. Some Federal organizations might need to go beyond these recommendations or adapt them in other ways to meet their unique requirements. While intended as recommendations for Federal departments and agencies, it may be used in the private sector on a voluntary basis.
This document may be used by organizations interested in enhancing security on existing and future Web server systems to reduce the number and frequency of Web-related security incidents. This document presents generic principles that apply to all systems.
This guideline does not cover the following aspects relating to securing a Web server:
Securing other types of network servers
Firewalls and routers used to protect Web servers beyond a basic discussion in Section 8
Security considerations related to Web client (browser) software
Special considerations for high-traffic Web sites with multiple hosts
Securing back-end servers that may support the Web server (e.g., database servers, file servers)