Email & Web Servers
The term server often refers to the computer hardware, the operating system and applications loaded on the hardware. In this section, we address server applications. Server applications are the software programs loaded over a server's operating system, enabling the server to perform specific functions such as act as a web server or email server.
web servers and email servers are particularly appealing targets of attackers. This is because email and web servers must allow a certain amount of traffic through in order to perform their functions. These "open doors" to traffic can often be exploited. In addition, web and email servers are very complex, and the more complex the code is, the more bugs it will have. It is therefore important that libraries take steps to secure them. Though there are many types of server applications, we will limit this discussion to the two most popular and potentially insecure types of server applications: email and web server applications.
Securing Web Servers
Due to their popularity, we will limit our discussion to the two most commonly used web servers in libraries today: Microsoft's Internet Information Server and Apache web Server.
Securing Microsoft Internet Information Servers
IIS Lockdown Tool - Securing Internet Information Servers (also known as IIS) has been made somewhat simpler because Microsoft provides an "IIS Lockdown Tool." For more information, see IIS Lockdown Tool.
Command Line - In addition to running the IIS Lockdown Tool, you should rename, move, or restrict access to the command line executable cmd.exe. This is because many hackers exploit IIS to run cmd.exe on the server. Renaming it or limiting its use to members of the administrator group removes this vulnerability. See policies for more information.
Default IIS directory - By default IIS installs an "Inetpub" directory. This directory has a number of sample files and other administrative tools files. It is also the default directory for the default website. Many attackers exploit the sample files and scripts that Microsoft so generously provides with its software. While these sample files may help out some users, they are also prime targets for attackers, since they know exactly where these scripts are and what they do. Be sure to remove all unnecessary directories, files and scripts before putting your web server online. You should either remove these sample files or change the directory where the website runs.
Unicode Vulnerability - Finally, if you do not use the IIS Lockdown Tool you should protect against the Unicode vulnerability (also known as the web server folder transversal vulnerability). Unicode is a character coding format for representing characters as integers; Unicode uses 16 bits, unlike ASCII which uses 8 bits. The Unicode vulnerability involves an attacker sending a web server a carefully constructed URL that forces the server to migrate up and out of its home directory on the server and execute code. Windows NT 4.0 and Windows 2000 earlier than Service Pack 2 are vulnerable. A patch is available from Microsoft at Microsoft Security Bulletin (MS00-078). For more on securing IIS servers, see this Microsoft article. For Windows 2000 servers, see Windows 2000 Security Checklist.
Securing Apache Web Servers
Apache web Servers are among the most popular web servers (along with Microsoft's IIS). In order to secure Apache you should:
- Never run Apache as root.
- Ensure only the Apache user has Read access to the web content.
- Protect files and directories from modification by users other than root.
- Protect against access to server files by blocking default access.
- Protect against malicious code in Server Side Includes (SSI) and CGI scripts.
Many of these modifications are made by setting user access permissions. Protecting SSI and scripts are a different matter. CGI scripts can be quite insecure, especially as the script becomes more complex. Furthermore, usually when a CGI or SSI program executes, it runs as the same user who is running the web server-root. However, Apache has a feature, suEXEC, which provides the server with the ability to execute CGI code with different—and more secure—user IDs. For more on securing Apache web Server, see Security Tips for Server Configuration. For more on web Server Security see The World Wide web Security FAQ.
Securing Email Servers
One of the primary threats to email security—and to network security, as well—are mass-mailing worms. An important way to protect an email server is to install email anti-virus software that analyzes attachments. Anti-virus programs on email servers used to create more problems than they solved, but some of the latest releases are much more stable and safe. Once installed, configure the anti-virus software to analyze attachments favored by worms, which includes those with the following extensions: .EXE, .SCR, .PIF, .VBS, and .BAT.
Another threat to email security concerns the inherent ability of SMTP (Simple Mail Transfer Protocol) to relay email messages. When the SMTP protocol was originally created, it was decided that a useful feature would be to allow email servers to relay messages for other servers. In other words, if an email message intended for Server B arrived at Server A, then Server B would forward the message to Server A. Those, however, were the good old days of the Internet. Now this seemingly innocuous feature is used by bulk mailers to send thousands of email messages through an unsuspecting server that has the relay feature turned on. Those email messages, in addition to irritating the recipients of such spam, will often clog the relaying email server to the extent that it creates a denial of service situation.
To protect against being a spam host, the relaying feature must be turned off. Most major email vendors provide a way to do this, although with some (Exchange, for instance) it is not well documented or obvious. Check your vendor's documentation carefully for how to turn mail relaying off.
Next: Fault Tolerance