Before the system is declared ready for production, you should scan it for vulnerabilities. Vulnerability scanners can be commercial or freely available, but they must be current. Check the system to confirm that you have turned off all unnecessary services and loaded all necessary patches. This scan will confirm that the system is currently free from vulnerabilities. Scans should be performed on a monthly basis with the latest updates to the scanners to make sure the system is still free from vulnerabilities. New vulnerabilities that are found should be fixed immediately.

Web Server Configuration

The Web server itself is the last component of server security. Many Web servers are available on the market, and the choice of which server to use will depend on the platform chosen and the preferences of the administration and development staffs. As with operating systems, Web servers can be configured in a secure manner or an insecure manner. The specific configuration requirements for each particular Web server are beyond the scope of this book, but there are some common configurations that should be made regardless of the Web server.

First, the server software should be upgraded and patched according to the manufacturer's recommendations. Never run the Web server as root or administrator. If the Web server is successfully penetrated, the attacker will have the same privileges on the system as the Web server. If the Web server is run as root, the attacker will have root privileges. Instead, create a separate user who owns the Web server and run the server from that account.

Each Web server requires the administrator to define a server root directory. This directory tells the Web server where to find document files and scripts and also limits which files the Web server can access via a browser.
The Web server root should never be the same as the system root directory, and it should not include configuration and security files that are important to the operating system (see Figure 17-4). Most Web servers come with CGI scripts (CGI is the Common Gateway Interface and is used for creating scripts on a Web server). Some of these default scripts have very serious vulnerabilities that allow attackers to gain access to files or the system itself. Any scripts that come with the Web server that are not being used by the Web site should be removed to prevent an attacker from using them to gain access to the system.

Network Security: A Beginner's Guide (Maiwald), Chapter 17, E-Commerce Security Needs, page 419

CGI scripts should not be visible to the public either. This means that the Web server should be configured not to show directory listings if the browser does not specify a file. If the browser does specify a CGI or Perl script, the server should be configured to execute the script rather than display the code. This is normally configured in the httpd.conf file with the lines:
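The book's own httpd.conf lines are not included in this preview. The fragment below is an added example, not the book's text, showing how the points made in this section (a non-root service account, a server root and document root separate from the system root, no directory listings, and CGI scripts executed rather than displayed) are expressed in modern Apache 2.4 syntax. The user name and directory paths are assumptions chosen for illustration.

```apache
# Added example (not from the book): Apache 2.4 httpd.conf fragment applying
# the hardening points above. User, group and paths are assumed values.

# Worker processes run as a dedicated, unprivileged account, never root.
# (httpd starts as root only to bind port 80, then drops to this account.)
User www-data
Group www-data

# Server root (configuration, logs) and document root are separate from the
# system root and must not hold operating-system configuration or security files.
ServerRoot "/etc/httpd"
DocumentRoot "/var/www/htdocs"

# Deny everything by default; only explicitly listed directories are served.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

# Document tree: no directory listing when the browser names no file,
# and no CGI execution from inside the document tree.
<Directory "/var/www/htdocs">
    Options -Indexes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# CGI scripts live outside the document root. ScriptAlias marks the
# directory as executable, so a request for a script runs it instead of
# returning its source. Keep only the scripts the site actually uses here
# and delete any samples shipped with the server.
ScriptAlias "/cgi-bin/" "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>
```

After editing, run `apachectl configtest` before reloading, and confirm the effect with two requests: a request for the document root URL should return the index page or a 403, never a file listing, and a request for a script under /cgi-bin/ should return the script's output rather than its source text.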