Best practices and tools for non-MS IIS users

Learn what best practices and tools non-MS IIS users can use in this application security Ask the Expert Q&A.

In a recent tip, you provided best practices for managing a secure Web server. What best practices and tools do you recommend for those who do not use MS IIS?
Most of the best practices I covered in "Best practices for managing secure Web server configurations" can also be applied to other types of Web servers. For example, all servers should be hardened prior to connecting to the Internet, and a lifecycle management process should be in place to ensure tasks are executed in an orderly and predictable manner and none are forgotten or left incomplete.

If you are looking for a resource to help you through the process of hardening a Unix-based Web server, you can download the U.S. National Security Agency's free UNIX Security Checklist and Unix Security Technical Implementation Guide, which includes a Linux-specific section. The Center for Internet Security (CIS) also provides free Benchmark and Scoring Tools, which are available for all the major operating systems, the Apache Web server, and Oracle and SQL Server databases. All of these are continually updated as new vulnerabilities are discovered, so they can be run regularly as part of the lifecycle management process to monitor the effectiveness of your configuration.
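To show what a benchmark-style scoring check looks like when run repeatedly against an Apache configuration, here is an added example (not from the article, the NSA guides or the CIS tools); the three directives it checks and the two sample configurations are assumptions, and a real benchmark covers far more items.

```shell
#!/bin/sh
# Minimal benchmark-style scoring of an Apache httpd configuration.
# Assumed hardening items: ServerTokens Prod, ServerSignature Off,
# TraceEnable Off (only a small subset of any real benchmark).

# check_directive FILE DIRECTIVE EXPECTED
# Prints PASS when the last uncommented occurrence of DIRECTIVE in FILE
# has the value EXPECTED (case-insensitive); a missing or commented-out
# directive counts as FAIL because httpd's default then applies.
check_directive() {
    file=$1; directive=$2; expected=$3
    actual=$(grep -i "^[[:space:]]*$directive[[:space:]]" "$file" \
        | awk '{print $2}' | tail -n 1 | tr 'A-Z' 'a-z')
    if [ "$actual" = "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]; then
        echo PASS
    else
        echo FAIL
    fi
}

# score_config FILE: runs every check and prints "passed/total".
score_config() {
    file=$1; passed=0; total=0
    for pair in "ServerTokens Prod" "ServerSignature Off" "TraceEnable Off"; do
        directive=${pair% *}; expected=${pair#* }
        total=$((total + 1))
        if [ "$(check_directive "$file" "$directive" "$expected")" = PASS ]; then
            passed=$((passed + 1))
        fi
    done
    echo "$passed/$total"
}

# Constructed sample configurations so the script runs stand-alone.
HARDENED=$(mktemp); WEAK=$(mktemp)
trap 'rm -f "$HARDENED" "$WEAK"' EXIT
cat > "$HARDENED" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
EOF
cat > "$WEAK" <<'EOF'
# ServerTokens Prod     <- commented out, so the default applies
ServerSignature On
EOF
echo "hardened: $(score_config "$HARDENED")"   # 3/3
echo "weak:     $(score_config "$WEAK")"       # 0/3
```

Run it from cron against the live httpd.conf and diff the score over time; a drop flags configuration drift between hardening cycles.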

Another tool that can be used during the design of any Web server environment, and its subsequent management, is ASSET (Automated Security Self-Evaluation Tool), available from NIST (National Institute of Standards and Technology). ASSET automates the completion of the questionnaire contained in NIST's Security Self-Assessment Guide for Information Technology Systems. The results can be used to evaluate the security of a particular system, and assess the status of your security program plan. ASSET is not subject to copyright protection, is in the public domain and can be downloaded free from http://csrc.nist.gov/asset/asset_download.html.

As with any system, patch management will play a key role in keeping your Web server secure. Products like SecureCentral's PatchQuest can automate the distribution and management of security patches, hotfixes and updates across all networks, including those that use operating systems other than Windows. You may also want to try Shavlik's HFNetChkPro for Linux, which uses the same agentless approach to patch management.

Make sure you develop and maintain a list of specific resources for security issues and software updates that work for your system and establish a procedure for monitoring these information sources.

This was first published in February 2006
