Web servers are computers which serve Web pages over internet. Every Web server has an IP address and a domain name for the website they are serving web pages for. Web pages are made using HTML and HTML pages are transported using the HTTP protocol which is used by web server, serving web pages. Web server use port 80 for HTTP and port 443 for HTTPS. Web Server is a program that serves Web pages to Web browsers using the Hyper Text Transfer Protocol (HTTP).
Some of the Web Server software contain middle-tier software that act as an application server. This enables users to perform high level tasks, such as querying a database and delivering the output through the Web Server to the client browser as an HTML file. Web servers can be commercial where support and development is provided or it open source where support and development is community-based. Commercial examples being Microsoft Internet Information Server (IIS), IBM Websphere and Bea Weblogic and open source examples being Apache webserver , Nginx and Jakarta Tomcat
Web Server Security Need
The need for web server security is similar to need of securing a website and which is due to
- Stealing of confidential information
- Loss of trust amongst customers
- Litigations due to consumer’s data compromise
- Usage of web server by hackers for unwanted reasons like spamming
Web Server Security Measures
Basic measures for web server security usually includes
- Check for presence of security-related features on the web server like types of authentication, levels of access control, support for remote administration and logging features.
- Install only the required features and remove default features not being used.
- Install the latest version of the web server software along with the latest patches.
- Install web server software in a CHROOT cage.
- Remove all sample files, scripts and executable code from the web server root directory.
- Remove all files which are not part of the Web site
- Reconfigure the HTTP Service so that Web server and Operating System type & version are not reported.
- Create a new custom least-privileged user and group for the Web Server process, unique from all other users and groups.
- Although the server may have to run as root or administrator initially to bind to port 80, the server should not run in this mode.
- The configuration files of the Web Server should be readable by Web Server process but not writable.
- Server Side technologies like Java Servlets, ASP, ColdFusion, etc. for dynamic content should be implemented after due consideration depending on strengths and weaknesses along with associated risk.
- Third-party free modules should not be used without proper checking and verification of their functionality and security.
- Configure the Web server to use authentication and encryption technologies (SSL), where required, along with a mechanism to check the latest CRL (certificate revocation list).