NIST issues guide to securing Web servers

The 142-page document, issued by NIST’s Information Technology Laboratory, presents a laundry list of ways in which Web servers (essentially applications that make information available over the Internet) can be vulnerable, including:
• Exploitation of software bugs in the Web server
• Denial of service (DoS) attacks
• Unauthorized reading or modification of sensitive information held on the Web server
• Compromising "backend" data through command injection attacks, such as Structured Query Language (SQL) injection, Lightweight Directory Access Protocol (LDAP) injection, and cross-site scripting (XSS)
• Interception of unencrypted communications
• Web site defacement for malicious purposes
• Using a compromised Web server to attack external entities
• Using a compromised Web server to distribute pornography or illegally copied software
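The "command injection" bullet above names SQL and LDAP injection without showing what they look like. The following is an added example written for this page (not code from the NIST guide or from GSN) that contrasts a query built by string concatenation with a parameterized one against an in-memory SQLite table, and an LDAP search filter built with and without RFC 4515 escaping. The table contents, user names and the attack strings are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demo only: plaintext passwords are
# themselves a bad practice and are used here just to keep the query short.
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """Build a throwaway in-memory database with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so a value such
    as "alice' --" closes the string literal and comments out the password
    check. Returns the matched username, or None."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened: placeholders keep the input as data; the same attack string
    is compared literally against the username column and matches nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def ldap_escape(value):
    """Escape the characters RFC 4515 section 3 reserves in filter values
    (* ( ) \\ and NUL) as backslash plus two hex digits."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldap_filter_vulnerable(username):
    """Vulnerable: "*)(uid=*" turns a single-user lookup into a filter that
    matches every person entry in the directory."""
    return f"(&(objectClass=person)(uid={username}))"


def ldap_filter_safe(username):
    """Hardened: the same input is escaped, so it can only match an entry
    whose uid literally contains the metacharacters."""
    return f"(&(objectClass=person)(uid={ldap_escape(username)}))"


if __name__ == "__main__":
    conn = make_db()
    attack = "alice' --"
    print("SQL, string-built:  ", login_vulnerable(conn, attack, "wrong"))
    print("SQL, parameterized: ", login_parameterized(conn, attack, "wrong"))
    ldap_attack = "*)(uid=*"
    print("LDAP, unescaped:    ", ldap_filter_vulnerable(ldap_attack))
    print("LDAP, escaped:      ", ldap_filter_safe(ldap_attack))
```

The SQL half logs in as the constructed "alice" account with a wrong password only through the string-built query; the parameterized version rejects it. The LDAP half prints the two filters side by side, since evaluating them needs a directory server; the point is that escaping turns the injected `)(uid=*` into inert literal characters.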
The report outlines ways in which organizations can install, configure and maintain secure public Web servers by following best practices that apply to:
• Underlying operating systems
• Web server software
• Network protection mechanisms, such as firewalls, routers, switches, and intrusion detection and prevention systems
• Maintenance of patches and upgrades
"Web servers are often the most targeted and attacked hosts on organizations’ networks," the NIST report observes. "As a result, it is essential to secure Web servers and the network infrastructure that supports them."
