CertiGuide to Security+, Chapter 3: Infrastructure Security (Domain 3.0; 20%)


3.6  Summary
(Page 7 of 10)

Hardening Web Servers

Web servers are frequently business-critical, both for internal use and for giving customers and business partners access to some company resources (to order, check status, share information, etc.). They generally use port 80 (for HTTP) and port 443 (for SSL, or HTTP/S). No matter whose web server software you use, and which version of it, you are likely vulnerable now, or will be vulnerable in the future, to a web-server-based exploit, so stay on top of updates to the web server software. Some steps you may want to take when hardening a web server include:

  • Ensure that the web server is not running any additional services it does not require, such as FTP (if you don’t use it), databases (which should be on a different machine), etc.

  • Follow vendor-provided and user-community provided guidelines for securely configuring the web server (specific to each type of server).

  • Remove any sample scripts and pages provided by the vendor that you are not using, and for that matter, any other scripts and pages you might have installed that you are no longer using (each is a potential vulnerability, and vendor-provided scripts have OFTEN been the source of exploits).

  • Harden any third-party products you’re using, like Java server engines, ColdFusion engines, etc., by referring to vendor-provided and user-community-provided guidelines for securing those products.

  • Follow secure coding principles for software developed in-house or by consultants, to reduce vulnerability to attacks like buffer overflows and SQL injection (users embedding malicious code into form data used to update or query databases).
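The SQL injection item above, shown as working code. This is an added example, not code from the CertiGuide text: an in-memory SQLite table with two constructed user rows, a login check that pastes form data straight into the SQL string, and the same check written with parameter placeholders. The crafted password value is the standard textbook illustration; the point is the contrast in how the two versions treat it.

```python
# SQL injection: string-built query beside its parameterized form.
# Example code with an in-memory SQLite database; the users table and
# its rows are constructed for the demo (plaintext passwords only for
# brevity; real systems store salted hashes).
import sqlite3


def build_db():
    """Create a throwaway users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Form data is concatenated into the SQL text, so it can change the
    query's logic instead of being compared as a value."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Placeholders keep form data as data; the driver binds the values
    after the statement is parsed, so they can never become SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"  # classic textbook input, used to show the contrast
    print("vulnerable, wrong password :", login_vulnerable(db, "alice", "wrong"))
    print("vulnerable, crafted input  :", login_vulnerable(db, "alice", crafted))
    print("parameterized, crafted     :", login_parameterized(db, "alice", crafted))
```

With the crafted value, the concatenated query becomes `... WHERE username = 'alice' AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable check "succeeds" without a password. The parameterized version compares the literal string `' OR '1'='1` against the stored password and correctly fails.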

Consider employing a web-server-specific scanner to probe your server for known exploits, to help ensure that you have locked it down as well as possible.
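A small audit for the first checklist item (no services the web server does not need). This is an added example, not part of the CertiGuide text: it parses the output of the Linux `ss -ltn` command and reports every listening TCP port outside an allowlist. The sample output, the allowlist (HTTP, HTTPS and SSH for administration) and the port-name map are assumptions constructed for the demo.

```python
# Audit of listening TCP services on a web server: parse `ss -ltn` output
# and flag anything outside an allowlist. Example code; the sample output
# below is constructed, not captured from a real host.
import subprocess

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       511      0.0.0.0:80           0.0.0.0:*
LISTEN  0       511      0.0.0.0:443          0.0.0.0:*
LISTEN  0       128      0.0.0.0:21           0.0.0.0:*
LISTEN  0       70       127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128      [::]:22              [::]:*
"""

# Ports a hardened web server is expected to listen on (assumption: SSH
# is kept for administration).
WEB_SERVER_ALLOWED_PORTS = {22, 80, 443}

# Small name map so findings are readable; extend as needed.
PORT_NAMES = {21: "ftp", 23: "telnet", 25: "smtp", 110: "pop3", 143: "imap",
              1433: "mssql", 3306: "mysql", 5432: "postgresql"}


def parse_listeners(ss_output):
    """Return (bind address, port) pairs from `ss -ltn` style output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or something we do not understand
        # rpartition splits on the last ':' so IPv6 forms like '[::]:22' stay intact
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def unexpected_listeners(ss_output, allowed_ports):
    """List (port, service name, bind address) for listeners not in the allowlist.
    Loopback-only listeners are reported too: a database bound to 127.0.0.1
    still belongs on a different machine."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in allowed_ports:
            findings.append((port, PORT_NAMES.get(port, "unknown"), addr))
    return sorted(findings)


def audit_live_host(allowed_ports=WEB_SERVER_ALLOWED_PORTS):
    """Run `ss -ltn` on the local machine (Linux with iproute2) and audit it."""
    result = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True)
    return unexpected_listeners(result.stdout, allowed_ports)


if __name__ == "__main__":
    for port, name, addr in unexpected_listeners(SAMPLE_SS_OUTPUT, WEB_SERVER_ALLOWED_PORTS):
        print(f"unexpected listener: {name} on {addr}:{port}")
```

Against the constructed sample the audit reports FTP on port 21 and MySQL on port 3306, exactly the two examples the checklist names. On a real host, run `audit_live_host()` after each change and keep the allowlist under version control so an unexplained new listener shows up as a diff.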

Hardening Email Servers

Email servers are another tool critical for internal and external communication. For sending email to and receiving email from other servers, and for receiving email from clients, they use TCP port 25 (SMTP). For allowing clients to check their mailboxes and retrieve email for reading on their PCs, email servers use port 110 (POP3), port 143 (IMAP), or both. For a client behind your firewall to retrieve email from an Internet-based mail server, you must open outbound port 110 or 143 on your firewall. For a client outside your firewall to retrieve email from an internal server on your network, you must open inbound port 110 or 143 on your firewall. Like web servers and other common servers, email server software is a known source of many vulnerabilities; few email servers have never fallen victim to a security bug, so keep up to date on vulnerability notices and patches. Make sure that you have closed any “open relays” in your organization.
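The open-relay point above, expressed as a relay policy you can reason about and test. An open relay is a mail server that accepts mail from any client for any destination; a closed relay only accepts mail that is either addressed to a domain it hosts or submitted by one of its own (authenticated or on-network) users. This is an added example, not code from the CertiGuide text or from any mail server: the hosted domain, trusted network ranges and client addresses are constructed (documentation ranges), and the two policy functions stand in for what a real MTA decides at the RCPT TO stage.

```python
# SMTP relay policy: open relay beside a closed relay, plus a self-check
# that tells the two apart. Example code with constructed addresses.
import ipaddress

# Assumptions for the demo: one hosted domain and one internal network.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("127.0.0.0/8")]


def recipient_domain(rcpt_to):
    """Domain part of a RCPT TO address, tolerating the '<...>' SMTP form."""
    return rcpt_to.strip().strip("<>").rsplit("@", 1)[-1].lower()


def open_relay_decision(client_ip, rcpt_to, authenticated=False):
    """The misconfiguration: every recipient is accepted from every client."""
    return "250 OK"


def closed_relay_decision(client_ip, rcpt_to, authenticated=False,
                          local_domains=LOCAL_DOMAINS,
                          trusted_networks=TRUSTED_NETWORKS):
    """Accept inbound mail for our domains and outbound mail from our users;
    refuse to carry anyone else's mail to third parties."""
    if recipient_domain(rcpt_to) in local_domains:
        return "250 OK"  # inbound delivery to a domain we host
    client = ipaddress.ip_address(client_ip)
    if authenticated or any(client in net for net in trusted_networks):
        return "250 OK"  # outbound mail from our own users
    return "554 5.7.1 Relay access denied"


def policy_allows_open_relay(policy, outside_client="198.51.100.7",
                             outside_recipient="someone@other.example"):
    """True if an unauthenticated external client can relay to an external
    recipient, which is the defining open-relay condition."""
    return policy(outside_client, outside_recipient).startswith("250")


if __name__ == "__main__":
    cases = [("198.51.100.7", "someone@other.example", False),  # stranger -> stranger
             ("198.51.100.7", "<user@example.com>", False),     # inbound to us
             ("192.0.2.10", "someone@other.example", False),    # our LAN outbound
             ("198.51.100.7", "someone@other.example", True)]   # our roaming user
    for ip, rcpt, auth in cases:
        print(ip, rcpt, "auth" if auth else "anon", "->",
              closed_relay_decision(ip, rcpt, authenticated=auth))
    print("open relay?", policy_allows_open_relay(open_relay_decision),
          policy_allows_open_relay(closed_relay_decision))
```

The ordering of the checks matters: the destination test comes first so inbound mail is never turned away, and the "is this our user" test comes before the refusal so roaming staff who authenticate can still send. Postfix expresses the same policy with `permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination` in its relay restrictions; other MTAs have equivalent settings, and the self-check above is the kind of test to run against your own server after changing them.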




CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.