A web servers is one of the most common services to find running on a system today.  They serve a wide variety of content types, can be easily configured to serve a limited or broad audience, and are quick to install and configure.  Configuring one securely requires a bit more effort, and is the focus of this best practice document.

Below we’ve provided some specific guidance on problems we often see with the two most common web servers: Apache, and Microsoft’s Internet Information Server (IIS).    You are encouraged to look at the documentation available for your web server and learn about its security settings before loading pages and web applications into it.  If you have advice for other web server installations, please let us know and we can help you share the information with your colleagues.

Apache Configuration Tricks

* Do not allow the server to serve php include files

Most php applications have include files and these files often contain sensitive information like system configuration data and passwords to databases.  It is important that people browsing your site via the web server cannot see the contents of these files under any circumstances.  Apache can be configured to prevent the sharing of these files by adding the following to your httpd.conf file and restarting the web server:

<Files ~ "\.inc(.php)?">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>

Remember to test that it works after making the change!

* Do not allow public execution of phpinfo.php files.

The phpinfo.php script is sometimes included by web applications or added by web developers to gain more information about the web environment and php configuration that is necessary for debugging.  Under the hood, these scripts call a debugging function called phpinfo() that will report a lot of information such as your operating system type and kernel version.  It is generally ill advised to give such information out to anyone who asks for it.  In order to support your campus web developers you may need to make such scripts available to them, but you can add the following to your httpd.conf file to restrict access to campus users.

<Files ~ "phpinfo.php$">
  Order allow,deny
  Allow from 128.197.
  Allow from 168.122.
  Allow from 155.41.
  Deny from all
  Satisfy All
</Files>

Remember to test that it works after making the change!

* Disallow TRACK and TRACE directives

The TRACK and TRACE directives can be used by developers to debug certain types of problems on your web server, but odds are that you’ll never ever use them.  Attackers, however, may use them against you to gain additional information about your server configuration.  It is generally a bad idea to give out more information than you need to, so we advise turning this function off.

For Apache version 1.3.34 (or later 1.3.x versions), or apache 2.0.55 (or later), this has been made easy. Just add the line “TraceEnable off” to your httpd.conf file and restart the server. If you are running an Apache that is older than either of these versions you should upgrade.

Older versions of Apache can achieve similar functionality using rewrite rules by adding the following to the configuration file:

# Turn on the rewrite engine
RewriteEngine On
RewriteLog logs/rewrite-log
RewriteLogLevel 4
# Get rid of track and track
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

* Weak SSL ciphers

The default configuration of Apache’s SSL module allows a wide variety of ciphers that are weaker than necessary for most applications.  In general, if you’re using SSL you want the data to be transmitted as securely as possible so allowing weak ciphers only dilutes the security you were hoping to achieve.  You can change the ciphers available for use by altering the SSLCipherSuite directive in your httpd.conf or ssl.conf file (depends on your installation).  Setting the variable as follows gets rid of ciphers that have less than 128 bits, several export ciphers and some of the weaker Diffie-Hellman ciphers.

SSLCipherSuite !ADH:!EXP:RSA:HIGH:MEDIUM:!NULL:!LOW

Be aware that this may interfere with the ability of some computers sold and operated outside of the US from connecting to your SSL server because there will be no cipher available for them.  If that isn’t you audience, however, this should work just fine.

* Disable SSL Version 2

The SSL Version 2 protocol contains numerous cryptographic flaws that makes it unsafe for use, yet it is still supported by Apache and selected by default by a number of clients that are capable of using something better.  It is advised that you force browsers to use SSL Version 3 or TLS Version 1 by removing the support for SSL Version 2.  This can be done via the configuration file (httpd.conf or ssl.conf depending on your installation) by supplying the SSLProtocol Directive as follows:

SSLProtocol all -SSLv2

IIS Configuration Tricks

* Installing and Securing IIS

Microsoft has dedicated a chapter in their Improving Web Application Security: Threats and Countermeasures Guide to Securing Your [IIS] Web Server that you should review for helpful advice on how to best install and configure your web server for secure operation.

The steps required to secure IIS vary for each version of IIS.  The people at Windows Security have put together a guide for installing and securing IIS servers that covers the basics for each version of the server.  We advise that you take a look through the guide and follow the instructions that are relevant to your environment.

* Disable SSL Version 2

The SSL Version 2 protocol contains numerous cryptographic flaws that makes it unsafe for use, yet it is still supported by IIS and selected by default by a number of clients that are capable of using something better.  It is advised that you force browsers to use SSL Version 3 or TLS Version 1 by removing the support for SSL Version 2.  Microsoft has provided Knowledge Base Article on Disabling SSL Protocols in IIS.