{"id":6555,"date":"2009-10-09T10:05:24","date_gmt":"2009-10-09T14:05:24","guid":{"rendered":"https:\/\/www.bu.edu\/tech\/?page_id=6555"},"modified":"2015-02-03T09:20:04","modified_gmt":"2015-02-03T14:20:04","slug":"web","status":"publish","type":"page","link":"https:\/\/www.bu.edu\/tech\/about\/security-resources\/bestpractice\/web\/","title":{"rendered":"Securing Web Servers"},"content":{"rendered":"<p>A web server is one of the most common services to find running on a system today.\u00a0 Web servers deliver a wide variety of content types, can be easily configured to serve a limited or broad audience, and are quick to install and configure.\u00a0 Configuring one securely requires a bit more effort, and is the focus of this best practice document.<\/p>\n<p>Below we&#8217;ve provided some specific guidance on problems we often see with the two most common web servers: <a href=\"#apache\">Apache<\/a> and <a href=\"#iis\">Microsoft&#8217;s Internet Information Server (IIS)<\/a>.\u00a0 You are encouraged to look at the documentation available for your web server and learn about its security settings before loading pages and web applications into it.\u00a0 If you have advice for other web server installations, please let us know and we can help you share the information with your colleagues.<\/p>\n<h3><a name=\"apache\"><\/a>Apache Configuration Tricks<\/h3>\n<p><strong>* Do not allow the server to serve PHP include files<\/strong><\/p>\n<p>Most PHP applications have include files, and these files often contain sensitive information like system configuration data and passwords to databases.\u00a0 It is important that people browsing your site via the web server cannot see the contents of these files under any circumstances.\u00a0 Apache can be configured to refuse to serve these files by adding the following to your httpd.conf file and restarting the web server (the pattern matches any file name containing .inc, which also covers .inc.php):<\/p>\n<pre style=\"padding-left: 30px;\">&lt;Files ~ \"\\.inc(\\.php)?\"&gt;\r\n  Order allow,deny\r\n  Deny from all\r\n  Satisfy All\r\n&lt;\/Files&gt;<\/pre>\n<p>Remember to test that it works after making the change!<\/p>\n<p><strong>* Do not allow public execution of phpinfo.php files.<\/strong><\/p>\n<p>The phpinfo.php script is sometimes included by web applications or added by web developers to gain more information about the web environment and PHP configuration that is necessary for debugging.\u00a0 Under the hood, these scripts call a debugging function called phpinfo() that will report a lot of information such as your operating system type and kernel version.\u00a0 It is generally ill-advised to give such information out to anyone who asks for it.\u00a0 In order to support your campus web developers you may need to make such scripts available to them, but you can add the following to your httpd.conf file to restrict access to campus users.<\/p>\n<pre style=\"padding-left: 30px;\">&lt;Files ~ \"phpinfo\\.php$\"&gt;\r\n  Order allow,deny\r\n  Allow from 128.197.\r\n  Allow from 168.122.\r\n  Allow from 155.41.\r\n  Deny from all\r\n  Satisfy All\r\n&lt;\/Files&gt;<\/pre>\n<p>Remember to test that it works after making the change!<\/p>\n<p><strong>* Disallow the TRACK and TRACE methods<\/strong><\/p>\n<p>The TRACK and TRACE HTTP methods can be used by developers to debug certain types of problems on your web server, but odds are that you&#8217;ll never use them.\u00a0 Attackers, however, may use them against you to gain additional information about your server configuration.\u00a0 It is generally a bad idea to give out more information than you need to, so we advise turning this function off.<\/p>\n<p>For Apache version 1.3.34 (or later 1.3.x versions), or Apache 2.0.55 (or later), this has been made easy. Just add the line &#8220;TraceEnable off&#8221; to your httpd.conf file and restart the server. If you are running an Apache that is older than either of these versions you should upgrade.<\/p>\n<p>Older versions of Apache can achieve similar functionality using rewrite rules by adding the following to the configuration file:<\/p>\n<pre style=\"padding-left: 30px;\"># Turn on the rewrite engine\r\nRewriteEngine On\r\n# Optional: log rewrite decisions while testing (level 4 is verbose; lower it or remove it in production)\r\nRewriteLog logs\/rewrite-log\r\nRewriteLogLevel 4\r\n# Reject TRACE and TRACK requests with 403 Forbidden\r\nRewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)\r\nRewriteRule .* - [F]<\/pre>\n<p><strong>* Weak SSL ciphers<\/strong><\/p>\n<p>The default configuration of Apache&#8217;s SSL module allows a wide variety of ciphers that are weaker than necessary for most applications.\u00a0 In general, if you&#8217;re using SSL you want the data to be transmitted as securely as possible, so allowing weak ciphers only dilutes the security you were hoping to achieve.\u00a0 You can change the ciphers available for use by altering the SSLCipherSuite directive in your httpd.conf or ssl.conf file (depending on your installation).\u00a0 Setting the directive as follows gets rid of ciphers with keys shorter than 128 bits (LOW), the export ciphers (EXP), the anonymous Diffie-Hellman ciphers (ADH), and the NULL ciphers that provide no encryption at all.<\/p>\n<pre style=\"padding-left: 30px;\">SSLCipherSuite !ADH:!EXP:RSA:HIGH:MEDIUM:!NULL:!LOW<\/pre>\n<p>Be aware that this may prevent some computers sold and operated outside of the US from connecting to your SSL server, because there will be no cipher available for them.\u00a0 If that isn&#8217;t your audience, however, this should work just fine.<\/p>\n<p><strong>* Disable SSL Versions 2 and 3<\/strong><\/p>\n<p>The SSL version 2 and 3 protocols contain numerous cryptographic flaws that make them unsafe for use, yet they are still supported by Apache and selected by default by a number of clients that are capable of using something better. It is advised that you force browsers to use TLS Version 1.2 by removing the support for SSL. This can be done via the configuration file (httpd.conf or ssl.conf depending on your installation) by supplying the SSLProtocol directive as follows:<\/p>\n<pre style=\"padding-left: 30px;\">SSLProtocol all -SSLv2 -SSLv3<\/pre>\n<p>Note that this directive removes only the SSL versions; TLS 1.0 and 1.1 remain enabled alongside TLS 1.2 unless you restrict the protocol list further.<\/p>\n<h3><a name=\"iis\"><\/a>IIS Configuration Tricks<\/h3>\n<p><strong>* Installing and Securing IIS<\/strong><\/p>\n<p>Microsoft has dedicated a chapter in their <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms994921.aspx\">Improving Web Application Security: Threats and Countermeasures Guide<\/a> to <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/aa302432.aspx\">Securing Your [IIS] Web Server<\/a> that you should review for helpful advice on how to best install and configure your web server for secure operation.<\/p>\n<p>The steps required to secure IIS vary for each version of IIS.\u00a0 The people at Windows Security have put together a guide for <a href=\"http:\/\/www.windowsecurity.com\/articles\/Installing_Securing_IIS_Servers_Part1.html\" target=\"_blank\">installing and securing IIS servers<\/a> that covers the basics for each version of the server.\u00a0 We advise that you take a look through the guide and follow the instructions that are relevant to your environment.<\/p>\n<p><strong>* Disable SSL Versions 2 and 3<\/strong><\/p>\n<p>The SSL version 2 and 3 protocols contain numerous cryptographic flaws that make them unsafe for use, yet they are still supported by IIS and selected by default by a number of clients that are capable of using something better.\u00a0 It is advised that you force browsers to use TLS Version 1.2 by removing the support for SSL.\u00a0 Microsoft has provided a <a href=\"http:\/\/support.microsoft.com\/kb\/187498\">Knowledge Base article on disabling SSL protocols in IIS<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A web server is one of the most common services to find running on a system today.\u00a0 Web servers deliver a wide variety of content types, can be easily configured to serve a limited or broad audience, and are quick to install and configure.\u00a0 Configuring one securely requires a bit more effort, and is the focus&#8230;<\/p>\n","protected":false},"author":2127,"featured_media":0,"parent":6549,"menu_order":4,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/6555"}],"collection":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/users\/2127"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/comments?post=6555"}],"version-history":[{"count":21,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/6555\/revisions"}],"predecessor-version":[{"id":85897,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/6555\/revisions\/85897"}],"up":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/6549"}],"wp:attachment":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/media?parent=6555"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}