Web-Site Security Template
Columns: SECURITY RISK | PASS/FAIL
- Remove the welcome banner from the web server; it can tempt hackers by appearing to 'invite' them into your site.
- Hard-coded passwords should never be in .asp/.asa files or scripts.
- Install the latest patches and be proactive!
- Disable IP addresses in the HEADER file of your web pages; the Content-Location header exposes IP addresses.
- Control cookies and applets that show user preferences. Disable them by replacing the cookie file or directory with a zero-length file having no read or write permissions, or, on Unix, delete the cookies file and replace it with a link to /dev/null.
- Clear the NT Event Log, or /var/adm/messages in UNIX.
- Restrict virtual paths (the ".." dot bug) and their hex representation (0x2e).
- Set appropriate ACLs on virtual directories.
- Set ASP -> Everyone (X), Admin (Full Control), System (Full Control).
- Use disk quotas to limit the amount of data that can be written to directories.
- Be aware of browser differences (::$DATA in Netscape saves the location to a file).
- Remove CIF files (PC Anywhere) and setup.log or install.log files that contain path/user info.
- Limit malformed requests that append files and could cause a buffer overflow.
- Check whether a hacker can submit a password change request with an intentionally missing delimiter.
- If using a PKI, know all your Trusted Root Certificate Authorities (CAs).
- Remove sample applications such as the IIS samples, IIS documentation, and Data Access (\MSADC) from production servers.
- Limit IDC (Internet Database Connector) and FTP (port 21 control, port 20 data): these are areas used to break in remotely.
- Be cautious with server-side scripting (.stm, .shtm, .shtml).
- Be aware of Internet Printing (.printer).
- Remember that IIS ADMPWD is not removed when you upgrade from IIS 4 to IIS 5.
- No interpreters, shells, scripting engines, or extensible programs should be in cgi-bin.
- Remove unnecessary compilers (VB) and interpreters (Perl) if NOT using CGI scripts.
- Review security best practices and update the internal security policy.
- Web server permissions: content files/directories should be readable, not writable, by the web server; however, the web server should be able to write but not read the log files.
- Config files should not be served as web content. No config files should be in the root; redirect using chroot().
- Turn off IP routing on the application proxy, with a single default route to the screening router.
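As an added example that is not part of the original template, the following Python script automates three of the checks above from the defender's side: it parses an HTTP response and flags a Server banner or an internal IP leaked through Content-Location, it normalises a requested virtual path (decoding %2e / 0x2e, including double encoding) and rejects anything that climbs above the virtual root or carries the ::$DATA suffix, and it walks a webroot to flag leftover .cif/.log/.ini files and content that is writable by group or other. The sample response, the temporary demo webroot, and the list of sensitive suffixes are all constructed here for illustration and are not taken from any real server.

```python
"""Added example, not part of the original checklist: three small defensive
checks that automate items from the list above (header leakage, virtual
path restriction, and webroot permissions). All sample inputs are
constructed here; no real server is contacted."""
from __future__ import annotations

import ipaddress
import os
import re
import stat
import tempfile
from urllib.parse import unquote

# Constructed sample response, modelled on the leaks the checklist names:
# a Server banner and a Content-Location header carrying an internal IP.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Location: http://10.0.0.5/default.asp\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def find_header_leaks(raw_response: str) -> list[str]:
    """Flag a Server banner and any private/loopback IP in Content-Location."""
    findings = []
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "server" and value:
            findings.append(f"Server banner exposed: {value}")
        elif name == "content-location":
            for ip in IPV4_RE.findall(value):
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    continue
                if addr.is_private or addr.is_loopback:
                    findings.append(f"Content-Location exposes internal address: {ip}")
    return findings


def is_safe_virtual_path(path: str, max_decode_rounds: int = 3) -> bool:
    """Reject traversal ('..' literal or %2e-encoded, even double-encoded),
    NUL bytes, and the ::$DATA stream suffix before the path reaches the server."""
    decoded = path
    for _ in range(max_decode_rounds):      # peel off nested percent-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded or "::$" in decoded:
        return False
    depth = 0
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:                   # climbed above the virtual root
                return False
        else:
            depth += 1
    return True


SENSITIVE_SUFFIXES = (".cif", ".log", ".ini")   # assumed list of install/remote-control leftovers


def audit_webroot(root: str) -> list[str]:
    """Flag sensitive leftovers under the webroot and content writable by group/other."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower().endswith(SENSITIVE_SUFFIXES):
                findings.append(f"sensitive file under webroot: {rel}")
            if os.stat(full).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"content writable by group/other: {rel}")
    return sorted(findings)


def build_demo_webroot() -> str:
    """Create a throwaway webroot: one clean page, one leftover log, one writable image."""
    root = tempfile.mkdtemp(prefix="demo-webroot-")
    for rel, mode in (("index.html", 0o644), ("setup.log", 0o644), ("images/logo.gif", 0o666)):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    for f in find_header_leaks(SAMPLE_RESPONSE):
        print("header:", f)
    for p in ("/images/logo.gif", "/scripts/../../winnt/repair",
              "/%252e%252e/boot.ini", "/default.asp::$DATA"):
        print("path:", p, "->", "ok" if is_safe_virtual_path(p) else "REJECT")
    for f in audit_webroot(build_demo_webroot()):
        print("webroot:", f)
```

The path check deliberately decodes more than once: a single unquote would pass `%252e%252e` through as harmless text, and a later decoding stage in the server would turn it into `..`. The permission audit reports group/other write bits only; tightening the owner-side split the checklist asks for (content read-only, logs write-only) is a deployment setting and is left to the server's own ACLs.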