The Security of Web Server Software Programs

As with Web server operating systems, "The more complex the Web server software is, the greater is the chance that something will go wrong." Generally speaking, the more functionality and features that are provided by a Web server, the greater is the likelihood that there are security holes in the software.

Basic Web server software that merely provides access to static files is more secure than sophisticated server software that provides functions such as the execution of CGI scripts, the processing of server-side includes, the handling of scripted errors, and the dynamic listing of directories.

Web server software also differs in the degree of control accorded to browser users. Certain servers allow users access to only certain documents or directories or sub-directories, while some allow full access to everything. Some can be configured to allow access to certain directories according to the IP address of the client machine, or to individuals who know the right password. There are a few Web servers that offer data encryption, a necessity for e-commerce web sites. These are mainly commercial Web servers.

Here is some advice on how to make a Web server more secure:

- By their nature, Web servers have security holes. One of the most common causes of a breach of security is the CGI script. If you cannot get a CGI programming expert to check the scripts' code, at least test the scripts to ensure that they verify the data entered by a browser user before granting access to confidential documents or any services provided by the server's operating system.

- Configure the Web server carefully:-

--- Executable files should be allowed to run only in certain directories that you specify.

--- Source code should not be stored anywhere where it can be downloaded.

--- Automatic directory indexing should be switched off. If you use an external Web hosting company and you cannot switch it off, ensure that all accessible sub-directories contain a default file such as 'index.html' that redirects the browser to the home page.

--- If you do not need them, disable Content Management Systems and other features that allow browser users to edit and manage files on remote servers, such as WebDAV, SMB, SharePoint, etc.

--- Identify potential weak points by utilizing the security tools that come with the server software and the Operating System, such as the Microsoft Internet Information Services (IIS) Lockdown Tool and the URLScan security tool.

- Private and public information should be kept physically well apart. Confidential or sensitive data should not reside on the same machines as publicly accessible Web servers. Intranets should always be protected by a firewall, but extranets can be tricky, if you want to allow certain outsiders to have access to some private data. An extranet Web server should be located outside the firewall. (This is known as a "sacrificial lamb" configuration.) A variation is to set up paired "inner" and "outer" servers. Another possibility is to use a proxy, which intercepts requests and forwards them to the Web server, and then does the same in the reverse direction. Ideally, any publicly accessible Web server should be located on a machine other than that on which the firewall resides.

- A Web server logs all requests. Log files should be checked regularly for any unusual entries, and anything suspicious should be investigated.