Server Security – Issues and Best Practices

Outline

Intro to Server Security

Need for Server Security

Server Security Fundamentals

Server Security Issues

OWASP Top 10 – A6:2017 – Security Misconfiguration

OWASP Top 10 – A10:2017 – Insufficient Logging and Monitoring

Attacks against Server Security Mechanisms

Server Security Best Practices

Intro to Server Security

Intro to Server Security

How does a web application work?

(Diagram: Client and Server; a web application involves servers)

Intro to Server Security (contd.)

Server

A server serves as the host for web applications

It refers to the “server” portion of the client-server architecture

It receives the HyperText Transfer Protocol (HTTP) request message from the client machine’s browser

It authenticates the client based on the user-supplied credentials

It authorizes the client’s access to the requested web application after authentication

Intro to Server Security (contd.)

Server (continued)

It sends an HTTP response header back to the client machine with the response code 200 for successful requests or the response code 404 for page not found (for example, due to a broken link)

It uses ports to make services available to clients

Common port numbers: 80 for HTTP traffic, 443 for HTTPS traffic, 25 for SMTP traffic, 21 for FTP traffic, 23 for telnet traffic, etc.

Examples:

Apache HTTP Server, Apache Tomcat, Microsoft IIS, IBM WebSphere, Oracle WebLogic, Red Hat JBoss EAP, etc.

Intro to Server Security (contd.)

Server Market Share:

Source: Web and Application Servers Market Share Report – Datanyze –

Intro to Server Security (contd.)

What is a Server? – PowerCert Animated Videos

Source: PowerCert Animated Videos – What is a Server? –

Intro to Server Security (contd.)

Server security refers to “the fundamental activities performed as part of securing and maintaining the security of servers that provide services over network communications as a main function” ()

Server security involves the following ():

Installing, configuring, and securing the server Operating System (OS)

Installing, configuring, and securing the server software

Employing appropriate network protection mechanisms

Firewalls, packet filtering routers, proxies, etc.

Ensuring that the hosted web applications are securely coded

Employing secure administration and maintenance processes

Patching and upgrading, testing, monitoring of logs, backing up data and OS

Protecting information and data in a careful/systemic manner

Conducting initial/periodic vulnerability scans of server/network infrastructure

Intro to Server Security (contd.)

Server security (by technology):

security settings

security settings

security settings

security settings

security settings

Server security (by Operating System)

guide

security guide

Guide

Need for Server Security

Need for Server Security

As per :

Servers are frequently targeted by attackers because of the value of their data and services

Servers might contain personally identifiable information that could be used to perform identity theft

Most organizations install servers with standard directory names, directory locations, and filenames, making it easy for attackers to target those servers

The failure of organizations to fully recognize the amount of expense and skills required to field a secure server often results in overworked employees and insecure systems

Need for Server Security (contd.)

As per (continued):

Default hardware and software configurations are typically set by manufacturers to emphasize features, functions, and ease of use, at the expense of security

The default configuration of the OS often includes guest accounts (with and without passwords), administrator or root level accounts, and accounts associated with local and network services

Because manufacturers are unaware of each organization’s security needs, server administrators need to configure new servers to reflect their organizations’ security requirements and reconfigure them as needed

Need for Server Security (contd.)

As per :

Compromised web sites can serve as an entry point for intrusions into many organizations’ internal networks

Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data

Hackers could compromise web server security by:

defacing organizations’ web site or otherwise affecting integrity

executing unauthorized commands on the host OS

launching attacks on external sites from the web server

using the server to deliver attacks against vulnerable clients

using the server to distribute illegally copied software

Need for Server Security (contd.)

As per the Vulnerability Statistics Report, the most common infrastructure vulnerabilities include the following server-related issues:

44.70% – SSL / TLS Version & Configuration Issues

29.53% – SMB Security Issues

8.61% – OpenSSH Vulnerabilities & Configuration Issues

6.25% – Windows Remote Desktop Protocol Server MITM

4.15% – Unencrypted Telnet Services

1.69% – Unsupported & Unpatched Server Detection

Need for Server Security (contd.)

As per the Vulnerability Statistics Report:

33.33% of all high and critical risk vulnerabilities discovered in 2018 were in relation to unsupported Windows Server 2003 systems (no patching, support, end-of-life systems)

7.53% of all high and critical risk vulnerabilities discovered in 2018 related to exposure to CVEs (, ) – Windows Server Message Block (SMB) Remote Code Execution Vulnerability

Systems using Apache and PHP also contributed to the Top 10 due to weak component security and traditional patch management of exposed systems

Need for Server Security (contd.)

Hackers are increasingly using servers to cause data breaches ()

Server Security Fundamentals

Server Security Fundamentals

What is the Apache HTTP Server? – CBT Nuggets

Source: CBT Nuggets – What is the Apache HTTP Server? –

Server Security Fundamentals (contd.)

A basic Apache web server architecture includes the following components ():

Modules

Multi-Processing Modules (MPM)

Apache Portable Runtime (APR) Libraries

Server Security Fundamentals (contd.)

Apache web server architecture:

Modules: functionality that can be used to do things such as authentication, dynamic content generation, encryption, virus scanning, file compression, email services, file transfer services, etc.

Multi-Processing Modules (MPM): special module which allows Apache to be configured as a pure process-based server, a pure threaded server, or both

Apache Portable Runtime (APR) Libraries: provide for platform-specific tuning and optimization

Source: Apache – Apache HTTP Server Version 2.4 Documentation –

Server Security Fundamentals (contd.)

Apache web server security:

Modular architecture

Allows modules to be enabled or disabled to add and remove web server functionality

Only MPM modules can interact directly with the Operating System

Authentication

Modules can authenticate against plain text files and database files including Oracle, MySQL, PostgreSQL, etc.

E.g. , , , , etc.

Source: Apache – Apache HTTP Server Version 2.4 Documentation –

Server Security Fundamentals (contd.)

Apache web server security (continued):

Access Control

The module can restrict access to resources based on IP address or hostname of the client

SSL / TLS

The module provides strong encryption to protect data transmitted between the web server and the client

Proxy

Apache supports both a traditional HTTP proxy and a reverse proxy

Reverse proxy can be used for load balancing

Virtual Hosting Support and Security

Source: TLDP.org – Apache Overview HOWTO –

Server Security Fundamentals (contd.)

Apache web server security (continued):

Configuration Settings

Modules come with several directives related to timeouts, resource consumption, request processing, concurrent connections, etc.

Common Gateway Interface (CGI) & Server Side Includes (SSI)

The suEXEC feature can reduce considerably the security risks involved with allowing users to develop and run private CGI or SSI programs

Logs

The , modules can be used to log everything that happens on the server

Source: Apache.org – Apache HTTP Server Documentation Version 2.4 –
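As an added example (not from the slides or the Apache project), the Apache settings discussed above (access control, SSL / TLS, configuration directives) can be audited for the kind of security misconfiguration the deck covers: this Python script lints a constructed httpd.conf fragment, lists its weak directives, and shows the hardened counterpart producing no findings. The configuration contents, the set of checks and the 10.0.0.0/8 network are assumptions.

```python
# Constructed httpd.conf fragment with weak settings (sample input, not a real server's file).
WEAK_CONF = """\
ServerTokens Full
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
SSLProtocol all
"""

# The same fragment with each setting corrected (Require ip restricts access by client address).
HARDENED_CONF = """\
ServerTokens Prod
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require ip 10.0.0.0/8
</Directory>
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
"""

def legacy_tls_allowed(value):
    # Weak when 'all' is used without excluding the legacy protocol versions.
    toks = set(value.lower().split())
    return "all" in toks and not {"-sslv3", "-tlsv1", "-tlsv1.1"} <= toks

CHECKS = [  # (directive, predicate that is True when its argument is weak, finding text)
    ("ServerTokens", lambda v: v.lower() != "prod", "ServerTokens should be Prod to hide version details"),
    ("Options", lambda v: any(t in ("Indexes", "+Indexes") for t in v.split()),
     "Options Indexes enables directory listing"),
    ("AllowOverride", lambda v: v.lower() != "none", "AllowOverride should be None unless .htaccess is needed"),
    ("SSLProtocol", legacy_tls_allowed, "SSLProtocol still permits SSLv3, TLSv1 or TLSv1.1"),
]

def parse_directives(conf):
    # Yield (directive, argument) pairs; comments and <Section> tags are skipped.
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0], parts[1] if len(parts) > 1 else ""

def audit(conf):
    # Return the findings for a configuration fragment, in file order.
    findings = []
    for name, value in parse_directives(conf):
        for directive, is_weak, finding in CHECKS:
            if name.lower() == directive.lower() and is_weak(value):
                findings.append(finding)
    return findings
```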

Server Security Issues

Server Security Issues

As per (pg. 7), server security issues include:

Source: NIST SP 800-123 – Guide to General Server Security –

Server Security Issues (contd.)

As per (pg. 17-18), other server security issues include the following:

Misconfiguration or other improper operation of the Web server, which may result, for example, in the disclosure or alteration of proprietary or sensitive information. This information can include items such as:

Assets of the organization

Configuration of the server or network that could be exploited for subsequent attacks

Credentials of the users or administrator(s) of the Web server

Inadequate or unavailable defense mechanisms for the Web server to prevent certain classes of attacks, such as DoS attacks, which disrupt the availability of the Web server and prevent authorized users from accessing the Web site when required

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –

Server Security Issues (contd.)

Other server security issues include the following (continued):

Vulnerabilities within the Web server that might allow, for example, attackers to compromise the security of the server and other hosts on the organization’s network by taking actions such as the following:

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –

Server Security Issues (contd.)

OWASP Top 10 – A6:2017 – Security Misconfiguration

Source: OWASP Top 10 2017 A6 – Security Misconfiguration –

Server Security Issues (contd.)

Common server security vulnerabilities:

Source: OWASP Top 10 2017 A6 – Security Misconfiguration –

Server Security Issues (contd.)

OWASP Top 10 – A10:2017 – Insufficient Logging & Monitoring

Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring –

Server Security Issues (contd.)

Common server security vulnerabilities:

Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring –

Server Security Attacks

Server Security Attacks

Most common server security attacks:

Denial of Service (DoS): Attacks may be directed to the server or its supporting network infrastructure, denying or hindering valid users from making use of its services. Attacks may take advantage of the server’s account lockout policy. Attacks may involve uploading many large files. Attacks take advantage of simultaneous network connections.

Malware: Malicious entities may gain unauthorized access to resources elsewhere in the organization’s network via a successful attack on the server

Source: NIST SP 800-123 – Guide to General Server Security –

Server Security Attacks (contd.)

Most common server security attacks (continued):

Man-in-the-Middle (MITM): Password information can be intercepted using network sniffers and used by an attacker to masquerade as an authorized user

SYN Flood: If the maximum number of open connections (or connections that are half-open—that is, the first part of the TCP handshake was successful) is set to a low number, an attacker can easily consume the available connections with illegitimate requests (often called a SYN flood)

Source: NIST SP 800-123 – Guide to General Server Security –

Server Security Attacks (contd.)

Most common server security attacks (continued):

Brute Force: Attackers try every possible password to attempt to gain access to a user’s account

Command Injection: Compromise of sensitive information on backend databases that are used to support a web application

Directory Traversal: Unauthorized access including gaining access to files or folders and being able to execute commands and/or install software on the web server

Replay Attack: An impostor verifier replays the OTP authenticator output to the verifier and successfully authenticates to the web server (NIST SP 800-63b)

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –

Server Security Attacks (contd.)

Replay Attacks – Professor Messer

Source: Replay Attacks – CompTIA Security+ Sy0-401: 3.2 –

Server Security Best Practices

Server Security Best Practices

Best practices for web server security include:

Planning and managing web servers (pg. 33)

Plan the configuration and deployment of the web server

Choose an appropriate Operating System (OS) for the web server

Choose an appropriate platform for the web server

General purpose OS, Trusted OS, web server appliance, virtualized platform, etc.

Securing the web server OS (pg. 41)

Patch and upgrade the OS

Remove or disable unnecessary services and applications

Configure OS user authentication

Configure resource controls appropriately

Install and configure additional security controls

Test the security of the OS

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –

Server Security Best Practices (contd.)

Best practices for web server security include:

Securing the web server (pg. 51)

Securely install the web server

Configure OS and web server access controls

Configure a secure web content directory

Securing web content (pg. 70)

Ensure that sensitive information is not available on the web server

Establish an organization-wide documented formal policy and process for approving public web content

Maintain Web user privacy

Mitigate indirect attacks on content

Consider client-side active content security

Maintain server-side active content security

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –

Server Security Best Practices (contd.)

Best practices for web server security include:

Using authentication and encryption technologies (pg. 86)

Configure web authentication and encryption technologies

Configure SSL / TLS

Protect against brute force attacks

Implementing a secure network infrastructure (pg. 99)

Identify a network location

Assess firewall configuration

Evaluate intrusion detection and prevention systems

Assess network switches

Evaluate load balancers

Evaluate reverse proxies

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –

Server Security Best Practices (contd.)

Best practices for web server security include:

Administering the web server (pg. 113)

Perform logging

Perform web server backups

Recover from a compromise

Test security

Conduct remote administration and content updates

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –

Server Security Best Practices (contd.)

Use the following server security best practices to protect against security misconfiguration:

Source: OWASP Top 10 2017 A6 – Security Misconfiguration –

Server Security Best Practices (contd.)

Use the following server security best practices to protect against insufficient logging and monitoring:

Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring –
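As an added example that is not part of the original slides, the brute force and directory traversal attacks from the attacks table and the "Perform logging" / logging-and-monitoring best practices come together in this Python script: it parses constructed Apache combined-format access log lines and raises alerts for repeated failed logins from one address and for traversal sequences in request paths. The log lines, the /login endpoint and the failed-login threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (sample input, not a real capture).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 404 233 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /files?name=..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.10 - - [10/Oct/2023:13:57:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(  # the combined-format fields the checks below need
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/login"        # assumed login endpoint
BRUTE_FORCE_THRESHOLD = 5    # assumed number of failed logins per IP before alerting

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_traversal(path):
    """Detect '../' sequences, including single- and double-URL-encoded forms."""
    decoded = unquote(unquote(path))
    return "../" in decoded or "..\\" in decoded

def analyze(log_text):
    """Return (alert_type, ip, detail) tuples for traversal attempts and brute-force logins."""
    failed_logins = Counter()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        if rec["path"].startswith(LOGIN_PATH) and rec["status"] in ("401", "403"):
            failed_logins[rec["ip"]] += 1
        if is_traversal(rec["path"]):
            alerts.append(("directory_traversal", rec["ip"], rec["path"]))
    for ip, count in failed_logins.items():
        if count >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("brute_force", ip, f"{count} failed logins"))
    return alerts
```

Traversal alerts are emitted in log order as they are seen; brute-force alerts are emitted once per address after the whole input has been counted, so a single failed login (as for 192.0.2.10) produces nothing.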

Recap

Server security issues continue to be among the OWASP Top 10 list of web application security risks

This is due to weaknesses in server technologies such as authentication, access controls, configuration, connections, encryption, active content, logs, etc.

Hackers are able to exploit the weaknesses using attacks such as DoS, malware, MITM, SYN flood, brute force, command injection, directory traversal, replay attacks, etc.

Best practices to protect servers include planning and managing web servers, securing the web server OS, securing the web server, securing web content, using authentication and encryption technologies, implementing a secure network infrastructure, administering the web server, etc.

Thank you!!!
