
Web-Site Security Template

SECURITY RISK PASS/FAIL


Remove the web server's welcome banner (product and version string); it tells an attacker exactly what software to target and reads as an invitation into your site.
Never hard-code passwords in .asp/.asa files or scripts.
Install latest patches and be proactive!
Stop the server from revealing internal IP addresses in response headers; the Content-Location header that IIS adds exposes the server's IP address.
Control cookies and applets that record user preferences. Disable them by replacing the cookie file or directory with a zero-length file that has no read or write permissions, or, on Unix, delete the cookies file and replace it with a symbolic link to /dev/null.
Archive, then clear, the NT Event Log (or /var/adm/messages on UNIX) so it does not fill up.
Restrict virtual paths against directory traversal (the ".." dot-dot bug), including its hex-encoded form (0x2e, sent as %2e).
Set appropriate ACLs on virtual directories.
Set ACLs on .asp files as: Everyone = execute (X) only; Administrators = Full Control; SYSTEM = Full Control.
Use disk quotas to limit the amount of data that can be written to
directories
Be aware of browser differences (e.g. how a URL with ::$DATA appended is handled: Netscape saves the returned content to a file).
Remove pcAnywhere .CIF files and any setup.log or install.log files; they contain path and user information.
Limit malformed requests, such as overlong file names appended to a request, which could cause a buffer overflow.
Check whether an attacker can submit a password change request with an intentionally missing delimiter.
If using a PKI, know all of your Trusted Root Certificate Authorities (CAs).
Remove sample applications such as the IIS samples, IIS documentation and Data Access (\MSADC) from production servers.
Limit IDC (Internet Database Connector) and FTP (port 21 control, port 20 data); both are common entry points for remote break-ins.
Be cautious with server-side includes and scripting (.stm, .shtm, .shtml).
Be aware of Internet Printing (.printer).
Remember that the IISADMPWD virtual directory is not removed when you upgrade IIS 4 to IIS 5.
No interpreters, shells, scripting engines or extensible programs should be in cgi-bin.
Remove unnecessary compilers (VB) and interpreters (PERL) if NOT using CGI scripts.
Review Security Best Practices and update internal security policy
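The traversal and ::$DATA items above are request-time checks, so the following Python function is an added example of how a server-side front end could enforce them; it is not part of the template. WEB_ROOT is an assumed location and the decode limit is a design choice, and the rejection of any ':' in the path is what catches the ::$DATA stream suffix. It goes slightly beyond the checklist by also unwrapping double percent-encoding (%252e) and refusing embedded NUL bytes.

```python
"""Request-path validation for the traversal and ::$DATA items above.
Added example, not part of the template; WEB_ROOT is an assumed location."""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"   # assumption: where served content lives
MAX_DECODE_ROUNDS = 3           # enough to unwrap %252e-style double encoding


def fully_decode(raw: str) -> str:
    """Percent-decode until the string stops changing, so %2e (0x2e),
    %252e and similar all become a literal '.' before traversal is checked."""
    cur = raw
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    # Still changing after the limit: treat as hostile rather than guess.
    raise ValueError("excessive percent-encoding")


def safe_path(request_path: str) -> Optional[str]:
    """Map a request path onto the filesystem under WEB_ROOT.
    Returns None when the request must be refused."""
    try:
        decoded = fully_decode(request_path)
    except ValueError:
        return None
    # IIS accepts '\\' as a separator, so normalise it before looking for '..'
    decoded = decoded.replace("\\", "/")
    # A NUL truncates C strings downstream; it is never legitimate in a path
    if "\x00" in decoded:
        return None
    # ':' is not valid in a Windows file name; refusing it also blocks the
    # NTFS '::$DATA' stream suffix that returns script source instead of output
    if ":" in decoded:
        return None
    parts = [p for p in decoded.split("/") if p]
    # Refuse any '..' component outright instead of trusting normalisation
    if any(p == ".." for p in parts):
        return None
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, *parts))
    # Belt and braces: the resolved path must still sit under the root
    if resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for req in ("/default.asp", "/scripts/..%2f..%2fwinnt/system32/cmd.exe",
                "/scripts/%252e%252e/winnt", "/default.asp::$DATA"):
        print(f"{req!r:45} -> {safe_path(req)}")
```

Because every '..' component is refused before normalisation, a request such as /images/../default.asp is rejected even though it would resolve inside the root; that strictness is deliberate, since legitimate links never need to climb.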

Web Server Permissions: content files and directories should be readable but not writable by the web server account. Log files are the reverse: the server should be able to write (append to) them but not read them. Configuration files must never be served as web content and should not live under the web root; confine the server to its content tree with chroot().
Turn off IP routing on the application proxy and give it a single default route to the screening router.
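As an added example (not from the template), the following Python audit walks a constructed web root and log directory and reports the conditions the checklist and the permissions paragraph describe: leftover installer and pcAnywhere files, sample application directories, credentials hard-coded in .asp/.asa files, config files under the web root, content writable by anyone but its owner, and log files that are readable rather than write-only. The file names, sample directory names, credential regex and the Unix-style permission model are assumptions.

```python
"""Web-root and log-directory audit for the checklist items above.
Added example, not from the template; names and patterns are assumptions."""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

LEFTOVER_NAMES = {"setup.log", "install.log"}          # installer residue
LEFTOVER_SUFFIXES = {".cif"}                            # pcAnywhere files
SAMPLE_DIRS = {"iissamples", "iisadmin", "iisadmpwd", "msadc", "iishelp"}
CONFIG_SUFFIXES = {".conf", ".config", ".ini"}
SCRIPT_SUFFIXES = {".asp", ".asa"}
# pwd=... / Password="..." inside connection strings or script assignments
CRED_RE = re.compile(r"(?i)\b(pwd|password|passwd)\s*=\s*['\"]?[^;'\"\s]+")


def audit_webroot(webroot: str) -> List[str]:
    """Return one finding per checklist violation found under webroot."""
    findings = []
    root = Path(webroot)
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if path.name.lower() in SAMPLE_DIRS:
                findings.append(f"sample application directory present: {rel}")
            continue
        name, suffix = path.name.lower(), path.suffix.lower()
        if name in LEFTOVER_NAMES or suffix in LEFTOVER_SUFFIXES:
            findings.append(f"leftover file with path/user info: {rel}")
        if suffix in CONFIG_SUFFIXES:
            findings.append(f"config file inside web root: {rel}")
        if suffix in SCRIPT_SUFFIXES:
            for m in CRED_RE.finditer(path.read_text(errors="replace")):
                findings.append(f"hard-coded credential in {rel}: {m.group(0)}")
        # Content is owned by an admin account; the server runs as another
        # user, so any group/other write bit lets it modify content.
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"content writable by group/other: {rel} ({oct(mode)})")
    return findings


def audit_logs(logdir: str) -> List[str]:
    """Logs are owned by the server account: owner-write must be set and
    no read bit may be set at all (write-only, mode 0200)."""
    findings = []
    for path in Path(logdir).iterdir():
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        readable = mode & (stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
        if readable or not (mode & stat.S_IWUSR):
            findings.append(f"log readable or not writable: {path.name} ({oct(mode)})")
    return findings


def build_sample_tree() -> Tuple[str, str]:
    """Constructed fixture reproducing several checklist failures."""
    base = tempfile.mkdtemp()
    web, logs = Path(base, "wwwroot"), Path(base, "logs")
    (web / "msadc").mkdir(parents=True)        # sample Data Access dir left behind
    logs.mkdir()
    (web / "default.asp").write_text('<% Response.Write("hi") %>')
    (web / "global.asa").write_text(
        'Application("conn") = "Provider=SQLOLEDB;UID=sa;Password=s3cret;"')
    (web / "setup.log").write_text("Installed to C:\\Inetpub by user admin")
    (web / "web.config").write_text("<configuration/>")
    (web / "upload.htm").write_text("<html/>")
    for f in web.rglob("*"):
        if f.is_file():
            os.chmod(f, 0o644)                 # correct: read-only for the server
    os.chmod(web / "upload.htm", 0o666)        # wrong: anyone can rewrite it
    (logs / "ex000101.log").write_text("")
    os.chmod(logs / "ex000101.log", 0o200)     # correct: write-only
    (logs / "error.log").write_text("")
    os.chmod(logs / "error.log", 0o644)        # wrong: readable
    return str(web), str(logs)


if __name__ == "__main__":
    web_dir, log_dir = build_sample_tree()
    for finding in audit_webroot(web_dir) + audit_logs(log_dir):
        print(finding)
```

Run against a real tree, audit_webroot and audit_logs give the PASS/FAIL evidence the template asks for; an empty findings list is a pass. The credential regex deliberately stops at ';', quotes and whitespace so the finding quotes only the offending assignment, not the whole connection string.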
