APP.3.2 Web Servers

Description

Introduction

A web server is the core component of every web offering; it receives requests from clients and returns the corresponding content. Data is typically transported using the Hypertext Transfer Protocol (HTTP) or its version encrypted with Transport Layer Security (TLS), HTTP Secure (HTTPS). Since web servers offer a simple interface between server applications and clients, they are also frequently used for internal information and applications in institution networks, such as the intranet.

Web servers are generally directly accessible on the internet and thus present an exposed attack surface. They must therefore be secured by appropriate protective measures.

Objective

The objective of this building block is the protection of the web server and the information provided or processed by it.

Scope and Modeling

The building block must be applied to all web servers in the information domain.

The designation “web server” is used both for the software that answers HTTP requests and for the IT systems on which this software runs. This building block primarily focuses on the web server software. Security aspects of the IT system on which the web server software is installed are addressed in the building block SYS.1.1 General Server and the respective operating system-specific building blocks.

Recommendations on how to integrate web servers into the network architecture and secure them with firewalls can be found in the building blocks NET.1.1 Network Architecture and Design and NET.3.2 Firewall.

The building block addresses fundamental aspects important for the provision of web content. Dynamic content provided by web applications is not the subject of the present building block. These are addressed in the building block APP.3.1 Web Applications and Web Services. Web services are likewise not considered here.

Web browsers are not addressed in this building block. Requirements for these are found in the building block APP.1.2 Web Browsers.

As a rule, connections to web servers are encrypted. The building block CON.1 Cryptography Concept describes how the cryptographic keys needed for this can be securely managed.

If web servers are not operated in-house but are provided via a hosting provider, the building block OPS.2.3 Use of Outsourcing must be observed.

Authentication mechanisms are often used for web servers. Supplementary requirements for these are found in the building block ORP.4 Identity and Authorization Management.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used as the basis for describing the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block APP.3.2 Web Servers.

Loss of Reputation

If an attacker succeeds in gaining access to a web server with administrative rights, a manipulated web page can be delivered (defacement). This can damage the institution’s reputation. Similarly, the publication of incorrect information, such as erroneous product descriptions, can cause the institution to suffer reputationally in public. The institution can also receive a formal warning if content that violates statutory provisions is published on its website. Damage can also occur if the website is unavailable and potential customers switch to competitors as a result.

Manipulation of the Web Server

During an attack, unauthorized persons could gain access to a web server and manipulate its files. For example, the configuration of the web server software could be changed, malware could be distributed, or web content could be modified.

Denial of Service (DoS)

DoS attacks can deliberately impair the availability of a web offering, for example by locking individual accounts through failed login attempts.

DDoS (Distributed Denial of Service) attacks can cause a web server to partially or completely fail. The web offering then becomes only very slow or entirely unavailable to clients. For many institutions, such an outage can quickly become business-critical, e.g., for online shops.

Loss of Confidential Data

Many web servers still use outdated cryptographic methods such as RC4 or SSL. Insufficient authentication or unsuitable encryption can result in the communication between clients and web servers being intercepted or manipulated. The same applies to communication between the web server and other servers, such as load balancers.

Violation of Laws or Regulations

There are various regulatory requirements for publishing web content. In addition to the rules of telecommunications and data protection laws, copyright law must also be observed. Violations of these laws can have legal consequences.

Missing or Deficient Error Handling

If errors occur during the operation of a web server, this can affect, for example, its availability. Content may also be displayed incompletely, or security mechanisms may fail. If errors are not handled correctly, both the operation and the protection of the functions and data of a web server can no longer be guaranteed.

Requirements

The following are the specific requirements of the building block APP.3.2 Web Servers. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These SHOULD be filled insofar as this is meaningful and appropriate.

Responsibilities              Roles
Primarily responsible         IT Operations
Additional responsibilities   Process Owner, Compliance Officer, Central Administration

Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many people SHOULD fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block.

APP.3.2.A1 Secure Configuration of a Web Server (B)

After IT Operations installs a web server, it MUST carry out a secure basic configuration. In particular, it MUST assign the web server process to an account with minimal rights. The web server MUST be run in a sandboxed environment if this is supported by the operating system. If this is not possible, each web server SHOULD be run on its own physical or virtual server.

All unnecessary write permissions MUST be removed from the web server service. Modules and functions of the web server that are not required MUST be disabled.

APP.3.2.A2 Protection of Web Server Files (B)

IT Operations MUST protect all files on the web server, especially scripts and configuration files, so that they cannot be read or changed without authorization.

It MUST be ensured that web applications can only access a defined directory tree (WWW root directory). The web server MUST be configured to only deliver files that are located within the WWW root directory.

IT Operations MUST disable all unused functions that list directory contents. Confidential data MUST be protected against unauthorized access. In particular, IT Operations MUST ensure that confidential files are not located in public directories of the web server. IT Operations MUST regularly check whether confidential files have been stored in public directories.

APP.3.2.A3 Securing File Uploads and Downloads (B)

All files published via the web server MUST be checked for malware beforehand. A maximum size for file uploads MUST be specified. Sufficient storage space MUST be reserved for uploads.

APP.3.2.A4 Logging of Events (B)

The web server MUST log at least the following events:

  • successful accesses to resources,
  • failed accesses to resources due to insufficient authorization, non-existent resources, and server errors, and
  • general error messages.

The log data SHOULD be regularly evaluated.
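As an added example (not part of the building block), a Python evaluation of constructed common-log-format lines: it counts the event classes A4 requires (successful accesses, failures due to missing authorization or non-existent resources, server errors) and flags clients with repeated failed accesses. The sample lines, client addresses and the failure threshold are constructed for this illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the common log format (not real traffic); clients use documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /admin/ HTTP/1.1" 403 210
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /.env HTTP/1.1" 404 180
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 180
198.51.100.9 - - [10/May/2024:12:00:05 +0000] "GET /about.html HTTP/1.1" 200 2048
198.51.100.9 - - [10/May/2024:12:00:06 +0000] "POST /api/orders HTTP/1.1" 500 64
garbage line that the parser must not swallow silently
"""

# One common-log-format line: client, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_log(text):
    # Non-matching lines are returned separately so that they can be reviewed rather than lost.
    entries, malformed = [], []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
        elif line.strip():
            malformed.append(line)
    return entries, malformed

def evaluate(entries, failure_threshold=3):
    """Count the event classes A4 requires and flag clients with repeated failed accesses."""
    classes = Counter()
    failures = defaultdict(int)
    for e in entries:
        status = e["status"]
        if status < 400:
            classes["success"] += 1
        elif status in (401, 403):
            classes["unauthorized"] += 1
            failures[e["client"]] += 1
        elif status == 404:
            classes["not_found"] += 1
            failures[e["client"]] += 1
        elif status >= 500:
            classes["server_error"] += 1
    suspicious = sorted(c for c, n in failures.items() if n >= failure_threshold)
    return dict(classes), suspicious
```

Run `evaluate(parse_log(SAMPLE_LOG)[0])` to see the class counts and the clients that exceeded the threshold; the second element of `parse_log` lists lines that need manual review.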

APP.3.2.A5 Authentication (B)

If clients authenticate against the web server using passwords, these MUST be stored in cryptographically secured form and protected against unauthorized access.

APP.3.2.A6 DISCONTINUED (B)

This requirement has been discontinued.

If content is published for third parties or services are offered via the web server, the relevant legal framework conditions MUST be observed. The institution MUST comply with the applicable telecommunications and data protection laws as well as copyright law.

APP.3.2.A11 Encryption via TLS (B)

The web server MUST offer secure encryption via TLS for all connections through untrusted networks (HTTPS). If it is necessary for compatibility reasons to use outdated methods, these SHOULD be restricted to as few cases as possible.

If an HTTPS connection is used, ALL content MUST be delivered via HTTPS. So-called mixed content MUST NOT be used.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be met.

APP.3.2.A8 Planning the Use of a Web Server (S)

The purpose for which the web server is to be used and the content it is to provide SHOULD be planned and documented. The documentation SHOULD also describe the information or services of the web offering and the respective target groups. Appropriate responsible parties SHOULD be designated for the technical operation and the web content.

APP.3.2.A9 Defining a Security Policy for the Web Server (S)

A security policy SHOULD be created that names the required measures and responsibilities. Furthermore, rules SHOULD be established on how information on current security vulnerabilities is obtained. Rules SHOULD also be established on how security measures are implemented and how to proceed in the event of security incidents.

APP.3.2.A10 Selection of an Appropriate Web Host (S)

If the institution does not operate the web server itself but uses services from external companies as part of web hosting, the institution SHOULD pay attention to the following points when selecting a suitable web host:

  • The services to be provided SHOULD be contractually regulated. Security aspects SHOULD be recorded in writing within the contract in a Service Level Agreement (SLA).
  • The IT systems used SHOULD be regularly checked and maintained by the web host. The web host SHOULD be obliged to respond promptly in the event of technical problems or a compromise of customer systems.
  • The web host SHOULD implement basic technical and organizational measures to protect its information domain.

APP.3.2.A12 Appropriate Handling of Errors and Error Messages (S)

Neither the product name nor the version of the web server in use SHOULD be apparent from the HTTP response headers or from the error messages displayed. Error messages SHOULD NOT output details about system information or configurations. IT Operations SHOULD ensure that the web server only outputs general error messages that inform clients that an error has occurred. The error message SHOULD contain a unique identifier that enables IT Operations to trace the error in the server-side logs. In the event of unexpected errors, it SHOULD be ensured that the web server does not remain in a state in which it is vulnerable to attacks.

APP.3.2.A13 Access Control for Web Crawlers (S)

Access by web crawlers SHOULD be regulated according to the robots exclusion standard. Content SHOULD be given access protection to protect it from web crawlers that do not comply with this standard.

APP.3.2.A14 Integrity Checks and Protection Against Malware (S)

IT Operations SHOULD regularly check whether the configurations of the web server and the files it provides are still intact and have not been altered by attacks. Files intended for publication SHOULD be regularly checked for malware.
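An added Python example serving both A2 and A14, not part of the building block: it records a SHA-256 manifest of the WWW root, later reports changed, added and removed files, and lists files or directories whose names suggest confidential data stored in public directories. The pattern list and the temporary WWW root with its files are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# Names that should never sit in a public directory (constructed list for this example, the A2 check).
CONFIDENTIAL = [r"^\.env$", r"^\.git$", r"^\.htpasswd$", r"\.bak$", r"\.sql$", r"^config.*\.php$"]

def build_manifest(root):
    """SHA-256 of every file below the WWW root, keyed by relative path (the A14 baseline)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def find_confidential(root):
    hits = []  # files and directories whose basename matches a CONFIDENTIAL pattern
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if any(re.search(p, name) for p in CONFIDENTIAL):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def audit(root, baseline):
    current = build_manifest(root)  # diff against the baseline, then scan for confidential names
    return {
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "confidential": find_confidential(root),
    }

def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Constructed WWW root: take a baseline, then simulate a defaced page and a leaked dump."""
    root = tempfile.mkdtemp()
    write(root, "index.html", "<h1>Welcome</h1>")
    write(root, "assets/app.js", "console.log('ok')")
    baseline = build_manifest(root)
    write(root, "index.html", "<h1>Changed</h1>")
    write(root, "backup/db-dump.sql", "-- constructed sample")
    return audit(root, baseline)
```

In operation the baseline manifest would be stored outside the WWW root (and outside the web server's write permissions) and `audit` run on a schedule; any non-empty result is a finding to investigate.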

APP.3.2.A16 Penetration Testing and Audits (S)

Web servers SHOULD be regularly checked for security problems. Audits SHOULD also be carried out regularly. The results SHOULD be documented in a comprehensible manner, adequately protected, and treated confidentially. Deviations SHOULD be investigated. The results SHOULD be presented to the ISO.

APP.3.2.A20 Designation of Contact Persons (S) [Central Administration]

For extensive web offerings, the institution SHOULD designate central contact persons for the web offerings. Processes, procedures, and responsible parties for problems or security incidents SHOULD be named.

The institution SHOULD publish a contact option on its website through which security problems can be reported to the institution. The institution SHOULD define processes for handling external security reports.

Requirements for High Protection Needs

The following are example proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. These proposals SHOULD be considered when there is a high protection need. The specific determination takes place in the context of an individual risk analysis.

APP.3.2.A15 Redundancy (H)

Web servers SHOULD be designed with redundancy. The internet connection of the web server and further IT systems, such as the web application server, SHOULD also be designed with redundancy.

APP.3.2.A17 DISCONTINUED (H)

This requirement has been discontinued.

APP.3.2.A18 Protection Against Denial-of-Service Attacks (H)

The web server SHOULD be continuously monitored. Furthermore, measures SHOULD be defined and implemented that prevent or at least mitigate DDoS attacks.

APP.3.2.A19 DISCONTINUED (H)

This requirement has been discontinued.

Additional Information

Good to Know

The Federal Office for Information Security has published the following further documents that may be relevant for the operation of web servers:

  • Migration to TLS 1.2 - Action Guide
  • Secure Web Hosting: Recommendations for Web Hosts
  • Securely Providing Web Offerings (ISi-Webserver)

The National Institute of Standards and Technology (NIST) provides guidance on securing public web servers in its document “Guideline on Securing Public Web Servers”.