Netscape and Microsoft Web servers provide other
server-side programming features, such as Java and server-side plug-ins. In
general, any server-side programming mechanism has the potential to be
Server-side plug-ins are compiled and integrated with the
Web server software. They allow server-side applications to be developed that
is because they are called directly by the server instead of being run as a
The performance gain of server-side plug-ins is offset by
the difficulty of developing them. Because server-side plug-ins are closely
integrated with the server, any errors in the plug-in could easily result in
the complete failure of the server.
Web Application Access Controls
Most Web servers provide the capability to control access
to certain Web pages and their associated Web applications. These controls may
be based on host name, IP address, user name and password, or other
identification and authentication mechanisms. Failure to implement restrictions
on some applications, such as your server's management software, could lead to
serious security holes.
Operating-system file permissions are closely related to
Web-Application access controls. These permissions determine which Files users
and applications are able to read, write and execute. These controls are
important to protecting your Web site. In Particular, write permission to the
directories containing CGI Programs and server-configuration files should be
limited to the most trusted users. Failure to do so weakens the security of
your Web server, opening it up to a broader spectrum of attacks.
If your server stores financial information, such as credit
card Data, the permissions of these files should be set to prevent them from
being read by other applications. If at all possible, these files should be
In the event that your server is penetrated, the
privileges of your server become those of the penetrator. Therefore, the login
privileges of the Web server itself should be limited to the minimum needed to
perform its function.
Other Server-Side Security Considerations
In addition to the vulnerability mentioned in the previous
articles, Web servers are vulnerable to a wide range of attacks aimed at their
application services and communication protocols. If a Web server supports
other Internet services, such as telnet or FTP, then the server inherits all of
the vulnerabilities of these services. The good news is that you can eliminate
these vulnerabilities by turning off the additional services.
Web server is on the Internet, then it, by definition, must support the
Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is notorious
for its security vulnerabilities. These vulnerabilities include susceptibility
to spoofing, session hijacking, and session monitoring. While these
vulnerabilities are common to all systems that are on the Internet, they need
to be considered when assessing the risk of setting up a Web server. If the
perceived risk is too high, then you may want to implement a firewall or
another network security countermeasure.
As a final consideration, the operating system platform on
which the Web server runs is also a potential source of security
vulnerabilities. In general, multi-user operating systems, such as UNIX, pose a
higher risk than single-user systems, such as the Macintosh and Windows 98. The
security of most multi-user systems depends on the reliability and
trustworthiness of all system users. If a single user is careless or
untrustworthy, then the security of the entire system could be jeopardized.
Most multi-user operating systems provide security controls, such as file
permissions, that prevent a user from viewing or modifying the files of others.
However, to be effective, these controls must be correctly applied.
Although Web servers exist for the Macintosh, Windows 98,
and Windows 95 platforms, most midlevel-to-high-end servers run on Windows NT
and UNIX platforms. This is because Windows NT and Unix provide a fuller set of
operating system services for implementing more complex and capable server
Both Windows NT and Unix' have advantages and
disadvantages as far as security goes. The main advantage of Windows NT is that
it does not support (without additional software purchases) many of the
services, such as Telnet, Internet mail and the X Windows System, that are
provided out of the box with UNIX systems. These services may be used by a
penetrator to gain remote access to a UNIX system. The primary advantage of
UNIX is its maturity. It has been subjected to hacking for many years,
including years before Windows NT was conceived. As a result, most of the UNIX
security bugs have been identified and countermeasures have been implemented.
Under a security-conscious system administrator, a UNIX Web site can be made as
secure as it would be using other operating-System platforms