Draft - Web Server Security Standard
Description
Web servers are typically the most exposed and targeted systems. If they are not properly secured they introduce a significant risk to Lehigh University. The following are the minimum standards which must be maintained for all web servers available on the Internet. Failure to maintain these standards could result in a firewall rule being revoked and the web server only being available to our campus.
Scope
Required for all Lehigh web servers exposed to the Internet. Recommended guidance for web servers on our internal network. This standard is maintained by Lehigh’s System Engineering team.
Security Requirements
The Center for Internet Security (CIS) publishes secure configurations which represent best security practices.
NIST SP 800-44 v2 - Guidelines on Securing Public Web Servers
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Implementation
Patch and/or upgrade operating system to maintain the OS in a secure state. Security patches should be applied within 30 days of release.
Configure operating system to meet vendor/system best practices
Principle of Least Privilege
Disable all services which are not necessary.
All accounts should have only the permissions they require
Remove or disable unnecessary accounts
Change all default passwords and ensure they meet Lehigh password guidelines
OS should be maintained by a qualified administrator. Contact LTS for support options if a local qualified administrator is not available.
Lehigh security tools are installed and properly configured. This will include endpoint detection, host firewalls, IDS, and others.
Patch and/or upgrade server components which have critical/high security flaws. This includes, but is not limited to, Apache, IIS, PHP, and NGINX.
Configure Web server to meet recommended best practices.
Disable all unnecessary services
Configure the server to prohibit access to content not intended for public distribution. Disallow directory browsing.
Separate web server directories from operating system and application directories
Use secure encryption technologies such as TLS. Configure the server to redirect HTTP to HTTPS and enable HTTP Strict Transport Security (HSTS).
All web services must be accessible exclusively via HTTPS on port 443. Plain-text HTTP on port 80 should be completely disabled, if feasible. SSL certificates must be maintained to ensure the integrity and confidentiality of data.
This can cause problems for users with old bookmarks or who type domain names manually. If this is of concern, HTTP on port 80 may be enabled and must be configured to return a 301 "Moved Permanently" redirect to HTTPS if accessed by clients.
Web server responses should include the Strict-Transport-Security header with an appropriately large max-age, e.g.:
Strict-Transport-Security: max-age=31536000
(where 31536000 seconds is one year)
HTTPS must be configured to use TLS 1.2 or 1.3.
All versions of SSL, along with TLS 1.0 and TLS 1.1, must not be used.
Weak TLS cipher suites should be disabled.
A list of cipher suites with security ratings and explanations can be found at https://ciphersuite.info/cs/?security=all&sort=sec-desc&singlepage=true. Prefer algorithms labeled 'Recommended' and 'Secure'.
Any cipher suite with the following keywords must be disabled: NULL, anon, EXPORT, RC4, DES, 3DES, MD5
Contact security@lehigh.edu if you require assistance with selecting and configuring cipher suites.
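The HTTPS/HSTS requirements (port 80 either closed or returning a 301 to HTTPS, Strict-Transport-Security with a one-year max-age) and the TLS requirements (TLS 1.2/1.3 only, no cipher suite containing NULL, anon, EXPORT, RC4, DES, 3DES or MD5) can be checked mechanically. The script below is an added example written for this page; it is not part of the Lehigh standard and not a Lehigh tool. The pure functions operate on values you already have (a header string, a cipher-suite name, a protocol name) and are fed by constructed sample observations; observe_server() is the only part that touches the network. The OpenSSL alias map (ADH/AECDH for anonymous suites, EXP for EXPORT) is an assumption added so that OpenSSL short names are matched against the standard's keywords as well as IANA names.

```python
"""Compliance checks for the HTTPS/HSTS and TLS/cipher-suite requirements.

Added example, not part of the Lehigh standard.
"""
import http.client
import socket
import ssl

# One year in seconds: the max-age the standard's example uses.
MIN_HSTS_MAX_AGE = 31536000

# Cipher-suite keywords the standard forbids (compared case-insensitively).
FORBIDDEN_CIPHER_KEYWORDS = {"NULL", "ANON", "EXPORT", "RC4", "DES", "3DES", "MD5"}

# Assumption: OpenSSL short names abbreviate some of these keywords, so map
# the common abbreviations onto the standard's wording before matching.
OPENSSL_ALIASES = {"ADH": "ANON", "AECDH": "ANON", "EXP": "EXPORT"}

# Protocol versions the standard permits, named as ssl.SSLSocket.version() reports them.
ALLOWED_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample observations (not taken from any real host).
SAMPLE_WEAK = {"hsts": "max-age=300", "tls_version": "TLSv1.1",
               "cipher": "DES-CBC3-SHA", "http_status": 200, "http_location": None}
SAMPLE_GOOD = {"hsts": "max-age=31536000; includeSubDomains", "tls_version": "TLSv1.3",
               "cipher": "TLS_AES_256_GCM_SHA384", "http_status": 301,
               "http_location": "https://www.example.com/"}


def hsts_max_age(header_value):
    """Return the max-age directive of an HSTS header value, or None if absent/invalid."""
    if not header_value:
        return None
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None


def hsts_is_compliant(header_value, minimum=MIN_HSTS_MAX_AGE):
    """True when the header is present and its max-age meets the minimum."""
    age = hsts_max_age(header_value)
    return age is not None and age >= minimum


def forbidden_cipher_keywords(suite_name):
    """Return the forbidden keywords found in a cipher-suite name (IANA or OpenSSL style)."""
    tokens = suite_name.upper().replace("-", "_").split("_")
    tokens = [OPENSSL_ALIASES.get(t, t) for t in tokens]
    return sorted(FORBIDDEN_CIPHER_KEYWORDS.intersection(tokens))


def tls_version_is_allowed(version):
    return version in ALLOWED_TLS_VERSIONS


def audit(observations):
    """Turn observed values into a list of findings; an empty list means compliant."""
    findings = []
    if not hsts_is_compliant(observations.get("hsts")):
        findings.append(f"Strict-Transport-Security missing or max-age below {MIN_HSTS_MAX_AGE}")
    version = observations.get("tls_version")
    if not tls_version_is_allowed(version):
        findings.append(f"negotiated {version}; only TLS 1.2 and 1.3 are permitted")
    cipher = observations.get("cipher") or ""
    bad = forbidden_cipher_keywords(cipher)
    if bad:
        findings.append(f"cipher suite {cipher} uses forbidden {', '.join(bad)}")
    status = observations.get("http_status")
    location = observations.get("http_location") or ""
    # Port 80 closed is acceptable; if it answers, it must 301 to an https:// URL.
    if status is not None and not (status == 301 and location.lower().startswith("https://")):
        findings.append(f"port 80 answered {status} instead of a 301 redirect to https://")
    return findings


def observe_server(host, timeout=5.0):
    """Collect the values audit() needs from a live host (network access required)."""
    obs = {"hsts": None, "tls_version": None, "cipher": None,
           "http_status": None, "http_location": None}
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            obs["tls_version"] = tls.version()
            obs["cipher"] = tls.cipher()[0]
    https = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    https.request("HEAD", "/")
    obs["hsts"] = https.getresponse().getheader("Strict-Transport-Security")
    https.close()
    try:
        plain = http.client.HTTPConnection(host, 80, timeout=timeout)
        plain.request("HEAD", "/")
        resp = plain.getresponse()
        obs["http_status"], obs["http_location"] = resp.status, resp.getheader("Location")
        plain.close()
    except OSError:
        pass  # port 80 closed or filtered, which the standard allows
    return obs


if __name__ == "__main__":
    import sys
    target = observe_server(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WEAK
    for finding in audit(target) or ["compliant"]:
        print(finding)
```

Run with a hostname to audit a live server, or with no argument to see the findings for the constructed weak sample. Note that observe_server() only reports the single cipher suite and protocol the local client negotiated; a full scan of every suite the server will accept needs a dedicated TLS scanner, which this example does not attempt.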
Implement firewalls to restrict access to the web server. Only allow traffic to necessary ports (typically 80/http and 443/https).
Web server administrators are responsible for ensuring they are receiving, reviewing, and reacting to vulnerability reports monthly. Please contact security@lehigh.edu to schedule vulnerability reports/tickets.
Enable logging and connect to Lehigh’s central logging service.
System backups - Based on the criticality of a system, its web content, application configs, and operating system should be backed up.
Related
Definitions
Exposed to Internet - The term "exposed to the Internet" refers to computer systems, services, or resources on Lehigh’s network that are accessible directly from the Internet, meaning they can be reached, interacted with, or potentially exploited by someone on the Internet without any intermediary systems or layers of security, such as a firewall. When a system or service is "exposed to the Internet," it generally has a public IP address and listens for incoming connections from the outside world.
Revision History
Date | Version | Description | Approval
---|---|---|---
Apr 25, 2024 | 1.0.1 | Revisions | Draft