Security Training
Security Certification
Cyber Security Graduate School
Internet Storm Center
Security Awareness Training
Computer Forensics
Penetration Testing
IT Audit
Software SecuritySANS InfoSec Reading Room - Web Servers
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
Featuring 24 papers as of Jun 19, 2013
Securing Blackboard Learn on Linux- By: David Lyon (posted on December 1, 2011)
- Blackboard Learn (Bb Learn) is an application suite providing educational technology to facilitate online, web based learning. It is typical to see Bb Learn hosting courses and content. Common add-ons include the Community and Content systems which are licensed separately.
- Using Web Application Firewall to detect and block common web application attacks
- By: Issac Kim (posted on November 29, 2011)
- Over the last few years, vulnerabilities in web applications have been the biggest threat in information technology (IT) environment (Modsecurity, 2011). According to the open source vulnerability database (OSVDB), web application threats become almost fifty percent of all vulnerabilities in 2010 (HP DVlabs, 2010).
- A comparative study of attacks against Corporate IIS and Apache Web Servers
- By: Craig Wright (posted on August 29, 2011)
- It has been suggested that Microsoft Server Software is more likely to be attacked than Linux (Broersma, 2005) due to perceived insecurities within these systems. Previous research has focused on investigating the trends2 against the underlying operating system as a whole (Honeynet Project & Research Alliance, 2005b, 2005a).
- Protecting Users: The Importance Of Defending Public Sites
- By: Kristen Sullivan (posted on January 18, 2011)
- In the application security industry, one of the hardest elements to communicate to customers is the need for building secure web applications even if those applications transmit minimally sensitive data. The purpose of this document is to provide a valid case for why all applications should follow a minimum standard for secure coding practices. Many assume the only applications requiring protection are those which store sensitive or confidential data, but that is a grievous misjudgment. Additionally, with tight budgets and limited security resources, it is hard to justify reasons for securing public facing sites only offering open record information. The main cause of this is a lack of understanding the risk associated.
- A Reverse Proxy Is A Proxy By Any Other Name
- By: Art Stricek (posted on January 18, 2007)
- This paper will cover the concept of a Reverse Proxy by defining what it is and how it differs from a forward proxy. We will cover the benefits and drawbacks of using this technology as a part of our network infrastructure, along with the security advantages and possible risks.
- Secure Session Management: Preventing Security Voids in Web Applications
- By: Luke Murphey (posted on May 5, 2005)
- Internet users all over the world are using web-based systems to manage important data for them such as bank account and healthcare information. Users assume that these systems are securely designed but many web applications have severe security flaws that allow simple attacks to succeed.
- Securing an IIS Web Server Using Novell’s iChain
- By: Jeff Hermans (posted on May 5, 2005)
- Web servers are open to many threats just by the nature of their exposure to the Internet. Although the inherent security built into web server products is improving, adding unique layers to the security design proves to be successful in almost any implementation.
- A Guide to Discovering Web Application Insecurities, Before Attackers Do
- By: Don Williams (posted on March 9, 2005)
- It is all over the news: web based attacks are climbing, month over month, year over year. At the same time companies are attempting to combat such attacks, attackers are devising new methods to infiltrate systems. In the event you were on a reality show for the last few years and missed the latest news, just take a glance at these alarming statistic
- Authentication and Session Management on the Web
- By: Paul Johnston (posted on January 28, 2005)
- This paper discusses how these requirements are met, primarily looking at how users are authenticated and login sessions maintained. We start by looking at the existing security measures for the basic website. Then we look at the various options for authenticating users in general, concluding that passwords are the only viable option.
- Domino Web Server
- By: Karen Zwolski (posted on May 2, 2004)
- Lotus Notes/Domino is a widely used group collaboration and messaging platform originally designed to work in a client-server architecture using proprietary protocols. The client is known as Notes, and the server is known as Domino.
- Web Authentication Security
- By: Donna Selman (posted on November 6, 2003)
- This document discusses several web authentication security techniques: Digest Authentication, Database Authentication, Anonymous Authentication, and N-Tier Authentication, used to provide web browser clients access to the file systems on their host computers.
- Security Elements of IIS 6.0
- By: Anthony DeVoto (posted on November 5, 2003)
- This discussion will focus on the security elements of IIS 6.0 as well as the security improvements made to those elements in this release.
- Securing IIS within an Outook Web Access 2000 environment
- By: Dave Munger (posted on October 31, 2003)
- The purpose of this document is to show you how to harden the security on the Internet Information Service 5.0 (IIS 5.0) on a Windows 2000 server where OWA is running.
- Security Strengths and Weaknesses of Two Popular Web Servers
- By: Brad Bell (posted on October 31, 2003)
- This paper examines the security strengths and weaknesses of two web servers, Apache and Microsoft's Internet Information Server.
- Securing Microsoft's Internet Information Server 5.0
- By: Ben White (posted on October 31, 2003)
- This paper will provide IIS administrators with the steps to secure their web server installations.
- Proactively Guarding Against Unknown Web Server Attacks
- By: William Geiger (posted on October 31, 2003)
- The premise of this paper is to review various ways of protecting web servers from unknown attacks over port 80. The author examines the technology, explains why it is effective, and identifies areas where further diligence is required.
- Understanding IIS Vulnerabilities - Fix Them!
- By: Nor Azuwa Pahri (posted on October 31, 2003)
- This paper examnes the vulnerabilities of Internet Information Server/Service (IIS).
- Securing a Windows 2000 IIS Web Server - Lessons Learned
- By: Harpal Parmar (posted on October 31, 2003)
- This paper offers detail on some of the quirks to watch for while securing an IIS server.
- Using Open Source Software to Proxy, Authenticate, and Monitor User Web Habits
- By: Jason D. Gregg (posted on October 31, 2003)
- This paper will attempt to address what time and again is a problem for network and security administrators: monitoring user access to the Internet in an environment where blocking resources may not be ideal, cost effective, or in accordance with company policy.
- Securing Microsoft Web Applications - A Guide for Systems Administrators
- By: Matt Pogue (posted on October 31, 2003)
- The purpose of this paper is to provide systems administrators with a high-level overview of some of the major security considerations surrounding web applications that utilize Microsoft's Internet Information Server, SQL Server and Component Object Model (COM+), as well as links to in-depth technical information that expands upon the high-level topics discussed here. The author also discusses considerations for writing secure code, implementing secure DNS services, and packet filtering/proxy configurations, and explores the need for more interaction between systems administrators and development staff during the initial planning and design phases of the development cycle.
- Web Application Security, with a Focus on ColdFusion
- By: Joseph Higgins (posted on October 31, 2003)
- This paper examines securing two aspects of web applications (scripting language and application code) by focusing on ColdFusion (CF): default installation, two-step attacks, remote development, and security holes in the code, and input encryption, which are the major issues in most web applications.
- Securing e-Commerce Web Sites
- By: Ariel Pisetsky (posted on October 31, 2003)
- The author explores how to build a secure e-Commerce web site.
- Basic IIS 5.0 Default Web Server Security
- By: Terri Carroll (posted on October 31, 2003)
- Outlined in this paper are steps for securing an internet information server; such actions provided security enough to have protected many systems from the outbreak of the CodeRed worm and may have assisted in preventing spread of the Nimda worm - two of the most wide spread worms to have affected IIS systems.
- Using Microsoft's IISlockdown Tool to Protect Your IIS Web Server
- By: Jeff Wichman (posted on October 31, 2003)
- Informational instructions on the IISlockdown tool including common exploits for IIS servers, best practices for installing the IISlockdown tool and information on tools used to test following the installation.
Check Them Out!
GIAC certs are concerned with real applications and principles, rather than vendor products and implementations.
-Rob VandenBrink
