
Reading Room


Web Servers

Featuring 24 Papers as of December 1, 2011

  • Securing Blackboard Learn on Linux by David Lyon - December 1, 2011 

    Blackboard Learn (Bb Learn) is an application suite providing educational technology to facilitate online, web based learning. It is typical to see Bb Learn hosting courses and content. Common add-ons include the Community and Content systems which are licensed separately.

  • Using Web Application Firewall to detect and block common web application attacks by Issac Kim - November 29, 2011 

    Over the last few years, vulnerabilities in web applications have been the biggest threat in the information technology (IT) environment (ModSecurity, 2011). According to the Open Source Vulnerability Database (OSVDB), web application vulnerabilities accounted for almost fifty percent of all vulnerabilities in 2010 (HP DVLabs, 2010).
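    The detect-and-block idea the abstract describes, as an added example that is not code from the paper or from ModSecurity: a minimal signature-based inspector that URL-decodes each request target (repeatedly, so double-encoded payloads do not slip past the patterns) and then matches it against a few rules for SQL injection, cross-site scripting and path traversal. The request lines and rule names are constructed for this example; a real WAF rule set is far larger and is tuned against false positives.

```python
import re
from typing import List
from urllib.parse import unquote_plus

# Constructed sample request lines (method and target), standing in for a WAF's view of traffic.
SAMPLE_REQUESTS = [
    "GET /products?id=42",
    "GET /products?id=42%27%20OR%20%271%27%3D%271",          # ' OR '1'='1
    "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E",         # <script>alert(1)</script>
    "GET /files?name=..%2F..%2Fetc%2Fpasswd",                  # ../../etc/passwd
    "GET /about",
]

# Hypothetical rule set: (name, compiled pattern). Real rule sets are much larger.
RULES = [
    ("sqli-tautology", re.compile(r"'\s*(or|and)\s*'?\d*'?\s*=\s*'?\d*", re.I)),
    ("sqli-comment", re.compile(r"(--|/\*|#)\s*$|union\s+select", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"(\.\./|\.\.\\)")),
]


def normalize(raw: str) -> str:
    """URL-decode until the string stops changing (bounded), so %2527 -> %27 -> ' is seen as '."""
    prev = None
    cur = raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def inspect(request_line: str) -> List[str]:
    """Return the names of every rule that fires on the decoded request target."""
    _method, _, target = request_line.partition(" ")
    decoded = normalize(target)
    return [name for name, pattern in RULES if pattern.search(decoded)]


def decide(request_line: str) -> str:
    """Blocking mode: any rule hit rejects the request. A detect-only WAF would log instead."""
    return "BLOCK" if inspect(request_line) else "ALLOW"


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{decide(line):5} {line}  {inspect(line)}")
```

Signature matching of this kind catches the common, unobfuscated attacks the paper is about, but it is easy to evade with alternative encodings or SQL syntax the patterns do not cover, so a WAF is a compensating control in front of secure code, not a replacement for it.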

  • A comparative study of attacks against Corporate IIS and Apache Web Servers (SANS.edu Graduate Student Research) by Craig Wright - August 29, 2011 

    It has been suggested that Microsoft server software is more likely to be attacked than Linux (Broersma, 2005) due to perceived insecurities within these systems. Previous research has focused on investigating the trends against the underlying operating system as a whole (Honeynet Project & Research Alliance, 2005b, 2005a).

  • Protecting Users: The Importance Of Defending Public Sites by Kristen Sullivan - January 18, 2011 

    In the application security industry, one of the hardest elements to communicate to customers is the need to build secure web applications even if those applications transmit minimally sensitive data. The purpose of this document is to provide a valid case for why all applications should follow a minimum standard of secure coding practices. Many assume the only applications requiring protection are those which store sensitive or confidential data, but that is a grievous misjudgment. Additionally, with tight budgets and limited security resources, it is hard to justify securing public-facing sites that only offer open-record information. The main cause of this is a lack of understanding of the associated risk.

  • Secure Session Management: Preventing Security Voids in Web Applications by Luke Murphey - May 5, 2005 

    Internet users all over the world are using web-based systems to manage important data for them such as bank account and healthcare information. Users assume that these systems are securely designed but many web applications have severe security flaws that allow simple attacks to succeed.

  • Securing an IIS Web Server Using Novell's iChain by Jeff Hermans - May 5, 2005 

    Web servers are open to many threats just by the nature of their exposure to the Internet. Although the inherent security built into web server products is improving, adding unique layers to the security design proves to be successful in almost any implementation.

  • A Guide to Discovering Web Application Insecurities, Before Attackers Do by Don Williams - March 9, 2005 

    It is all over the news: web based attacks are climbing, month over month, year over year. At the same time companies are attempting to combat such attacks, attackers are devising new methods to infiltrate systems. In the event you were on a reality show for the last few years and missed the latest news, just take a glance at these alarming statistic

  • Authentication and Session Management on the Web by Paul Johnston - January 28, 2005 

    This paper discusses how these requirements are met, primarily looking at how users are authenticated and login sessions maintained. We start by looking at the existing security measures for the basic website. Then we look at the various options for authenticating users in general, concluding that passwords are the only viable option.
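    The session-handling concerns raised in the two session management papers above (unguessable session identifiers, sessions that expire, and identifiers that are not reusable across a login), as an added example that is not code from either paper. It is a small server-side session store: IDs come from the OS CSPRNG, the ID is rotated when the user authenticates so that a pre-set (fixated) ID never becomes an authenticated one, idle sessions time out, and the cookie is emitted with the Secure, HttpOnly and SameSite attributes. The cookie name, the 15-minute idle timeout and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from typing import Callable, Dict, Optional

SESSION_TTL_SECONDS = 15 * 60  # idle timeout; assumed value for this example
COOKIE_NAME = "SESSIONID"      # assumed cookie name


class SessionStore:
    """In-memory server-side session store keyed by an unguessable session ID."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock            # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, dict] = {}

    def create(self, user: Optional[str] = None) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG; never derive IDs from time or counters.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        """Return the session, refreshing its idle timer, or None if unknown or expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._clock() - sess["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]    # expired: drop it so the ID cannot be revived
            return None
        sess["last_seen"] = self._clock()
        return sess

    def login(self, old_sid: Optional[str], user: str) -> str:
        """Rotate the session ID on authentication; this is the session-fixation defence."""
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid: str) -> None:
        """Invalidate server-side; clearing the cookie alone would leave the ID usable."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that keep the ID off plaintext HTTP, away from scripts, and off cross-site POSTs."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()               # pre-login session, e.g. for a shopping cart
    authed = store.login(anon, "alice") # ID changes at login
    print(set_cookie_header(authed))
    print("old id still valid?", store.lookup(anon) is not None)
```

The rotation in `login` is the step most often missed: if the application keeps the pre-login ID after authentication, an attacker who can plant that ID in a victim's browser (via a link or a cookie-setting subdomain) inherits the victim's authenticated session.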

  • Domino Web Server by Karen Zwolski - May 2, 2004 

    Lotus Notes/Domino is a widely used group collaboration and messaging platform originally designed to work in a client-server architecture using proprietary protocols. The client is known as Notes, and the server is known as Domino.

  • Web Authentication Security by Donna Selman - November 6, 2003 

    This document discusses several web authentication security techniques: Digest Authentication, Database Authentication, Anonymous Authentication, and N-Tier Authentication, used to provide web browser clients access to the file systems on their host computers.

  • Security Elements of IIS 6.0 by Anthony DeVoto - November 5, 2003 

    This discussion will focus on the security elements of IIS 6.0 as well as the security improvements made to those elements in this release.

  • Using Microsoft's IISlockdown Tool to Protect Your IIS Web Server by Jeff Wichman - October 31, 2003 

    Instructions on the IISlockdown tool, including common exploits against IIS servers, best practices for installing the tool, and information on tools used to test the server after installation.

  • Securing IIS within an Outlook Web Access 2000 environment by Dave Munger - May 9, 2003 

    The purpose of this document is to show you how to harden Internet Information Services 5.0 (IIS 5.0) on a Windows 2000 server where OWA is running.

  • Securing e-Commerce Web Sites by Ariel Pisetsky - January 18, 2002 

    The author explores how to build a secure e-Commerce web site.

  • A Reverse Proxy Is A Proxy By Any Other Name by Art Stricek - January 10, 2002 

    This paper will cover the concept of a Reverse Proxy by defining what it is and how it differs from a forward proxy. We will cover the benefits and drawbacks of using this technology as a part of our network infrastructure, along with the security advantages and possible risks.

  • Web Application Security, with a Focus on ColdFusion by Joseph Higgins - January 2, 2002 

    This paper examines securing two aspects of web applications (the scripting language and the application code) by focusing on ColdFusion (CF): the default installation, two-step attacks, remote development, security holes in the code, and input encryption, which are the major issues in most web applications.

  • Securing Microsoft Web Applications - A Guide for Systems Administrators by Matt Pogue - December 10, 2001 

    The purpose of this paper is to provide systems administrators with a high-level overview of some of the major security considerations surrounding web applications that utilize Microsoft's Internet Information Server, SQL Server and Component Object Model (COM+), as well as links to in-depth technical information that expands upon the high-level topics discussed here. The author also discusses considerations for writing secure code, implementing secure DNS services, and packet filtering/proxy configurations, and explores the need for more interaction between systems administrators and development staff during the initial planning and design phases of the development cycle.

  • Using Open Source Software to Proxy, Authenticate, and Monitor User Web Habits by Jason Gregg - December 2, 2001 

    This paper will attempt to address what time and again is a problem for network and security administrators: monitoring user access to the Internet in an environment where blocking resources may not be ideal, cost effective, or in accordance with company policy.

  • Securing a Windows 2000 IIS Web Server - Lessons Learned by Harpal Parmar - October 8, 2001 

    This paper offers detail on some of the quirks to watch for while securing an IIS server.

  • Understanding IIS Vulnerabilities - Fix Them! by Nor Pahri - September 19, 2001 

    This paper examines the vulnerabilities of Internet Information Server/Services (IIS).

  • Proactively Guarding Against Unknown Web Server Attacks by William Geiger - September 12, 2001 

    The premise of this paper is to review various ways of protecting web servers from unknown attacks over port 80. The author examines the technology, explains why it is effective, and identifies areas where further diligence is required.

  • Securing Microsoft's Internet Information Server 5.0 by Ben White - August 31, 2001 

    This paper will provide IIS administrators with the steps to secure their web server installations.

  • Security Strengths and Weaknesses of Two Popular Web Servers by Brad Bell - August 19, 2001 

    This paper examines the security strengths and weaknesses of two web servers, Apache and Microsoft's Internet Information Server.

  • Basic IIS 5.0 Default Web Server Security by Terri Carroll - April 11, 2001 

    This paper outlines steps for securing an Internet Information Server; these measures were sufficient to protect many systems from the Code Red worm outbreak and may have helped prevent the spread of the Nimda worm, two of the most widespread worms to have affected IIS systems.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.