Re: Web Services Security
- From: nikhil@xxxxxxxxxxxxxxxxx
- Date: 21 Feb 2007 03:16:40 -0000
Hello Hesh,
Securing Web Services depends on the product your organization has implemented. Like for example the security measures for IIS is different than the one used for Apache.
However general security measures for Web services besides implementing Web service firewall are:
1. Hide the version number and other sensitive information which the Web server might give out unnecessarily.
2. Make sure the Web service is not running with administrative privileges but with its own low privilege user account and group.
3. Make sure that files outside the web server's root folder are not accessible.
4. Directory listing should be denied.
5. Server side Includes (SSI) and CGI includes should be restricted or disabled totally if not required.
6. Disable unnecessary modules and extension (like WebDAV or mod_info, mod_cgi etc) if not required at all.
7. Ensure proper permission and ACLs set on the Web service related folders(typically administrator/root user should have Read/Write access and all others should have read-only access).
8. Enable logging facility and make sure logs are reviwed and worked upon on regular basis.
9. Ensure that the Web Server is upto-date with the lates patches released by the vendor on timely basis.
10. Use tools/modules like Microsoft URLScan or IIS Lockdown or mod_security module to ensure proper working and maintenance of Web Server.
11. Protect your Web Server with SSL, if it contains use of credentials or sensitive information like Credit Cards, shopping carts etc.
-----
Nikhil Wagholikar
Security Analyst
NII Consulting
www.niiconsulting.com
- Prev by Date: Re: Laptop security
- Next by Date: RE: Testing Application vulnerability tools
- Previous by thread: Re: Web Services Security
- Next by thread: Mobile phone forensics?
- Index(es):
Relevant Pages
|
