Defensive tactics can help users keep Web server hackers at bay


Web servers have become a favorite target for network hackers, but there are steps you can take to minimize your vulnerability to break-ins.

Companies might best protect their networks by isolating public Web servers as much as possible, accepting the fact that each of these servers could be "a sacrificial lamb" to predators on the Web, said Lincoln Stein, director of information systems at biotechnology firm CuraGen Corp.

"No matter who you are, there is probably someone who doesn't like you," said Stein, who has written a new book called Web Security, published by Addison Wesley Longman, Inc.

Well-known victims of Webjackings include Yahoo, Inc., the U.S. Air Force and the Department of Justice.

The book provides a useful list of steps companies can follow to reduce their organization's security risks.

For example, Stein recommends cleaning up buggy Common Gateway Interface scripts or JavaScript code, which can let hackers remotely execute commands or overwrite files on a Web server.

To keep hackers from using a Web server as a springboard to critical internal resources such as databases, companies should keep e-mail and FTP services off the machine running the Web server software.

If a company has the ability to isolate its Web servers, it can place a firewall behind them. At the same time it can run only the most recent versions of Web server software from the likes of Microsoft Corp. and Netscape Communications Corp.

In his book, Stein documents security holes in all of the major commercial and freeware Web servers, noting "some of the holes were discovered within weeks of the time this chapter was written, and the pace of discovery doesn't seem to be slackening."

In any case, one key defensive measure is to turn off every feature not required on a Web server, such as automatic directory listings that make Web servers browsable.

"Don't ever run a server with 'superuser' privileges or root, even if the vendor says it's OK to do that," Stein said.
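As an added illustration (not from the article or Stein's book), a short POSIX shell audit that applies two of these recommendations to constructed `ps` and `netstat` style output: it flags Web server processes owned by root and any listening TCP ports other than 80 and 443, such as the mail and FTP services Stein says should not share the machine. The sample listings, the `audit_host` helper and its function names are assumptions made for the example.

```shell
#!/bin/sh
# Added audit helpers: given text in the style of `ps -eo user,comm` and
# `netstat -ltn`, report two red flags from the article: Web server
# processes running as root, and non-Web services listening on the host.

# Constructed sample, standing in for real `ps -eo user,comm` output.
SAMPLE_PS='USER     COMMAND
root     httpd
www      httpd
www      httpd
root     sendmail
root     vsftpd'

# Constructed sample, standing in for real `netstat -ltn` output.
SAMPLE_LISTEN='tcp 0 0 0.0.0.0:80  0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25  0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21  0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN'

# Count Web server processes (httpd/apache/nginx) owned by root.
# Column layout follows the ps sample above: owner, then command name.
root_web_procs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "root" && $2 ~ /^(httpd|apache2?|nginx)$/ { n++ }
                              END { print n + 0 }'
}

# List listening TCP ports other than the Web ports 80 and 443, sorted.
# On an isolated Web server this should be empty (21 = FTP, 25 = SMTP).
extra_listeners() {
    printf '%s\n' "$1" \
        | awk '$NF == "LISTEN" { n = split($4, a, ":"); p = a[n]; if (p != 80 && p != 443) print p }' \
        | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Run both checks; return non-zero if either one flags a problem.
audit_host() {
    rc=0
    n=$(root_web_procs "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n Web server process(es) running as root"
        rc=1
    fi
    extra=$(extra_listeners "$2")
    if [ -n "$extra" ]; then
        echo "WARN: non-Web services listening on ports: $extra"
        rc=1
    fi
    return $rc
}

audit_host "$SAMPLE_PS" "$SAMPLE_LISTEN" || echo "audit flagged problems (expected for the sample)"
```

On a live host, feed it `ps -eo user,comm` and `netstat -ltn` output instead of the constructed samples.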

While the emergence of corporate Web servers has placed yet another burden on systems administrators and security professionals, there is a silver lining. According to a recent survey by SANS Institute, managers with security responsibilities enjoyed a 14.1% pay hike last year because their expertise is sorely needed.


Copyright, 1994-2006 Network World, Inc. All rights reserved.