Best practices for locking down a web server

Article ID: 156713

Products

Critical System Protection

Issue/Introduction

You would like to know the best practices for locking down a web server.

Resolution

File Integrity Monitoring

Tracking file changes is a large part of compliance. SCSP has multiple methods for tracking changes to both files and registry values, as well as proactively enforcing who and what may modify them. The quickest way to enable tracking for a specific list of files is to use a Template Policy.
To create a new policy based on a Template Policy:
  • Click on the Detection View Tab at the top and click on the Policies tab.
  • Right Click on Workspace and Choose New Folder.
  • Call the New Folder Lab Policies
  • Under Policy Tasks choose New Policy
  • Call the new Policy Lab_File_Integrity_Monitoring
  • Choose Windows Template Policy from the list of Policies in the Window and click on Next
  • Click on Edit Policy
  • Select My Custom Rules
  • Select New
  • Enter File Watch Rule as the Display Name.
    • Select File Watch for the category
    • Enter file_watch_rule as the identifier (this cannot have spaces but underscores are permitted)
    • Select Finish
  • Your new custom rule will now be shown under My Custom Rules
    • Select Settings
    • Expand your rule (represented by the name you provided)
    • Expand File Watch Rule Options and enable the check box
    • Provide a value for this specific rule under Rule Name, e.g. web server. If you have multiple rules, each can have its own name.
    • Provide a Rule Severity value (from 0 to 99).
      • The severity you enter will affect how the rule is logged in the console
        • 0-19 = Info
        • 20-39 = Notice
        • 40-59 = Warning
        • 60-79 = Major
        • 80-99 = Critical
    • Select Monitor File Creation, File Deletion, and File Modification.
    • Under File Modification select Use File Checksums to check if files are modified and set the Report File Differences Type to Text.
    • Enable Files to Watch and expand this option
    • Enter C:\Inetpub\wwwroot\html\*.html in List of Files to Watch
    • Select OK
  • Enter comments if desired and select Finish
Apply the Policy
  • Right Click on the new Policy you have Created and Select Apply Policy
  • Double Click on Policy and Choose Windows. This will ensure that only windows servers receive this policy.
  • Click on Next.
  • The Policy will now be applied.
Test the Policy
  • Open C:\Inetpub\wwwroot\html
  • Modify postinfo.html in this directory by changing some of its text.
  • Go back to the SCSP manager and look at the events created. This can be done in two ways:
    • Choose the Monitors Tab
    • Click on Assets, find the server under Windows and select Recent Events
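The following is an added example, not part of this article or of SCSP, showing what the File Watch rule configured above does: it baselines SHA-256 checksums of the watched files, reports creation, deletion and modification, attaches a text diff for modified files (the "Report File Differences Type = Text" option), and maps the Rule Severity to the console level bands listed above. The directory layout and file contents are constructed for the demo; severity 60 is chosen to land in the Major band.

```python
"""Model of the page's File Watch rule: baseline SHA-256 checksums of the
watched files, then report creation, deletion and modification, attaching a
text diff for modifications and the console level for the rule's severity."""
import difflib
import hashlib
import tempfile
from pathlib import Path


def severity_level(severity: int) -> str:
    """Map a Rule Severity (0-99) to the console level bands given on the page."""
    if not 0 <= severity <= 99:
        raise ValueError("Rule Severity must be between 0 and 99")
    for upper, level in ((19, "Info"), (39, "Notice"), (59, "Warning"), (79, "Major")):
        if severity <= upper:
            return level
    return "Critical"


def snapshot_from_strings(files: dict) -> dict:
    """Build a snapshot {name: (sha256, text)} from in-memory file contents."""
    return {name: (hashlib.sha256(text.encode()).hexdigest(), text)
            for name, text in files.items()}


def snapshot_dir(root: Path, pattern: str = "*.html") -> dict:
    """Snapshot every file under `root` matching the watch pattern."""
    files = {p.name: p.read_text(encoding="utf-8", errors="replace")
             for p in root.glob(pattern) if p.is_file()}
    return snapshot_from_strings(files)


def compare(before: dict, after: dict, severity: int) -> list:
    """Return one event dict per created, deleted or modified file.
    Modification is decided by checksum, not timestamp, as the rule's
    'Use File Checksums' option does; the diff is the 'Text' difference report."""
    level = severity_level(severity)
    events = []
    for name in sorted(set(before) | set(after)):
        if name not in before:
            events.append({"file": name, "event": "created", "level": level, "diff": ""})
        elif name not in after:
            events.append({"file": name, "event": "deleted", "level": level, "diff": ""})
        elif before[name][0] != after[name][0]:
            diff = "".join(difflib.unified_diff(
                before[name][1].splitlines(keepends=True),
                after[name][1].splitlines(keepends=True),
                fromfile=f"{name} (baseline)", tofile=f"{name} (current)"))
            events.append({"file": name, "event": "modified", "level": level, "diff": diff})
    return events


def run_demo() -> list:
    """Recreate the page's test in a temporary directory: baseline, edit
    postinfo.html, add a file, then report. Uses a constructed sample site."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "postinfo.html").write_text("<p>Original text</p>\n")
        baseline = snapshot_dir(root)
        (root / "postinfo.html").write_text("<p>Changed text</p>\n")
        (root / "dropped.html").write_text("<p>new page</p>\n")
        return compare(baseline, snapshot_dir(root), severity=60)


if __name__ == "__main__":
    for ev in run_demo():
        print(f"[{ev['level']}] {ev['event']}: {ev['file']}")
        print(ev["diff"], end="")
```

Running the script prints a Major-level "modified" event for postinfo.html with the unified diff of the edit, and a "created" event for the extra file; index.html, whose checksum did not change, produces nothing, which is the point of comparing checksums rather than timestamps.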
Privilege De-escalation
 
Restricting the movement and capabilities of an administrative or root user can be a hassle in most environments. With SCSP, you can take a policy-based approach to what each user or group of users can do.
To prevent a privileged user from executing an application:
  • Click on the Prevention View Tab at the top and click on the Policies tab.
  • Open the Prevention enabled folder
  • Edit the Lab Policy enabled policy which has previously been configured and based on the sym_win_protection_core policy.
  • Expand Interactive Program Options
    • Expand General Interactive Program Options
    • Expand Alternate Privilege Lists
    • Select Specify Interactive Programs that should not start
    • Specify that you do not want FTP Publishing Service to start (you will need to find the path to the executable).
    • Select Apply
  • In order for the policy to take effect on the box, you need to reapply the Policy to the system.
Test the Policy
  • Open Windows Service Manager
  • Try to start the FTP service
  • Go back to the SCSP manager and look at the events created.

Web Server Configuration and Web Defacement Prevention

SCSP can assist with protecting critical data by allowing only certain users, groups of users or applications to access a given data set, whether it is a database, mail store, HTML or MS Office documents.
To restrict access to a specific set of data:
  • Click on the Prevention View Tab at the top and click on the Policies tab.
  • Open the Prevention enabled folder
  • Edit the Lab Policy enabled policy which has previously been configured and based on the sym_win_protection_core policy.
  • Expand Global Policy Options
    • Expand Resource Lists
    • Expand Read-only Resource Lists
    • Enable and expand Block modifications to these files
    • Click Add and enter the following path in the resource field: C:\Inetpub\wwwroot\html\*
    • Select OK
  • Enter comments if desired and select Submit
  • Apply the policy
Test the Policy
  • Open C:\Inetpub\wwwroot\html and attempt to open and modify index.html.
Protecting Apps for Users
 
Sometimes there is a need to restrict the users who can make changes to files in an area. For example, the system administrator may need to manage the whole box, but there are certain files, such as web server configuration files, that you only want certain users to be able to change.
To restrict access to a specific set of data:
 
  • In the SCSP Manager open Lab Policy Enabled
  • Expand Global Policy Options
    • Expand Resource Lists
    • Expand Read-Only Resource Lists
    • Enable and expand Block modifications to these files
    • Enter the following path in the resource field: C:\Inetpub\wwwroot\html\*
  • In policy tree in left pane, click on My Custom Programs
    • Click on New
    • Enter a Display Name (Administrator Launched Notepad can access restricted)
    • Choose This Program is Interactive
    • Enter an Identifier with no spaces (e.g. notepad_restricted)
    • Choose Settings and Expand the Rule
    • Select Specify Interactive Programs with Custom Privileges and expand
    • Add a new value. In the program path enter C:\WINDOWS\system32\notepad.exe, and in the user name enter admin
    • Expand Resource Lists
    • Expand Writable Resource Lists
    • Enable and expand Allow modification to these files
    • Enter the same path from the earlier example: C:\Inetpub\wwwroot\html
    • Select OK
  • Enter comments if desired and select Submit
  • Reapply the Policy
Test the Policy
  • Open Explorer and attempt to create a file in C:\Inetpub\wwwroot\html
  • Open Notepad, create a file and save it to this directory.
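The two exercises above (Web Defacement Prevention and Protecting Apps for Users) layer a global Read-only Resource List with a program-specific Writable Resource List. The following added example, which is not SCSP code and not from this article, models that layering so the expected test results can be reasoned about: writes under C:\Inetpub\wwwroot\html are denied for every program, except Notepad launched as admin, which is granted the directory back. The precedence rule (a matching custom-program grant wins over the global read-only entry) and the treatment of a bare directory entry as covering everything beneath it are this example's assumptions.

```python
"""Model of the least-privilege layering in the page's last two exercises: a
global Read-only Resource List blocks writes under the web root, and a custom
program entry (Notepad launched as admin) gets a Writable Resource List that
takes precedence for that program and user only. The precedence rule is this
example's assumption about how the lists combine, not SCSP's documented engine."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


def _norm(path: str) -> str:
    """Windows paths are case-insensitive; compare a single canonical form."""
    return path.replace("/", "\\").lower()


def path_matches(pattern: str, path: str) -> bool:
    """True if `path` is covered by a resource-list entry. The page uses both
    'dir\\*' and a bare 'dir'; treat both as covering everything beneath dir
    (assumption). A sibling such as 'dir2' must not match."""
    pat, p = _norm(pattern), _norm(path)
    if fnmatchcase(p, pat):
        return True
    base = pat.rstrip("*").rstrip("\\")
    return p.startswith(base + "\\")


@dataclass
class ProgramRule:
    program: str        # full path of the interactive program
    user: str           # account the program is launched as
    writable: list      # Writable Resource List for this program


@dataclass
class Policy:
    read_only: list = field(default_factory=list)  # global Read-only Resource List
    programs: list = field(default_factory=list)   # My Custom Programs entries
    events: list = field(default_factory=list)     # denied attempts, as the console shows


def evaluate(policy: Policy, program: str, user: str, path: str, write: bool) -> str:
    """Decide 'allow' or 'deny' for one file access."""
    if not write:
        return "allow"  # these lists only restrict modification
    for rule in policy.programs:
        if _norm(rule.program) == _norm(program) and rule.user.lower() == user.lower():
            if any(path_matches(w, path) for w in rule.writable):
                return "allow"  # assumption: program-specific grant wins
    if any(path_matches(r, path) for r in policy.read_only):
        policy.events.append((program, user, path))
        return "deny"
    return "allow"


def lab_policy() -> Policy:
    """The configuration built in the two exercises above, with the page's paths."""
    return Policy(
        read_only=[r"C:\Inetpub\wwwroot\html\*"],
        programs=[ProgramRule(r"C:\WINDOWS\system32\notepad.exe", "admin",
                              [r"C:\Inetpub\wwwroot\html"])],
    )


if __name__ == "__main__":
    pol = lab_policy()
    for prog, user, target in [
        (r"C:\WINDOWS\explorer.exe", "admin", r"C:\Inetpub\wwwroot\html\new.txt"),
        (r"C:\WINDOWS\system32\notepad.exe", "admin", r"C:\Inetpub\wwwroot\html\new.txt"),
        (r"C:\WINDOWS\system32\notepad.exe", "bob", r"C:\Inetpub\wwwroot\html\new.txt"),
    ]:
        print(user, prog.rsplit("\\", 1)[-1], "->", evaluate(pol, prog, user, target, True))
```

The grant is keyed on both the program path and the launching user, which is what makes the Explorer attempt in the test fail while the Notepad attempt succeeds: the same administrator account is denied or allowed depending on the program it goes through.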
Web Attack Detection
 
Critical System Protection can be used to monitor log files for IIS and Apache. The detection policy monitors for certain HTTP error codes and strings that indicate an attack; CSP can detect SQL Injection, Directory Traversal, Malicious User Agent Requests and a few others.
  • Click on the Detection View Tab at the top and click on the Policies tab.
  • Locate the Windows IIS 6 Web Server Policy (This policy is based on the Windows_Baseline_Detection policy)
  • Apply the policy to the Windows server
  • Right Click on the new Policy you have Created and Select Apply Policy
  • Double Click on Policy and Choose Windows. This will ensure that only windows servers receive this policy.
  • Click on Next.
  • The Policy will now be applied.
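To make concrete what the IIS detection policy looks for, here is an added example (not SCSP's rule set and not from this article) that parses IIS W3C extended log lines, URL-decodes the request before matching, and raises the four alert types named above: directory traversal, an SQL injection string, a malicious User-Agent, and a burst of 4xx/5xx error codes from one client. The log lines, the signature patterns, the scanner names in BAD_AGENTS and the error threshold are all constructed for the example.

```python
"""Illustration of the web-attack detection described on the page: parse IIS
W3C extended log lines, URL-decode the request, and flag directory traversal,
SQL injection strings, a malicious User-Agent, and bursts of HTTP error codes."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log (not from a real server). The #Fields line defines
# the column order, exactly as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2024-05-01 10:00:00 10.0.0.5 GET /index.html - 200 Mozilla/5.0
2024-05-01 10:00:01 10.0.0.9 GET /login.asp user=a%27+OR+%271%27%3D%271 500 Mozilla/5.0
2024-05-01 10:00:02 10.0.0.9 GET /scripts/..%2f..%2fwinnt/win.ini - 404 Mozilla/5.0
2024-05-01 10:00:03 10.0.0.7 GET /index.html - 200 sqlmap/1.4
2024-05-01 10:00:04 10.0.0.9 GET /admin/ - 404 Mozilla/5.0
2024-05-01 10:00:05 10.0.0.9 GET /backup/ - 404 Mozilla/5.0
"""

# Detection signatures; constructed for this example, not SCSP's own rule set.
SQLI = re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\w+'?\s*=\s*'?\w+|;\s*(drop|exec)\b)")
TRAVERSAL = re.compile(r"\.\.[/\\]")
BAD_AGENTS = ("sqlmap", "nikto", "nessus")
ERROR_THRESHOLD = 3  # 4xx/5xx responses from one client before we alert


def parse_iis(text: str) -> list:
    """Turn W3C extended log text into a list of {field: value} rows."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip malformed lines
                rows.append(dict(zip(fields, parts)))
    return rows


def detect(rows: list) -> list:
    """Return (client ip, alert name) pairs for the rows that match a signature."""
    alerts, errors = [], Counter()
    for r in rows:
        ip = r["c-ip"]
        # Decode before matching: encoded forms such as %2f would otherwise
        # slip past a literal "../" check.
        uri = unquote_plus(r["cs-uri-stem"])
        query = "" if r["cs-uri-query"] == "-" else unquote_plus(r["cs-uri-query"])
        agent = r["cs(User-Agent)"].lower()
        if TRAVERSAL.search(uri) or TRAVERSAL.search(query):
            alerts.append((ip, "Directory Traversal"))
        if SQLI.search(uri) or SQLI.search(query):
            alerts.append((ip, "SQL Injection"))
        if any(a in agent for a in BAD_AGENTS):
            alerts.append((ip, "Malicious User Agent"))
        if r["sc-status"][:1] in ("4", "5"):
            errors[ip] += 1
    for ip, count in errors.items():
        if count >= ERROR_THRESHOLD:
            alerts.append((ip, f"HTTP error burst ({count} 4xx/5xx responses)"))
    return alerts


if __name__ == "__main__":
    for ip, name in detect(parse_iis(SAMPLE_LOG)):
        print(f"{ip}: {name}")
```

The error-code rule is the one that is easiest to tune wrongly: a threshold of 3 over a short sample is fine for a demo, but on a production log it should be counted per time window, otherwise ordinary broken links accumulate into alerts over a day.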

Attachments

Hands-On Lab--Best practices for locking down a web server.docx