IT Baseline Protection Manual S 4.94 Protection of WWW files

S 4.94 Protection of WWW files

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

The files and directories on a WWW server must be protected against unauthorised changes, but also - depending on the security requirements - against unauthorised access.

General aspects

If scripts are attached via cgi-bin, it is essential to ensure that programming is secure in order to prevent the scripts from being used to circumvent the server's protection mechanisms. One possible means of making unauthorised access more difficult is to run the scripts under a user ID which only has access to selected files. It is particularly important to protect the configuration files, because otherwise it is easy to deactivate all access restrictions.

The read and write rights on the WWW files, as on local files, should allow access only to authorised users.

Protection against unauthorised changes

On a typical WWW server, only the log files are subject to constant change; all other files are static. This applies in particular to system programs and the WWW pages. Although WWW pages are regularly updated, they should not be edited on the WWW server itself.

In order to ensure that no files can be modified on the WWW server without this being noticed, checksums should be formed for all static files and directories (for example with a program such as tripwire; see also S 4.93 Regular integrity checking) and should be checked at regular intervals.
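The checksum check described above, as an added example (it is not part of the original manual and is not tripwire's own code): a baseline of SHA-256 checksums over all static files and directories is compared with a later snapshot to report modified, added and removed paths. The directory names htdocs and logs, the exclusion of a top-level logs directory and the sample files are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root, exclude=("logs",)):
    """Return {relative path: SHA-256 hex} for static files and directories."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            # Log files change constantly, so they stay out of the baseline.
            dirnames[:] = [d for d in dirnames if d not in exclude]
        rel_dir = os.path.relpath(dirpath, root)
        # A directory's checksum covers its sorted entry names.
        listing = "\n".join(sorted(dirnames + filenames)).encode()
        digests[rel_dir + "/"] = hashlib.sha256(listing).hexdigest()
        for name in filenames:
            path = Path(dirpath, name)
            rel = os.path.relpath(path, root)
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline, current):
    """Return sorted lists of (modified, added, removed) paths."""
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Constructed sample tree: take a baseline, change files, re-check."""
    with tempfile.TemporaryDirectory() as root:
        docs, logs = Path(root, "htdocs"), Path(root, "logs")
        docs.mkdir()
        logs.mkdir()
        (docs / "index.html").write_text("<h1>Welcome</h1>")
        baseline = snapshot(root)  # keep this copy where the server cannot write
        (docs / "index.html").write_text("<h1>Changed</h1>")  # modified page
        (docs / "new.cgi").write_text("#!/bin/sh\n")  # unexpected new file
        (logs / "access.log").write_text("GET / 200\n")  # ignored log write
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Because each directory's checksum covers its entry names, a file added to htdocs is reported both as a new path and as a change to the htdocs directory itself.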

In order to prevent the possibility of WWW files being modified by unauthorised third parties at all, static data can be stored on a write-protected storage medium (such as a CD-ROM or a hard disk with write protection).

Protection against unauthorised access

Access to files or directories on a WWW server can be protected in various ways:

Authentication by means of addresses

Authentication by means of numerical IP addresses does not offer the protection of cryptographic procedures because it can be rendered ineffective by an attack based on IP spoofing. IP spoofing involves an attacker falsifying IP packets in order to pretend that they originate from a trustworthy IT system (see T 5.48 IP spoofing). However, a firewall can be used to prevent external users from pretending to be internal users. If access is not restricted to numerical IP addresses or subnetworks but to certain computer names or domain names instead, attention should also be paid to the risk of DNS spoofing.

If the WWW browser accesses the WWW server via a proxy server, it should be borne in mind that the WWW server only finds out the IP address of the proxy. A proxy can only be considered trustworthy, however, if all IT systems and users hidden behind it are also trustworthy.

If access to WWW files is restricted to specified IP addresses, subnetworks or domains, it may therefore be advantageous to give these additional protection with a password.

Password protection

In order to protect WWW files with passwords, it is first necessary to create a password file in which the authorised users and their passwords will be entered. It is vital that this file is not stored in areas of the WWW server which could possibly be accessed from the outside. The file must be readable by the WWW server, however. It is advisable to create a separate directory for these password files. Only the owner of the file and the WWW server are allowed to access the files stored in that directory.

One problem with the protection of WWW files by means of passwords is that the authorised users have to handle their passwords carefully; for example they must not pass them on, but must keep them safely, change them regularly and select them with care (see S 2.11 Provisions governing the use of passwords). Another problem is whether and how passwords can be protected against interception during transmission. Passwords must under no circumstances be transmitted within a URL.

If possible, it is advisable to use authentication by means of addresses in addition.

Encryption

Another possibility is storing files in encrypted form on a WWW server, such that only users who are in possession of the correct cryptographic key are able to read the files. This approach does require a corresponding system of key management, however, which may be complex and costly.

Procedures such as SSL or S-HTTP can be used to prevent interception of the files and passwords during transmission.


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999