Setting Up Secure Web Services


Perhaps the three most universal guidelines for keeping a server secure are:

  • Don't turn on more services than you need to provide.

  • Keep up-to-date on vulnerabilities and patches.

  • Read your log files.

The reasoning behind the first guideline is simple: the more a server is exposed to the outside world, the more potential vulnerabilities it has, and the greater the possibility that an exploit of one service could compromise another service. Also, the more services that are running, the more there is to maintain and monitor. Apple respects this guideline by providing a secure default configuration: All native services are off, and all communications ports are closed.
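One way to check a server against the first guideline, as an added example that is not from the book: the script below reads `lsof -nP -iTCP -sTCP:LISTEN` output and reports every listening port that is not on an allowlist, along with whether it is reachable from outside or bound to loopback only. The allowlist, the function names, and the sample input are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: list TCP listeners that are not on the server's allowlist.
# Expects `lsof -nP -iTCP -sTCP:LISTEN` output on stdin.

# Assumption: this host is only meant to offer SSH and web service.
ALLOWED_PORTS="22 80 443"

# Print "port command scope" for every listener whose port is not allowed.
# scope is all-interfaces, loopback, or the specific bound address.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "(LISTEN)" {                       # header line never matches
            addr = $(NF - 1)                      # *:80, 127.0.0.1:631, [::1]:631
            port = addr; sub(/.*:/, "", port)     # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host) # text before the last colon
            if (port in ok) next
            if (host == "*" || host == "0.0.0.0" || host == "[::]") scope = "all-interfaces"
            else if (host ~ /^127\./ || host == "[::1]") scope = "loopback"
            else scope = host
            print port, $1, scope
        }
    ' | LC_ALL=C sort -u                          # IPv4/IPv6 pairs collapse to one line
}

# Constructed sample input (not captured from a real host).
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      101 root    3u  IPv4 0x01      0t0  TCP *:22 (LISTEN)
httpd     312 root   16u  IPv6 0x02      0t0  TCP *:80 (LISTEN)
cupsd     220 root    6u  IPv4 0x03      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd     220 root    7u  IPv6 0x04      0t0  TCP [::1]:631 (LISTEN)
AppleFile 415 root    4u  IPv4 0x05      0t0  TCP *:548 (LISTEN)
mysqld    530 _mysql 10u  IPv4 0x06      0t0  TCP *:3306 (LISTEN)
EOF
}

# On a live host: lsof -nP -iTCP -sTCP:LISTEN | unexpected_listeners "$ALLOWED_PORTS"
sample_lsof | unexpected_listeners "$ALLOWED_PORTS"
```

Any line reported with scope `all-interfaces` is a service to either turn off or add to the allowlist deliberately; an empty result means the host exposes only what was intended.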

Keeping up-to-date is obvious enough, but it becomes increasingly difficult to balance with the other demands on our time. Apple helps ease this load by working with security watchdog organizations such as CERT and FIRST, as well as tapping into the rapid development pace and diligence of the open software community. Apple passes the benefit of this effort along by way of the Software Update utility; set it to update daily, and you can reap disproportionate rewards of Apple's frequent security (and other) updates with almost no effort.

"Did you look at the log files?" This constant inquiry from the UNIX sages is a good indicator of the usefulness of this technique. Regularly checking logs helps you not only with the obvious problems, but also with things that aren't obvious but may well be problems. The Apple Console utility consolidates all of the system's logs into a searchable, dynamic log viewer.




Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
EAN: 2147483647
Year: 2005
Pages: 258
Authors: Schoun Regan
