Securing Web Services


Web servers are one of the most common implementations of Windows 2003, and because their role is to serve users outside the domain, they are especially exposed and need to be well secured. New Web-related exploits are found practically daily, and if Web servers are to remain secure they must be kept up to date on available patches for the operating system as well as for the Web services.

Using SSL

One of the biggest concerns with Web servers is making sure that secure conversations are not intercepted via packet sniffing. Because the Internet is a nebulous cloud with questionable security, it is up to you to ensure that end-to-end communications with end users are secure. One of the most common ways to do this is with Secure Sockets Layer (SSL) communications. SSL runs above TCP/IP and below HTTP. SSL performs three primary functions:

  • SSL server authentication. This allows a client to validate a server's identity. SSL-enabled client software can use public-key cryptography to check whether a server's certificate and public ID are valid. It can also check whether the certificate was issued by a certificate authority (CA) on the client's list of trusted CAs. If, for example, a user were sending a credit card number over the Internet to make a purchase, he would want to verify the receiving server's identity.

  • SSL client authentication. This allows a server to validate a user's identity. Using a technique similar to that used for server authentication, SSL-enabled server software can validate that a client's certificate and public ID are valid. It can also check that a trusted certificate authority issued them. If, for example, an online retailer wanted to send confidential information to a customer, it would want to verify the recipient's identity.

  • Encrypting SSL connections. SSL requires that all information sent between a server and a client be encrypted by the sending software and decrypted by the receiving software. This provides a high degree of confidentiality and security. SSL also includes a mechanism for detecting data that was tampered with in transit, which further protects transactions performed over SSL connections.

Bandwidth Usage and SSL

The use of SSL does not affect bandwidth usage. It does, however, place an additional CPU load on both the client and the server. If an existing Web application is switched to SSL communications, the overall capacity of the system will be reduced. This overhead can be mitigated on the server by using hardware-based SSL accelerators.

Scanning the Web Servers for Vulnerabilities

Web servers are especially vulnerable to attack by hackers and griefers. By their very nature Web servers are often open to anonymous access and are located in lightly secured networks. Web servers are very popular targets and as such, vulnerabilities are regularly found in Web services. In order for you to secure systems against these vulnerabilities, you must be aware of them. The easiest way to do this is to scan the Web servers for vulnerabilities regularly.

Many companies offer services specifically designed to regularly scan Web servers for other companies and provide them with reports on discovered vulnerabilities. This is an excellent option for companies that lack the resources or expertise to perform these scans in-house.

Keeping up with Patches

Keeping up with patches is absolutely critical for the security of Web servers. The vast majority of the critical fixes produced for Windows are based on flaws discovered on Web servers. This isn't so much because Web services are inherently insecure but because there are so many Windows-based Web servers on the Internet; they can't help but provide a tempting target for hackers. Microsoft has entire teams of engineers and software developers dedicated to solving these vulnerabilities as soon as they are discovered, and their job is to get these hotfixes out to administrators. The easiest way to manage these patches is with Software Update Services (SUS). The SUS server allows you to point all of your Web servers to a single server for downloading patches. You need only check the logs on the SUS server to see whether new patches are available. You can test these patches in a lab environment and then approve a patch for distribution. At that point, the Web servers that are configured to point to the SUS server will automatically install the patches and, optionally, reboot themselves.

Patches and Automatic Rebooting

If servers are configured to reboot automatically after patches that request a reboot, you could face a situation where all of the load-balanced Web servers reboot themselves at the same time. This could result in several minutes of downtime for the site depending on how long the servers take to reboot.


Locking Down IIS

Windows 2003 IIS (version 6.0) surpasses its predecessor by integrating many of the features of the old IIS Lockdown Tool. The IIS Lockdown Tool worked by disabling unnecessary features within IIS based on the planned role of the server, which reduced the potential points of attack available to hackers. This was layered with URLScan, a utility that intercepted input from client machines and ran it through an internal check to determine whether it was trying to send malicious data such as out-of-band characters or scripts. By default, IIS 6 installs with just the features needed to fill its defined role. It can specify exactly which ISAPI and CGI code is allowed to run on the server, and it has default behaviors for handling the HTTP verbs and headers that are used by WebDAV. IIS 6 maintains a UrlScan.ini file with a specific section for DenyUrlSequences, which replaces some of the features of URLScan. Similarly, IIS 6 has a mechanism for limiting the length of fields and requests, which plugs many of the older IIS vulnerabilities. If these settings are too restrictive for a specific Web application, the parameters can be modified via the following Registry settings:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\AllowRestrictedChars

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\MaxFieldLength

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\UrlSegmentMaxLength

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\UrlSegmentMaxCount
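To make the request-filtering ideas above concrete, the following is an added example (not IIS, URLScan or HTTP.sys code) that applies DenyUrlSequences-style sequence checks, a double-encoding check, and limits modelled on MaxFieldLength, UrlSegmentMaxLength, UrlSegmentMaxCount and AllowRestrictedChars to a few constructed requests. The numeric limits and the denied-sequence list are chosen for the demo and are not the Windows defaults.

```python
from urllib.parse import unquote
# Limits modelled on the HTTP.sys parameters named in the text. The numbers
# are constructed for this demo; the Windows defaults are considerably larger.
MAX_FIELD_LENGTH = 64           # MaxFieldLength: longest allowed header line
URL_SEGMENT_MAX_LENGTH = 32     # UrlSegmentMaxLength: longest path segment
URL_SEGMENT_MAX_COUNT = 5       # UrlSegmentMaxCount: most path segments allowed
ALLOW_RESTRICTED_CHARS = False  # AllowRestrictedChars: control/8-bit bytes in the URL
# Sequences rejected in the style of a DenyUrlSequences section (demo values).
DENY_URL_SEQUENCES = ("..", "./", "\\", ":")

def check_request(request_line, headers):
    """Return None when the request passes, otherwise a short rejection reason."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "malformed request line"
    url = parts[1]
    # AllowRestrictedChars: bytes outside printable ASCII are refused by default.
    if not ALLOW_RESTRICTED_CHARS and any(not 0x20 <= ord(c) <= 0x7E for c in url):
        return "restricted characters in URL"
    path = url.split("?", 1)[0]
    decoded = unquote(path)
    # A path that changes again on a second decode was double-encoded to slip past
    # a single-pass scan; refuse it rather than guess at the intent.
    if unquote(decoded) != decoded:
        return "URL does not normalize in one pass (double encoding)"
    # Scan both the raw and the decoded path so %2e%2e cannot hide "..".
    for seq in DENY_URL_SEQUENCES:
        if seq in path or seq in decoded:
            return "denied sequence %r in URL" % seq
    segments = [s for s in decoded.split("/") if s]
    if len(segments) > URL_SEGMENT_MAX_COUNT:
        return "too many URL segments (%d)" % len(segments)
    longest = max((len(s) for s in segments), default=0)
    if longest > URL_SEGMENT_MAX_LENGTH:
        return "URL segment too long (%d)" % longest
    for line in headers:
        if len(line) > MAX_FIELD_LENGTH:
            return "header field too long (%d)" % len(line)
    return None

# Constructed sample requests (request line, header lines), not captured traffic.
SAMPLES = [
    ("GET /scripts/default.asp HTTP/1.1", ["Host: www.example.com"]),
    ("GET /images/..%5c..%5csecret.txt HTTP/1.1", ["Host: www.example.com"]),
    ("GET /a/%252e%252e/b HTTP/1.1", ["Host: www.example.com"]),
    ("GET /a/b/c/d/e/f HTTP/1.1", ["Host: www.example.com"]),
    ("GET /index.html HTTP/1.1", ["Cookie: " + "x" * 80]),
]
for line, hdrs in SAMPLES:
    print("%-45s -> %s" % (line, check_request(line, hdrs) or "allowed"))
```

Only the first sample is allowed; each of the others trips a different check, which is the kind of per-rule verdict an administrator would want in the log before loosening any of the Registry values.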

Although URLScan 2.5 will run on IIS 6, most administrators will find it unnecessary because most of the security features in IIS 6 are better than those in URLScan 2.5. URLScan 2.5 is highly recommended for use with older IIS 5.0 servers.



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325