WINDOWS-BASED WEB SERVERS


These types of web servers are probably the most hacked servers in the world today. While Microsoft has been fairly good about providing 'hot fixes', 'patches', updates and 'Service Packs' to plug discovered holes in web server security, an unpatched web server is not only subject to being attacked and compromised, but can also be used to attack other servers.

In the January 2003 issue of 'Advance for Health Information Executives', author Robert N. Mitchell writes, quoting Jonathan Taylor, enterprise security engineer at Sutter Health, Sacramento, California 8: 'A good security practice is to change the default configurations, change the Web folder location, change the scripts folder location and modify system permissions so that they are not set with default configurations.'

A knowledgeable black hat would know to probe a Windows web server for default user names and could then attempt unauthorized access. Additional security measures should therefore include:

  • Remove all default users, home directories, default configuration and sample files, administration web sites, anonymous logins and null sessions

  • Disable all unused Services in Computer Management and install the O/S with minimum services

  • Configure 'Live Update', install all service packs, hot fixes, and patches

  • Install and automatically update anti-virus software

  • Use different hard drives or partitions for the O/S, HTML and FTP folders

  • Remove or rename the guest account and rename the administrator account

  • Enforce strong password complexity and force frequent password changes

  • Disable NetBIOS and remove OS/2 and POSIX references from the Registry

  • Apply a high security web template and configure it

As an assessment tool, consider testing the initial server configuration by applying a 'scoring tool' to benchmark the current or 'before' level of security, then applying the security template and scoring again for an 'after' result. Such a security template should also be checked against the 'SANS/FBI Top 10 Windows Vulnerabilities', found at http://ww.sans.org 9. A free SANS/FBI Top 20 vulnerabilities scan is available at http://www.qualys.com 10.
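A baseline audit for the hardening list above, added here as an example and not code from the book: it checks several of the listed items (guest and administrator accounts, NetBIOS over TCP/IP, OS/2 and POSIX subsystem values, local password policy, a few rarely needed services and the default IIS web root) and counts the passes, so running it before and after the template gives the 'before' and 'after' score the paragraph describes. Assumptions: PowerShell 5.1 or later on a current Windows Server with the LocalAccounts module, run from an elevated prompt; the numeric thresholds, the service names and the web-root heuristic are my choices, not the book's.

```powershell
# Added baseline audit for the hardening list above; example code, not from the book.
# Assumes PowerShell 5.1+ on a current Windows Server, run from an elevated prompt.
# Thresholds (8-char minimum, 90-day maximum age) and the service names are assumptions.
function Test-WebServerBaseline {
    $r = [System.Collections.Generic.List[object]]::new()
    function Add-Result($Check, $Pass, $Detail) {
        $r.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" })
    }
    # Guest (RID 501) should be disabled or gone; built-in Administrator (RID 500) renamed.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
    Add-Result 'Guest account disabled or removed' (-not $guest.Enabled) $guest.Name
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    Add-Result 'Built-in Administrator renamed' ($admin.Name -ne 'Administrator') $admin.Name
    # NetBIOS over TCP/IP: TcpipNetbiosOptions 2 means disabled on that adapter.
    $nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $nb = @($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 })
    Add-Result 'NetBIOS over TCP/IP disabled on all adapters' ($nb.Count -eq 0) ($nb.Description -join '; ')
    # Legacy OS/2 and POSIX subsystem values under the Session Manager key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
    $names = (Get-ItemProperty $key).PSObject.Properties.Name
    $legacy = @('Os2', 'Posix' | Where-Object { $names -contains $_ })
    Add-Result 'OS/2 and POSIX subsystem entries removed' ($legacy.Count -eq 0) ($legacy -join ', ')
    # Password policy: export the local security policy with secedit and read its key = value lines.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $pol = @{}
    Get-Content $cfg | ForEach-Object { if ($_ -match '^(\w+)\s*=\s*(\S+)') { $pol[$Matches[1]] = $Matches[2] } }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $maxAge = [int]$pol['MaximumPasswordAge']   # -1 means passwords never expire
    $pwOk = ($pol['PasswordComplexity'] -eq '1') -and ([int]$pol['MinimumPasswordLength'] -ge 8) -and
            ($maxAge -gt 0) -and ($maxAge -le 90)
    $detail = 'complexity={0} minlen={1} maxage={2}' -f $pol['PasswordComplexity'], $pol['MinimumPasswordLength'], $maxAge
    Add-Result 'Password complexity on, length >= 8, max age 1-90 days' $pwOk $detail
    # Services a dedicated web server rarely needs (assumed list; extend it to fit the build).
    $svc = @(Get-Service -Name 'RemoteRegistry', 'TlntSvr', 'SNMP' -ErrorAction SilentlyContinue |
             Where-Object { $_.Status -eq 'Running' })
    Add-Result 'Commonly unneeded services stopped' ($svc.Count -eq 0) ($svc.Name -join ', ')
    # Heuristic: the default IIS web root still present on the OS drive suggests content was not relocated.
    $defaultRoot = Join-Path $env:SystemDrive 'inetpub\wwwroot'
    Add-Result 'Default web root absent from OS drive' (-not (Test-Path $defaultRoot)) $defaultRoot
    return $r
}
# Run once before applying the security template and once after to compare the two scores.
$results = Test-WebServerBaseline
$results | Format-Table -AutoSize
'Baseline score: {0}/{1}' -f @($results | Where-Object Pass).Count, $results.Count
```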

Because of its age, Windows NT Server should not be considered a web server of choice. It is recommended that W2K Server or higher (.NET Server) be used, and that any WinNT systems be upgraded or replaced.

As mentioned before, log various events and regularly check audit logs for signs of hacking or intrusion.

Additional security assessment of a web server can be done by running penetration-testing software such as 'Nmap', 'Nessus', 'Enum' or 'Netcat', or password-cracking software such as 'John the Ripper' or similar programs. Get written permission first, enable audit logs and check for signs of attempted or successful intrusion.

There is nothing about securing a web server that is specific to the healthcare industry. InfoSec 'best practices' are recommended, but no special web server configuration is required by HIPAA. However, because medical center web servers now frequently provide remote access to patient records, radiology images and other 'protected health information', it is vital that these sources of information are kept secure and reviewed often so that appropriate updates are applied.




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
