SANS Institute InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Security Strengths and Weaknesses of Two Popular Web Servers
As the mediator between your business and the world, the Web Server that you choose must be completely sound with regard to security. You have many options when choosing which Web Server package you will use to transmit your company's on-line presence to the rest of the world. Two Web Server packages in particular dominate the market: Microsoft's Internet Information Server and Apache.

Copyright SANS Institute Author Retains Full Rights


Brad Bell, August 19, 2001

What is a Web Server?

A web server, by its key definition and purpose, is a software package that serves either static content to a Web browser at a basic level, or dynamic content that requires end-user interaction. For example, a web server may receive a request for a Web page such as www.amazon.com/index.html. The Web Server then maps the Uniform Resource Locator (URL) to a local file on the host server; in this case the file index.html is somewhere on the host file system. The server loads this file from disk and serves it out across the network to the user's Web browser. The browser and the server talk to each other using Hypertext Transfer Protocol (HTTP), which controls this entire exchange.

How does a Web Server transmit dynamic content?

Web Servers don't just send static documents and files across the network; they also transmit dynamic content. This can be done through web pages created in response to user input, which is provided directly or indirectly by the user. An example of the user directly influencing the output of a web page is the use of on-page forms backed by some sort of executable program or code. An example of a user indirectly influencing the results of a web page is the use of "cookies." Cookies are short pieces of data used by Web Servers to help identify web users.
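The URL-to-file mapping described above, written out as an added example (this is not code from the paper): the request path is mapped under a document root, a directory request falls back to index.html, and the mapped path is canonicalised and checked so that it can never resolve to a file outside the document root. The document root, its files and the URLs are constructed for the demonstration.

```python
# Added example (not from the paper): how a web server maps a request URL to a
# file under its document root, with the canonicalisation check every server
# needs so the mapped path cannot leave the document root.
import os
import tempfile
from typing import Optional, Tuple
from urllib.parse import urlsplit, unquote

def map_url_to_file(docroot: str, url: str) -> Optional[str]:
    """Return the absolute file path for *url* under *docroot*, or None if the
    request must be refused (path escapes docroot, or the file does not exist).

    Mirrors the paper's description: www.amazon.com/index.html -> <docroot>/index.html.
    A request for a directory is served that directory's index.html.
    """
    # Only the path component is mapped; host, query string and fragment are not.
    path = unquote(urlsplit(url).path)           # decode %2e%2e and friends before checking
    if "\x00" in path:                           # a NUL byte would truncate the filename lower down
        return None
    if path == "" or path.endswith("/"):
        path += "index.html"                     # directory request -> default document
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    # realpath collapses "." and ".." and resolves symlinks; the result must be
    # the root itself or a descendant of it, never a sibling directory.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate

def serve(docroot: str, url: str) -> Tuple[int, bytes]:
    """Load the mapped file from disk and return (status, body) as the server would send it."""
    target = map_url_to_file(docroot, url)
    if target is None:
        return 404, b"Not Found"                 # refusals and misses look the same to the client
    with open(target, "rb") as fh:
        return 200, fh.read()

def make_demo_docroot() -> str:
    """Constructed document root (plus one file outside it) used for the demonstration."""
    base = tempfile.mkdtemp(prefix="webdemo-")
    root = os.path.join(base, "www")
    os.makedirs(os.path.join(root, "books"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>Welcome</h1>")
    with open(os.path.join(root, "books", "index.html"), "w") as fh:
        fh.write("<h1>Books</h1>")
    with open(os.path.join(root, "books", "novel.html"), "w") as fh:
        fh.write("<p>Best-selling novel</p>")
    # A file beside the document root that no request may reach.
    with open(os.path.join(base, "outside.txt"), "w") as fh:
        fh.write("secret")
    return root

if __name__ == "__main__":
    root = make_demo_docroot()
    for url in ("http://www.example.com/index.html", "/", "/books/",
                "/books/novel.html", "/../outside.txt", "/%2e%2e/outside.txt"):
        status, body = serve(root, url)
        print(f"{url:36} -> {status} {body[:30]!r}")
```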
Common Gateway Interface (CGI) and JavaScript for Dynamic Content

With CGI an end-user can visit your site and perform specified tasks with the CGI programs you have. The Common Gateway Interface (CGI) is a frequently used technique for interfacing external applications with Web Servers. A standard HTML document that a Web Server retrieves is static and will never change. With a CGI program, however, the Web Server sends the results for the web page upon receipt of the criteria for the page, which allows for the output of dynamic information. For example, let's say that you wanted to connect your Stamp Collection database to the Internet, to allow people from all over the world to look through it based upon whatever criteria they set. Basically, you need to create a CGI program that the Web Server will execute to transmit the criteria to the database software, receive the results back again, and provide them to the end-user. A CGI program can be written in several languages, such as Visual Basic, PERL, or C++, that allow it to be executed on the system.

CGI programs are one way of making Internet content dynamic, but there are other methods of doing this. For example, simply adding a few lines of JavaScript code to an HTML file will make the web page very dynamic. The JavaScript can all be within the HTML, thus making the program execute on the user's (client) side rather than on the server. An example of some JavaScript would be a program that pulls the local date of the user's machine and displays it on the user's screen. Here is the code for such a program (the page must contain two elements named clockLocal and clockUTC for the times to be written into):

    function displaydatetime() {
        // Only browsers with document.layers (Netscape 4) or document.all (IE) are supported.
        if (!document.layers && !document.all) return;
        var today;
        var timeLocal;
        var timeUTC;
        today = new Date();
        timeLocal = today.toLocaleString() + " " + "Local"; // Convert to current locale.
        timeUTC = today.toUTCString();                      // Convert to UTC.
        if (document.layers) {
            document.layers.clockLocal.document.write(timeLocal);
            document.layers.clockLocal.document.close();
            document.layers.clockUTC.document.write(timeUTC);
            document.layers.clockUTC.document.close();
        } else if (document.all) {
            clockLocal.innerHTML = timeLocal;
            clockUTC.innerHTML = timeUTC;
        }
        setTimeout(displaydatetime, 500); // Refresh the clock every half second.
    }
    window.onload = displaydatetime;

The above JavaScript would display the following results on your web browser:

08/02/2001 09:31:08 Local
Thu, 02 Aug 2001 14:31:08 UTC

© SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights.
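The Stamp Collection CGI program sketched above, as an added example that is not part of the paper: it reads the visitor's criteria from the CGI QUERY_STRING, hands them to the database as bound parameters so the criteria are always data for the query and never part of its text, and HTML-escapes every value before it goes back out in the page. The database is a constructed in-memory SQLite table with an assumed schema stamps(country, year, name); the criteria names country and year are assumptions too.

```python
# Added example (not from the paper): a CGI program for the Stamp Collection
# database described above. Criteria arrive in QUERY_STRING, go to the database
# as bound parameters, and every value is HTML-escaped on the way back out.
import os
import sqlite3
import sys
from html import escape
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

class BadCriteria(ValueError):
    """Raised when a criterion is malformed or oversized."""

def open_demo_db() -> sqlite3.Connection:
    """Constructed stamp-collection database standing in for the real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stamps (country TEXT, year INTEGER, name TEXT)")
    conn.executemany("INSERT INTO stamps VALUES (?, ?, ?)", [
        ("USA", 1918, "Inverted Jenny"),
        ("USA", 1847, "Franklin 5c"),
        ("GB", 1840, "Penny Black"),
        ("GB", 1840, "Two Penny Blue <rare>"),   # angle brackets must not reach the browser raw
    ])
    return conn

def parse_criteria(query_string: str) -> Tuple[Optional[str], Optional[int]]:
    """Extract the two supported criteria, country and year, ignoring anything else."""
    params = parse_qs(query_string, keep_blank_values=False)
    country = params.get("country", [None])[0]
    year_text = params.get("year", [None])[0]
    if country is not None and len(country) > 40:
        raise BadCriteria("country too long")
    if year_text is not None and not year_text.isdigit():
        raise BadCriteria("year must be numeric")
    year = int(year_text) if year_text is not None else None
    return country, year

def lookup(conn: sqlite3.Connection, country: Optional[str], year: Optional[int]) -> List[tuple]:
    """Query the collection with bound parameters; the SQL text never contains user data."""
    sql = "SELECT country, year, name FROM stamps WHERE 1=1"
    args: list = []
    if country is not None:
        sql += " AND country = ?"
        args.append(country)
    if year is not None:
        sql += " AND year = ?"
        args.append(year)
    return conn.execute(sql + " ORDER BY year, name", args).fetchall()

def render(rows: List[tuple], country: Optional[str], year: Optional[int]) -> str:
    """Build the dynamic page; every value from the request or the database is escaped."""
    criteria = escape(f"country={country or '*'} year={year or '*'}")
    out = [f"<h1>Stamps matching {criteria}</h1>", "<ul>"]
    for c, y, name in rows:
        out.append(f"<li>{escape(c)} {y}: {escape(name)}</li>")
    out.append("</ul>" if rows else "<li>no stamps found</li></ul>")
    return "\n".join(out)

def handle_request(query_string: str) -> Tuple[str, str]:
    """Full CGI handling for one request: returns (CGI headers, body)."""
    try:
        country, year = parse_criteria(query_string)
    except BadCriteria as exc:
        return ("Status: 400 Bad Request\r\nContent-Type: text/html; charset=utf-8\r\n\r\n",
                f"<p>Bad request: {escape(str(exc))}</p>")
    conn = open_demo_db()
    body = render(lookup(conn, country, year), country, year)
    return "Content-Type: text/html; charset=utf-8\r\n\r\n", body

if __name__ == "__main__":
    # Under a real server the criteria arrive in the QUERY_STRING environment variable.
    headers, body = handle_request(os.environ.get("QUERY_STRING", "country=GB&year=1840"))
    sys.stdout.write(headers + body)
```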

Security Issues Related to Serving Information via Web Servers (Static and Dynamic Content)

Serving data and information to people all over the world is a grand task. However, when coupled with the related security issues and needs, this task becomes monumental. Serving information over the internet securely was brought about with the introduction of Hypertext Transfer Protocol, Secure (HTTPS). This protocol allows secure communication to go on between the browser and Web server. Basically this means that it is safe for a user and a server to transmit sensitive data to each other over what might be considered an insecure network. What either of the counterparts in this transmission does with the data is another story, however.

More about HTTPS

The secure hypertext transfer protocol (HTTPS) is a communications protocol designed to transfer encrypted information between computers over the Internet. HTTPS is just HTTP using a Secure Socket Layer (SSL). A secure socket layer is an encryption protocol invoked on a Web Server that uses HTTPS. The main reasons for using HTTPS are online purchasing and the exchange of private information over the internet. An example of online purchasing would be something like purchasing a best-selling novel on amazon.com. An example of exchanging private information might be the transmission of the credit card number used to purchase the novel from amazon.com.

IIS vs. Apache

Given the current environment of the Internet and how Web Servers interact with end-users, we can begin to compare how two popular Web Servers, Microsoft Internet Information Server and Apache, perform. Specifically, we can compare these two Web Servers with regard to the security they provide and the problems and incidents that have occurred with them since they have been in production.

IIS

Microsoft's flagship Internet product, Internet Information Server, is useful both as a first-time Web Server for those comfortable and familiar with Microsoft products and as a high-end Web Server for hosting a large e-commerce web site. Since the vast majority of computer users are accustomed to using Microsoft-based products and the similar interfaces that exist on these applications, it is not a surprise that many people choose Microsoft's IIS for their Web Server. This alone is not an adequate reason to choose IIS as your web server, but it definitely accounts for some of Microsoft's market share of Web Server sales.

The Wrong Reason to choose IIS

When asked why a company is using IIS as its web server application, many times the appropriate IT employee will give one of the following responses:

"It came with the Operating System"
"We're a Microsoft shop, so we use MS products"
"We're not familiar with other options"
"Our consultants told us to use IIS"

These are all reasons or excuses you would expect to hear in any standard organization for choosing IIS. However, none of the reasons listed above is strong enough to justify choosing the software that will run your Web Server. For a decision of this magnitude more research is necessary.
Weaknesses of IIS

One of the major weaknesses of using IIS as your web server is that, being a Microsoft product, IIS automatically becomes a target for the software hacking community. There are many hackers around the world who would love to terrorize any piece of software produced by Microsoft. The notoriety of the company basically puts a target on any of its products for hackers. The level of testing of the software is also questionable when you consider the number of patches and updates that have been released by Microsoft for IIS. This brings into doubt the quality of the product that was developed in the first place. With all of the money available to Microsoft for Research and Development, it is very surprising that so many patches have been released for IIS. This makes one wonder if IIS was a rushed product quickly put out by Microsoft with the sole intention of fixing any problem they encountered later on down the road. In fact, if you take this viewpoint it is easy to see IIS as more of a money-making scheme than a polished piece of software developed with pride.

IIS Code Red Virus

One example of an incident involving Microsoft's IIS web server was the Code Red virus that infiltrated systems all over the world in July and August of 2001. This virus worked by taking advantage of a ubiquitous software bug within IIS: a buffer-overflow vulnerability in Microsoft's IIS web servers. This allowed system-level execution of code and thus presented a major security weakness. The virus ignored all physical and political boundaries and quickly spread all over the world. Luckily there was no real harm done from the virus. Its main purpose was to perform a denial of service attack on www.whitehouse.gov. The virus attacked based upon the IP address of the White House server, so the Denial of Service attack was easily fixed. This is just one example of how a web server can be vulnerable without the proper configurations or updates installed. Had the hackers decided to, they could have created much more havoc with this virus.

Reasons why companies are using IIS

When making a decision of this nature, the person responsible should choose IIS as their Web Server package for the appropriate reasons. Many organizations and businesses do in fact choose IIS as their Web Server and are very satisfied with the results they have seen. A reason for this is the fact that many people are familiar with the Microsoft-style graphical user interface and can easily apply this to using and learning IIS. In fact, this interface can even remove the need for companies to hire expert help, thus saving them money. Another reason why IIS would be a good choice is the fact that Microsoft offers downloadable tools to ensure that all of the latest software updates and patches are installed on your Web Server. Microsoft has also made available an IIS Security Configuration tool that will ease the process of securing any Web Server running off IIS.
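An added example, not from the paper, of the check a web server operator would want after an incident like the Code Red one above: an attempt to overflow a server-side buffer shows up in the access log as a request whose URL is far longer than any page the site serves, so the detector below parses NCSA common-log lines, flags requests whose URL exceeds a length threshold, and counts flagged requests per source. The log lines, the threshold of 512 bytes and the URL in them are constructed assumptions.

```python
# Added example (not from the paper): flag over-long request URLs in web server
# access logs, the symptom a buffer-overflow attempt against the server leaves
# behind, and count them per source. Sample log lines are constructed.
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# NCSA common log format, which both IIS and Apache can be configured to write.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

class Finding(NamedTuple):
    client: str
    time: str
    url_length: int
    url_preview: str

def parse_line(line: str) -> Dict[str, str]:
    """Parse one common-log line into its fields (empty dict if malformed)."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else {}

def find_oversized_requests(lines: List[str], max_url_len: int = 512) -> List[Finding]:
    """Flag requests whose URL (path plus query string) exceeds max_url_len bytes.

    The threshold is an assumption; set it above the longest legitimate URL on the site.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue                      # malformed lines are skipped, not trusted
        length = len(rec["url"])
        if length > max_url_len:
            findings.append(Finding(rec["client"], rec["time"], length, rec["url"][:40] + "..."))
    return findings

def clients_by_hits(findings: List[Finding]) -> Counter:
    """Count flagged requests per source so repeat sources stand out."""
    return Counter(f.client for f in findings)

# Constructed sample log: three ordinary requests, two with a 594-byte URL, one junk line.
LONG_URL = "/search.dll?q=" + "A" * 580
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Aug/2001:09:31:08 -0500] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.11 - - [02/Aug/2001:09:31:09 -0500] "GET /books/novel.html HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [02/Aug/2001:09:31:10 -0500] "GET {LONG_URL} HTTP/1.0" 200 0',
    '192.0.2.12 - - [02/Aug/2001:09:31:11 -0500] "POST /cgi-bin/stamps.cgi HTTP/1.0" 200 880',
    f'198.51.100.7 - - [02/Aug/2001:09:31:15 -0500] "GET {LONG_URL} HTTP/1.0" 200 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = find_oversized_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h.time} {h.client} url_len={h.url_length} {h.url_preview}")
    print("repeat sources:", clients_by_hits(hits).most_common(3))
```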
Additionally, all of the security patches that Microsoft has released recently should cause more relief than concern. This is because with each additional security patch IIS becomes that much more "secure" as a product. In theory, as these patches and updates are released the number of vulnerabilities should decrease.

Apache

Apache is a powerful, flexible web server that implements the latest protocols, including HTTP/1.1. Apache is highly configurable and extensible with third-party modules and with custom modules that can be created using the Apache module API. Apache also functions on every major computer platform in existence, including Windows NT/9x, Netware 5.x, OS/2, and most versions of Unix, as well as several other operating systems.

How did Apache come about?

Apache was first developed as a result of the National Center for Supercomputing Applications httpd project. Today Apache is one of the most functional and efficient web servers in existence. The name Apache is not a tribute to the native people of North America, but rather a direct representation of how the software was developed. The software was first known as "A PatCHy server" because it was based on some existing code and a series of patch files. There are some developers out there, however, who prefer to believe that the software was named Apache because of the superior skills in warfare strategy and inexhaustible endurance of the Apache Indian tribe of North America.

Conclusion

When it comes to deciding which web server is right for your organization, there is no clear-cut answer. Your basis for making this decision could be any of many different sets of criteria. For instance, you may choose Apache because it's free, or you may choose Microsoft's IIS because you have a large amount of faith in Microsoft products and their technical support. These are both good reasons to choose a web server. No matter which web server you choose, you must do several things in order to ensure that you have the security your organization needs. Any web server software package must be set up properly for the needs of your business. You must also continuously make certain that you have all of the most current updates and patches installed to defend against any security weakness that has been discovered within your web server of choice. Also, as incidents occur around the world, you must have a designated employee or set of employees who stay in tune with all of this to make sure that your business will be safe and unaffected by any newly found security weakness. Both Microsoft's IIS and Apache can be secure if the proper configuration is done. Many of the weaknesses in IIS and Apache come from features in the software that are useful for one reason or another but may present a security weakness if not configured properly. You would be well served by both of these web servers, but you must educate yourself and take the necessary precautions with either web server to ensure that your organization is safe and secure.

Weaknesses of Apache

Even with all of the strengths of Apache, it is not the web server for all users. Setup of the server is performed through a command-line interface. Typical Microsoft users will have trouble navigating this interface. Apache does not have the user-friendly tools you would expect to see in a Microsoft product, like Wizards or other visuals. For some developers this is advantageous, but for others it can translate into expensive deployment and maintenance costs. Also, the technical support given through newsgroups may not be adequate for many users. You could imagine the scenario of an inexperienced user who is accustomed to graphical user interfaces trying to set up Apache as their web server with a command-line interface and hardly any technical help. It would be nearly impossible for this user to get the server up and running, and even if they did, it definitely would not be configured correctly.

Strengths of Apache

One of the primary reasons people begin using Apache in the first place is the fact that it is a free and open-source product. All of the source code for Apache is freely distributed to any person or organization that wants it, along with an unrestrictive license. The Apache Group also strongly encourages user feedback through new ideas, bug reports and patches. Apache's overall security performance is unquestionable. This is obvious when you consider the fact that many of the most accessed web sites in the world run Apache or Apache variants. The public distribution of the source code results in quick distribution of patches and updates for the software. This public scrutiny also ensures that any security hole is truly fixed according to the differing viewpoints of anyone investigating the software's security issue. As a result, Apache's large base of users has ensured that its developers have created a package that is extremely stable and secure. Apache users also have the benefit of accessing technical support via Usenet newsgroups from anywhere in the world.

Last Updated: August 21st, 2013

Upcoming SANS Training
Click Here for a full list of all Upcoming SANS Events by Location
SANS Melbourne 2013 SANS Capital City 2013 SANS Network Security 2013 SEC 440 @MCMC Sept 2013 SANS Forensics Prague 2013 SANS Seattle 2013 SANS Bangalore 2013 SANS Baltimore 2013 SEC760 Advanced Exploit Development for Penetration Testers GridSecCon 2013 Healthcare Cyber Security Summit Securing the Internet of Things Summit SANS Tokyo Autumn 2013 October Singapore 2013 SANS Dubai 2013 FOR572 Advanced Network Forensics and Analysis SANS Chicago 2013 MGT415 at (ISC)2 SecureSoCal 2013 SANS South Florida 2013 MGT415 at (ISC)2 SecureDallas 2013 SANS Pen Test Hackfest Training Event and Summit SANS Sydney 2013 SANS Korea 2013 Cloud Security @ CLOUD Expo Asia SANS London 2013 SANS San Diego 2013 FOR585 Adv Mobile Device Forensics SANS Thailand 2013 SANS OnDemand Melbourne, AU Washington, DCUS Las Vegas, NVUS CyberJaya, MY Prague, CZ Seattle, WAUS Bangalore, IN Baltimore, MDUS Baltimore, MDUS Jacksonville, FLUS San Francisco, CAUS San Francisco, CAUS Tokyo, JP Singapore, SG Dubai, AE Washington, DCUS Chicago, ILUS Manhattan Beach, CAUS Fort Lauderdale, FLUS Dallas, TXUS Washington, DCUS Sydney, AU Seoul, KR Singapore, SG London, GB San Diego, CAUS Vienna, VAUS OnlineTH Books & MP3s OnlyUS Sep 02, 2013 - Sep 07, 2013 Sep 03, 2013 - Sep 08, 2013 Sep 14, 2013 - Sep 23, 2013 Sep 17, 2013 - Sep 19, 2013 Oct 06, 2013 - Oct 13, 2013 Oct 07, 2013 - Oct 14, 2013 Oct 14, 2013 - Oct 26, 2013 Oct 14, 2013 - Oct 19, 2013 Oct 14, 2013 - Oct 19, 2013 Oct 15, 2013 - Oct 17, 2013 Oct 17, 2013 - Oct 24, 2013 Oct 17, 2013 - Oct 22, 2013 Oct 21, 2013 - Oct 26, 2013 Oct 21, 2013 - Nov 02, 2013 Oct 26, 2013 - Nov 07, 2013 Oct 28, 2013 - Nov 02, 2013 Oct 28, 2013 - Nov 02, 2013 Oct 31, 2013 - Oct 31, 2013 Nov 04, 2013 - Nov 09, 2013 Nov 06, 2013 - Nov 06, 2013 Nov 07, 2013 - Nov 14, 2013 Nov 11, 2013 - Nov 23, 2013 Nov 11, 2013 - Nov 23, 2013 Nov 13, 2013 - Nov 15, 2013 Nov 16, 2013 - Nov 25, 2013 Nov 18, 2013 - Nov 23, 2013 Nov 18, 2013 - Nov 23, 2013 Aug 26, 2013 - Aug 31, 2013 Anytime Live 
Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Self Paced

Similar Documents

Premium Essay

Administrative Controls

...Week 2: Administrative Controls SE578 – Prof. Joseph Constantini By David Truong (D00571438) 1/18/2013 Table of Contents How do Administrative Controls demonstrate “due care?” 3 How does the absence of Administrative Controls impact corporate liability? 3 How do Administrative Controls influence the choice of Technical and Physical Controls 4 How would the absence of Administrative Controls affects prigects in the IT department 4 Summary 5 Reference 6   How do Administrative Controls demonstrate "due care?" Administrative Controls are guidelines that is set up by management in order to meet the standard that shows that how he company has taken precaution to prevent malicious intent as well as prevention against malicious intent. The controls that are implemented must show a degree in which the process is common and assist in the fortifying the company’s ability to prove its willingness to take action on correcting weaknesses within the company. This idea is also known as “due care.” They must include controls that contribute to individual accountability, ability to audit, and separation of duties. Administrative Controls can be identified with two specific category: detective administrative controls and preventative administrative controls. Ultimately, the purpose of Administrative Controls is to show that the company has taken the necessary precaution, the “due care,” to protect the confidentiality, integrity and availability...

Words: 896 - Pages: 4

Premium Essay

Vulnerability Assessment

...A. Memo of Case Social engineering is a method of gaining access to information by deception performed against human capital. System penetrators and ‘crackers’ know that people, and their desire to be helpful, or their ability to emote, are the weakest links in any program designed to protect information systems. Attackers can trick or persuade their way into systems in any number of ways via remote and physical means, and convince users to reveal information of interest that can cause harm to an organization. A typical social engineering attack can be segmented into physical and psychological stages. The physical segment of the social engineering operation could include phone calls, or returned phone calls from employees back to the attacker (an example of reverse social engineering) that volunteer information, ‘dumpster diving’ for company specific information that can be used to simulate a rapport or relationship with the company if questioned by an employee or security, emails with surreptitious links requesting unique information such as PIN’s or user names, or physical proximity and entry by impersonating an authorized person. The psychological stage of a social engineering attack takes place after the physical foot printing of the organization by using the bona fides that were learned while gathering physical intelligence to manufacture relationships with persons or the company, or by asserting false authority by impersonating persons or departments within the company...

Words: 1868 - Pages: 8

Premium Essay

Chapter 8 Review

...Categories › Uncategorized Answers.com > Wiki Answers > Categories > Uncategorized > What is the relationship between risks threats and vulnerabilities as it pertains to information system ... it 255 lab 2 solution - StudentOfFortune.com www.studentoffortune.com/question/2289555/it-255-lab-2-solution What is the relationship between risks, threats, and vulnerabilities as it pertains to information systems ... vulnerability, exploits, and the risk ... Understanding risk, threat, and vulnerability | TechRepublic www.techrepublic.com/blog/...risk-threat-and-vulnerability/1897 The three security terms “risk”, “threat”, and “vulnerability” will be defined and differentiated here: Risk. SANS Institute InfoSec Reading Room - SANS Information, … www.sans.org/.../introduction-information-system-risk-management_1204 · PDF file 4.2.3 Relating Threats to Vulnerabilities ... Once again, NIST SP 800-30 provides an excellent de finition of vulnerability as it pertains to information systems. Difference Between Threat & Vulnerability | eHow.com www.ehow.com › … › Operating Systems › Other Operating Systems A vulnerability is a weakness or flaw found in software and operating systems that threats try to exploit. Threats are malicious files or programs that attack an ... Securing Windows 2000 Server - Resources and Tools for IT ... technet.microsoft.com/en-us/library/cc751212.aspx Nov 17, 2004 · A threat is any potential...

Words: 527 - Pages: 3

Premium Essay

Information Security White Paper

...Information Security White Paper UMUC In business, an information security is a set of policies to protect the companies and small businesses infrastructure, physical and information technology assets, and to ensure that all information technology users within the domain of the companies and small businesses comply with the rules and guidelines related to the security of the information stored digitally at any network within the boundaries of authority. In short, it can protect data from the outside and even inside threat. The data and information, which the companies and small businesses have, are arguably the most important assets. They should ensure the data confidentiality, integrity, availability, non-repudiation, authentication, and authorization. Most small businesses and companies must have information security to ensure their business and information assets. Information security protects data and controls how it should be distributed within or without the businesses boundaries. This means that information should be encrypted and may have restrictions placed on its distribution to the third party. Information security should protect the data from the outside threats such as: Threats |Confidentiality |Integrity |Availability | |Denial of Service Attack |Low |Medium |High | |Power Supply Failure |Low |Low |High | |Malicious Code Infection |High |High |High | |Theft and Fraud |High |Medium |High | |Website Intrusion |High |High |High | |Unauthorized...

Words: 697 - Pages: 3

Premium Essay

Quality Web Design

...Company Overview Quality Web Design (QWD) is a company that specializes in Websites and Web Design content for any type of business. Their mission is to help other businesses increase their revenue by providing them with top quality websites for their customers. In addition, they own over 250,000 of proprietary images, and graphical designs. These designs are customized for every industry and demographic. Their business process is quite simple. They have a server at the Company Headquarters, where they store all of their proprietary data (including images, scripts, templates, etc). They utilize a Microsoft Visual Studio Team Foundation Service (TFS) server to manage their content and the progress of the project. “Team Foundation is a set of tools and technologies that enable a team to collaborate and coordinate their efforts on building a product or completing a project. Team Foundation enhances team communication, tracks work status, supports team roles, enacts the team process, and integrates team tools.” (Microsoft.com (2011) Team Foundation Overview) In addition to the Team Foundation, they also utilize Visual Studio to code, and build the websites. These resources are accesses through different methods. Those methods include WAN connection, VPN connection through a remote office, and through the corporate office via LAN. They also have other services such as Outlook Web Access for E-mail that is accessed via the methods mentioned above. They have also created...

Words: 927 - Pages: 4

Free Essay

Iris Recognition

...Iris Recognition In the computer world, they say it is important to keep your eyes on the future, and in the research that follows, we're going to do just that. I am planning on exploring the ins and outs of iris recognition biometrics. Whether we like it or not, biometrics are here to stay and are becoming more and more popular as each year passes. Although the automated method of iris recognition has only existed in patent since 1994, an ophthalmologist, by the name of Frank Burch, first proposed the idea of using ones iris patterns as a method to recognize someone in 1936. It's hard to imagine that this type of biometrics recognition began almost 80 years ago. (FBI) Iris recognition is being used worldwide and is growing in popularity at an astonishing rate. Twenty-nine Canadian airports are using iris recognition for their employees and at Amsterdam's Schiphol Airport, they have fast-track lines at passport control that use iris scanning to identify flight crews and frequent travelers. You may think that airports and banks are the only type of companies that have these types of biometric security, but iris recognition is being used in more basic applications. Such as, a sugar beet factory in Wisconsin uses iris scanning to keep track of time and attendance of their employees because its more accurate than a card swipe ad less intrusive as other types of biometrics. (Iris Recognition Systems for Access Control and Identity Management Gain Popularity) We may look at iris scanning...

Words: 636 - Pages: 3

Premium Essay

Nothing Yet

...Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Conducting a Penetration Test on an Organization This document is decided to give readers an outlook on how a penetration test can be successfully done on an organization. A methodology has been drawn out in this document to allow readers to be acquainted with the process that penetration testers go through to conduct a penetration test. Copyright SANS Institute Author Retains Full Rights AD Conducting a Penetration Test on an Organization TABLE OF CONTENTS PAGE Abstract 2 Bibliography ut ho Conclusion rr Limitation of Penetration Testing eta ins The Process and Methodology Planning and Preparation Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Information Gathering and Analysis Vulnerability Detection Penetration Attempt Analysis and Reporting Cleaning Up fu ll r igh ts. What is a Penetration Test? 2 3 3 4 6 7 9 9 10 10 11 12 14 Appendix A: Netcraft (www.netcraft.com) results on www.sans.org Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Chan Tuck Wai (twchan001) © SA Full name: Chan Tuck Wai GIAC userID: twchan001 Course: Security Essentials Version: First (Original Submission) Conference Location: Malaysia NS In sti DETAILS tu te 20 Appendix...

Words: 5729 - Pages: 23

Premium Essay

Minicase

...Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Biometric Scanning Technologies: Finger, Facial and Retinal Scanning This paper discusses several Biometric scan technologies: finger-scan, facial-scan and retinal-scan. We discuss the recent history of Biometrics and how it has been influenced by such pseudo-sciences as Phrenology, the study of human skull characteristics, and Anthropometry, the study of human body measurement. We discuss how finger-scan technology was influenced by French and British police advancements in the nineteenth century and still remains the most widely used Biometric technology today. Facial-scan technology is ... Copyright SANS Institute Author Retains Full Rights Edmund Spinella SANS GSEC Original Submission San Francisco, CA Dec 2002 28 May 2003 Biometric Scanning Technologies: Finger, Facial and Retinal Scanning © SANS Institute 2003, As part of the Information Security Reading Room. Author retains full rights. Abstract ...

Words: 5748 - Pages: 23

Premium Essay

Hackng

...Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Anti-Hacking: The Protection of Computers While the term Anti-Hacking may have different meanings to different people, one thing is certain. By definition, it means "the opposite of hacking." If hacking is defined as an attack on a computer system, then Anti-Hacking is the protection of that system. The three aspects discussed in this paper: Education of the Security Administrator, Securing the Environment, and How to Fight Back are just one combined definition of how to protect a system. Copyright SANS Institute Author Retains Full Rights © SANS Institute 2003, As part of the Information Security Reading Room. Author retains full rights. Anti-Hacking: The Protection of Computers Chadd Schlotter In the Computer Security industry, there are many solutions available to help combat cyber crime. Firewalls and Intrusion Detection systems are in place across the Internet to help protect more networks than ever before. Teams at software corporations work diligently on creating patches for known vulnerabilities, yet every day the number of computers that are compromised increases...

Words: 4983 - Pages: 20

Premium Essay

Conducting a Penetration Test on an Organization

...Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Conducting a Penetration Test on an Organization This document is designed to give readers an outlook on how a penetration test can be successfully done on an organization. A methodology has been drawn out in this document to allow readers to be acquainted with the process that penetration testers go through to conduct a penetration test. Copyright SANS Institute Author Retains Full Rights Conducting a Penetration Test on an Organization TABLE OF CONTENTS: Abstract; What is a Penetration Test?; The Process and Methodology (Planning and Preparation, Information Gathering and Analysis, Vulnerability Detection, Penetration Attempt, Analysis and Reporting, Cleaning Up); Limitation of Penetration Testing; Conclusion; Bibliography; Appendix A: Netcraft (www.netcraft.com) results on www.sans.org; Appendix B: Penetration Testing Tools. DETAILS Full name: Chan Tuck Wai GIAC userID: twchan001 Course: Security Essentials Version: First (Original Submission) Conference Location: Malaysia...

Words: 5638 - Pages: 23

Free Essay

Comparing Soho Hardware Firewalls

...Comparing SOHO Hardware Firewalls Routers As more and more individuals start their own small home businesses, and technology is becoming a major part of these businesses, it is just as important that they are able to secure their network from attacks the same as enterprise-level businesses. According to Whitman & Mattord (2011), one of the most effective methods of improving computer security in the Small Office/Home Office (SOHO) setting is a SOHO firewall, which serves as a stateful firewall that enables inside-to-outside and can be configured to allow limited TCP/IP port forwarding and/or screened subnet capabilities (p. 256). This paper will compare the Watchguard Firebox SOHO 6 and the Sonic Wall, which are both VPN routers that offer similar specifications. This paper will compare these SOHO firewall products, which function as packet-filtering firewalls that offer combined features and provide SOHO users strong protection through the use of Network Address Translation (NAT) services. Watchguard Firebox SOHO 6 versus SonicWall Watchguard Firebox SOHO 6 is a firewall and VPN router for small business and branch offices that allows the sharing of a single broadband connection, and it is supported by all the leading operating systems. This product includes licenses for 10 users, with an upgrade option for 25 to 50 users. Small office owners often have very little experience managing their office hardware. Therefore, the Watchguard Firebox SOHO 6 is a good choice...

Words: 794 - Pages: 4

Premium Essay

Blank

...Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. SSL Man-in-the-Middle Attacks TCP/IP protocols have long been subject to man-in-the-middle (MITM) attacks, but the advent of SSL/TLS was supposed to mitigate that risk for web transactions by providing endpoint authentication and encryption. The advent of Dug Song's 'webmitm' in late 2000 demonstrated the feasibility of mounting an MITM attack on the protocol, but a properly configured client SSL implementation would warn the user about problems with the server certificate. This paper examines the mechanics of the SSL protocol attack, then focuses o... Copyright SANS Institute Author Retains Full Rights SSL Man-in-the-Middle Attacks Peter Burkholder February 1, 2002 (v2.0) Abstract TCP/IP protocols have long been subject to man-in-the-middle (MITM) attacks, but the advent of SSL/TLS was supposed to mitigate that risk for web transactions by providing endpoint authentication and encryption. The advent of Dug Song's 'webmitm' in late 2000 demonstrated the feasibility of mounting an MITM attack on the protocol, but a properly configured client SSL implementation would warn the user about problems with the server certificate. This paper examines the mechanics of the SSL protocol attack, then focusses...

Words: 6154 - Pages: 25

Premium Essay

Cissp

...COMPLIANCE WHAT'S NEW? AN OVERVIEW; DOMAIN 7: SECURITY OPERATIONS WHAT'S NEW? AN OVERVIEW; DOMAIN 8: PHYSICAL & ENVIRONMENTAL SECURITY WHAT'S NEW? AN OVERVIEW; DOMAIN 9: SECURITY ARCHITECTURE & DESIGN WHAT'S NEW? AN OVERVIEW; DOMAIN 10: TELECOMMUNICATIONS & NETWORK SECURITY WHAT'S NEW? AN OVERVIEW; INFOSEC INSTITUTE'S CISSP BOOT CAMP COURSE OVERVIEW COURSE SCHEDULE. INTRODUCTION (ISC)²'s CISSP Exam covers ten domains, which are: Access Control; Application Development Security; Business Continuity and Disaster Recovery Planning; Cryptography; Information Security Governance and Risk Management; Legal regulations, investigations, and compliance; Operations Security; Physical and Environmental Security; Security Architecture and Design; Telecommunications and Network Security. Over the course of this eBook, we'll take a look at each one of the domains; give you some insight into what (ISC)² is looking for in that area; give you some supplemental reading material; and by the time we're done, you should have the foundation of the information you'll need to pass the CISSP exam as well as to succeed in your security professional...

Words: 11687 - Pages: 47

Premium Essay

Books of Ark

...Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Case Study: Critical Controls that Could Have Prevented Target Breach In December 2013 over 40 million credit cards were stolen from nearly 2000 Target stores by accessing data on point of sale (POS) systems. This paper will explore known issues in the Target breach and consider some of the Critical Controls that could have been used to both prevent this breach and mitigate losses. Copyright SANS Institute Author Retains Full Rights Case Study: Critical Controls that Could Have Prevented Target Breach GIAC (GSEC) Gold Certification Author: Teri Radichel, teri@radicalsoftware.com Advisor: Stephen Northcutt Accepted: August 5th 2014 Abstract In December 2013 over 40 million credit cards were stolen from nearly 2000 Target stores by accessing data on point of sale (POS) systems. This paper will explore known issues in the Target breach and consider some of the Critical Controls that could have been used to both prevent this breach and mitigate losses. From what is known about the Target breach, there were multiple factors that led to data loss: vendors were subject to phishing attacks, network segregation was lacking, point of sale systems were vulnerable to memory scraping malware, and detection strategies employed by Target failed. A possible...

Words: 8983 - Pages: 36

Premium Essay

Continuity Planning Overview

...Strayer University Continuity Planning Overview CIS-359: Disaster Recovery Management October 29, 2015 Introduction: This paper will briefly expound upon the lead position, or manager's role, at a healthcare company. It will provide a list of responsibilities a business continuity manager is expected to perform, describe how to build the framework for and execute a business continuity plan, and also display a chart that pertains to giving a BCP presentation. Explain four high-level activities that aid in the initiation of a viable business continuity plan. An experienced business continuity manager in a healthcare business must identify and implement all aspects of the business's business continuity plan, or BCP. This means remaining in accordance with the BCP in preparation for disaster, from the start date, through its ongoing stages, and afterward. Business continuity managers work directly and strategically with the in-house BCM (Business Continuity Management) division, the business owner, and the BCM's guidance and/or steering committee. They are expected to supervise, to use paramount communication skills, and to monitor the efficiency and progress of the team members and/or subordinates who report directly to the business continuity manager. In a healthcare environment, an efficient and thorough business continuity leader structures an accountability framework by working closely with the business's IT department, existing business...

Words: 1125 - Pages: 5