Enterprise-Wide Systems Development Security ◾ 107
© 2011 by Taylor & Francis Group, LLC
Best practices for security and Web servers require that the Web server be isolated in a demilitarized zone (DMZ) where it is separated from the rest of the network, including any databases or resources it may use, by a firewall.
Some of the important questions to ask about the physical and network location of each Web server the project will use are as follows:
◾ Is the Web server isolated in a demilitarized zone (DMZ) and, if so, what else is located in this DMZ?
◾ Is there a firewall between this DMZ and the rest of the network?
◾ Where is the server physically located, and who requires physical access to it in order to perform their job functions?
◾ What logging is in place to record access and access attempts to the physical server, and what process is there to audit these logs?
◾ What logging is in place to monitor the server’s network access and access attempts, and what process is in place to audit these logs?
◾ Is the Web server also acting as another type of server or resource?
◾ If the Web server uses a database as a back end, are the Web server and database separated to ensure better security?
◾ What logging is in place to record access and access attempts that touch the firewall, and what process is in place to audit those logs?
Port Restrictions—Because a Web server is intended for a particular use, the vast array of available ports and port traffic should be limited to use or acknowledge only the ports actually needed to perform as a Web server for the project. Leaving ports open that are not required exposes the Web server to security risks from port attacks and potential software vulnerabilities in software listening on various ports.
Ports should follow a similar white-list approach to that of access control. All ports should be shut down and then only those required for the Web server to perform its tasks for the project should be opened as exceptions. The two standard ports to leave open are port 80 (http) and port 443 (https).
Some of the important questions to ask regarding Web server port restrictions for each Web server used by the project are as follows:
◾ Are all ports other than 80 and 443 shut down?
◾ Does the project use any other ports, and why?
◾ Does other software running on this machine require ports other than 80 and 443 to be open, and why?
◾ What logging is in place to record changes to port activations and deactivations, and what process is in place to audit these logs?
◾ What logging is in place to record port access attempts, successful or unsuccessful, and what process is in place to audit these logs?