|
. Isolate the web server physically and virtually. If possible allow local access to the
web server to the fewest number of people with a minimal number of users. Keep the web server close to the administrator, the web engineer, or the webmaster. Keep the web server on a LAN segment separate from the rest of the IT infrastructure. Do not mount or share services to and from the server. Example: Apache As of 26 September 2001, Apache 1.3.20 is the latest version and is available at http://httpd.apache.org . Ensure the user running the Apache web server is set to nobody. In the httpd.conf file in the /usr/local/apache/conf directory, make sure that the effective user is nobody and that the group option is also set to nobody. Below are the lines to add to the file. User nobody Group nobody . Ensure that user nobody does not own or have write access to the htdocs or cgi-bin subdirectories or any other subdirectory under these. Below are the commands to set ownership of these directories to root and to restrict write access to only root. chown -R root /usr/local/apache/htdocs