It is essential that government websites are secure. Senior officials have a duty of care of the information that citizens and businesses provide to the public sector. The Data Protection Act, Human Rights Act and other legislation require that privacy is respected. Beyond this, Government websites must be secure to build trust and maintain the reputation of electronic government. This will be seriously damaged if websites are defaced, services are unavailable or sensitive information is released to the wrong people.
Web management teams must consult with their Departmental Security Officers or equivalent responsible officer because the security of websites must happen within the context of your security policies.
If your website is managed by an Internet Service Provider (ISP)/hosting service, you should ensure as far as possible that the ISP/host has procedures, eg, ISO17799, in place to comply with your corporate website security. It is recommended that the application and maintenance of those procedures is checked on a regular basis by qualified security consultants such as those accredited under the CHECK service.
The Office of the e-Envoy will answer enquiries about security issues. Contact security@cabinet-office.x.gsi.gov.uk.
1.11.1 What is a security policy?
A security policy is an organisation’s commitment to, and the setting out of its approach to, managing information security, for example in line with ISO17799. From this cascades all the procedures and practices for day-to-day dealing with information.
A security policy specifically for the website and the services provided through it may be:
An overview to information security being taken by the Web management team possibly after a risk assessment has been undertaken.
Rules, both technical and legal, by which an individual who is given access to a government website must abide.
Procedures and practices for dealing with information from those transacting with your website. See section 1.10.2 Data Protection Act.
Procedures and practices for password generation and use.
1.11.2 What is the purpose of secure website management?
The purpose of secure website management is the establishment and maintenance of procedures for staff and outside contractors to use, which minimise the risk to security in the management of an organisation’s website, for example to ensure the integrity and availability of your website’s production and infrastructure.
1.11.3 The security of your website
It needs to be stressed that most successful breaches of integrity on websites are made possible by misconfiguration of the web server and failure to install relevant security patches. The information in this section aims to raise awareness on correct configuration and patch application.
The security of a website is determined by the security of the following:
In the sections below each area of security will be considered in turn with recommendations for each. All of the recommendations should be followed if good website security is to be achieved.
This guidance presupposes that the web server is open to an untrusted user community and does not address the possibility of trusted users accessing or maintaining the website remotely. Most web servers provide remote file and directory authentication for such purposes, although the types and use of such authentication are beyond the scope of this guidance.
1.11.4 The security of the web server application
A website is hosted by a web server. A web server is an application that accepts requests from client web browsers in the Hypertext Transfer Protocols (http and https) and responds by sending web pages and other content to the client web browsers.
A web page designer can manually generate these web pages or they can be automatically generated. Automatically generated pages may use interpreted scripting languages, such as Perl to produce the web pages by common gateway interface (CGI), or they may use proprietary server-side programming extensions such as Microsoft’s Active Server Pages (ASP). Web server security therefore splits into two further areas:
For the security of the web server itself, the following steps are recommended:
a) As with any application, ensure that you monitor briefings from your CERT and commercial sites such as bugtraq on a regular and frequent basis and install any security patches relevant to the version of the web server that you are using and that address problems that the server is susceptible to. The website vendor’s website should also be able to provide instructions on installing the patches and their coverage of vulnerabilities.
b) When configuring the web server, ensure that any access controls that can be set within the web server application are set appropriately on all directories under and including the root directory of the web as follows:
c) Do not assign access control override privileges to the user as these can be abused by attackers to turn off access control.
d) Enable logging on the web server so that all server activity is logged. This should be analysed on a regular and frequent basis by the organisation’s IT security officer for events indicative of an attack, for instance attempts to run non-existent scripts. The web server log should also contain all attempted and established connections, error messages, remote authentication attempts, all scripts run and any access control violations for files and directories under access control of the web server. This can be a complex and expensive activity so it may be considered more practical to use an Intrusion Detection System and analysis of these logs.
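As an added illustration of recommendation d), and not part of this guidance, the Python script below reviews web server log lines in the Common Log Format for two of the events mentioned: requests for scripts that do not exist (a 404 for a script path) and attempts to step outside the web root. The log lines, client addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format (example data, not a real server's log).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2002:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326
203.0.113.7 - - [10/Oct/2002:13:55:37 +0000] "GET /cgi-bin/phf HTTP/1.0" 404 210
203.0.113.7 - - [10/Oct/2002:13:55:38 +0000] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210
203.0.113.7 - - [10/Oct/2002:13:55:39 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 210
198.51.100.3 - - [10/Oct/2002:13:56:01 +0000] "GET /cgi-bin/search.pl?q=forms HTTP/1.0" 200 4012
198.51.100.3 - - [10/Oct/2002:13:56:02 +0000] "GET /about.html HTTP/1.0" 200 1820
"""

# One Common Log Format line: client, identity, user, [time], "request", status, bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)
SCRIPT_RE = re.compile(r'(^/cgi-bin/|^/scripts/|\.(cgi|pl|asp|php)(\?|$))', re.I)
TRAVERSAL_RE = re.compile(r'(\.\./|%2e%2e)', re.I)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Tag a parsed record with the attack indicators named in recommendation d)."""
    tags = []
    if rec['status'] == '404' and SCRIPT_RE.search(rec['path']):
        tags.append('missing-script')   # request for a script that does not exist
    if TRAVERSAL_RE.search(rec['path']):
        tags.append('path-traversal')   # attempt to step outside the web root
    return tags

def analyse(log_text, threshold=2):
    """Return (events, suspicious_ips): every tagged request, and the clients
    responsible for at least `threshold` of them."""
    events, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                    # malformed line: skip it, never abort the review
        tags = classify(rec)
        if tags:
            events.append((rec['ip'], rec['path'], tags))
            per_ip[rec['ip']] += 1
    suspicious = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return events, suspicious
```

Run against the constructed log, `analyse(SAMPLE_LOG)` reports three tagged requests, all from 203.0.113.7, which is the kind of cluster the IT security officer would then investigate.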
For the security of CGI scripts and server extensions, the following steps are recommended:
a) Remove all sample scripts installed with the server.
b) Disable any server directives or extensions that enable scripts to run operating system level commands on the web server, for example, in a Unix environment, Server Side Includes.
c) In conjunction with your Departmental Security Officer or equivalent responsible officer ensure that a suitably qualified professional, external to your website development, checks all scripts that are used on the web server to ensure that they validate input to allow only expected types and lengths of input data and produce error messages otherwise. Care should be taken that special characters and empty values are treated adequately. Escapes to an operating command shell should never be permitted.
d) If possible, store all scripts in the same directory and forbid execution of scripts outside this directory.
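As an added example of the input validation described in recommendation c), not taken from this guidance or any particular server product, the Python function below checks a submitted form against a specification of expected fields, types and lengths, treats empty values and special characters explicitly, and returns generic error messages. The field names, patterns and sample submissions are constructed for the example.

```python
import re

# Expected form fields: name -> (accepted pattern, maximum length).
# Constructed for this example; a real form carries its own specification.
FIELD_SPEC = {
    'postcode': (re.compile(r'^[A-Z]{1,2}[0-9][0-9A-Z]? ?[0-9][A-Z]{2}$'), 8),
    'reference': (re.compile(r'^[0-9]{6,10}$'), 10),
    'surname': (re.compile(r"^[A-Za-z][A-Za-z' -]*$"), 40),
}
# Characters with a meaning to a command shell, SQL or HTML that none of these
# fields needs: rejected outright rather than escaped.
SPECIAL = set(';|&$`<>"\\\n\r\0')

def validate(form):
    """Check a submitted form (dict of field -> value) against FIELD_SPEC.

    Returns (clean, errors). clean is populated only when errors is empty, so a
    script can never act on a partly valid submission. Error messages are generic
    and never echo the submitted value back to the client.
    """
    errors, clean = {}, {}
    for name in form:
        if name not in FIELD_SPEC:
            errors[name] = 'unexpected field'
    for name, (pattern, max_len) in FIELD_SPEC.items():
        value = form.get(name, '')
        if not isinstance(value, str):
            errors[name] = 'invalid format'      # e.g. a field submitted twice
            continue
        value = value.strip()
        if not value:
            errors[name] = 'value required'      # empty values handled explicitly
        elif len(value) > max_len:
            errors[name] = 'value too long'
        elif SPECIAL & set(value):
            errors[name] = 'invalid characters'
        elif not pattern.match(value):
            errors[name] = 'invalid format'
        else:
            clean[name] = value
    return (clean if not errors else {}), errors

# Constructed submissions: one well formed, one with an empty surname and a
# shell metacharacter in the reference number.
GOOD = {'postcode': 'SW1A 2AS', 'reference': '12345678', 'surname': "O'Brien"}
BAD = {'postcode': 'SW1A 2AS', 'reference': '1234; ls', 'surname': ''}
```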
1.11.5 The security of the operating system of the web server computer
The security of the web server is only as good as the security of its environment. If the operating system is configured securely, the damage that a malicious user could do will be restricted to what can be obtained with the web user privileges.
For the security of the operating system of the web server computer, the following steps are recommended:
a) When selecting an operating system, a high level of security will be obtained by:
Microsoft Windows NT 4.0 Service Pack 6a meets this standard using the NTFS file system, as do a number of Unix operating systems. For details see the IT Security Evaluation and Certification Scheme website at: http://www.itsec.gov.uk. The use of a certified operating system providing mandatory access control (ITSEC F-B1 or Common Criteria Labelled Access Protection Profile) that separates the user file and process space into levels or compartments will provide even greater security in the web server environment if the web server is run as an unprivileged user in its own compartment.
b) As in the case of the web server, ensure that you monitor briefings from your CERT and commercial sites such as bugtraq http://www.securityfocus.com on a regular and frequent basis and install any approved and necessary security patches relevant to the version of the operating system that you are using. The operating system vendor’s website should also be able to provide instructions on installing the patches and their coverage of vulnerabilities.
c) Ensure that the web server runs with the least privilege needed. The web server should not run as an administrator (including the web server administrator) or superuser (if applicable). In a Unix environment, if superuser privileges are needed to bind to the HTTP port, the binding should be run as the superuser using a set user ID process and all subsequent processes should be run as an unprivileged web user.
d) Do not assign discretionary access control or mandatory access control override privileges to the web user as these can be abused by attackers who manage to gain web user privilege.
e) To ensure that the web server is an unprivileged user, restrict access for the web server user to files and directories relevant to the web server application (which may be the directory structure under the web server root). Check the permissions on all other files and directories on the web server to ensure that the user cannot gain access to any executables or data files that are not needed.
f) If the web server directory structure is not virtual (ie the directories exist within the operating system environment), ensure that access controls are set appropriately on all files and directories relevant to the web server application:
g) In a Unix environment, it may be beneficial to security to run the web server with a redefined root directory using the ‘chroot’ command. In this case do not have any symbolic links to files outside the directory structure that includes directories under the redefined root directory.
h) Enable logging on the operating system so that security-relevant activity is logged. This should be analysed on a regular and frequent basis by the organisation’s IT security officer for events indicative of an attack, for instance attempts to access files without the correct permissions. All error messages, application startup and shutdown, attempted remote application logins, and changes in file permissions should also be logged. This can be a complex and expensive activity so it may be considered more practical to use an Intrusion Detection System and analysis of these logs.
i) The web server should be run as a dedicated web server. To decrease the risk of misconfiguration remove all unnecessary executables (including compilers and utility programs) and network services from the web server computer.
j) Remove all unnecessary user accounts from the server and implement passwords for the remaining accounts that are hard to guess and accord with the organisation’s security policy for password generation and use.
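As an added example of the permission checks in recommendations e) and f), not part of this guidance, the Python script below walks a web directory tree on a Unix system and reports regular files that are world-writable, writable by the web user, or carry the setuid or setgid bit. The sample tree, its file names and modes are constructed for the example, and the current account stands in for the web user.

```python
import os
import stat
import tempfile

def audit_tree(root, web_uid):
    """Walk root and report regular files that contradict least privilege.

    Returns sorted (relative path, issue) tuples. Issues:
      world-writable        any account on the host can modify the file
      writable-by-web-user  the web user owns it with write permission, so a
                            compromised web process could rewrite a page or script
      setuid/setgid         an executable that runs with another identity
    Directories are walked but not themselves assessed; symbolic links are skipped.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, 'world-writable'))
            if st.st_uid == web_uid and st.st_mode & stat.S_IWUSR:
                findings.append((rel, 'writable-by-web-user'))
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, 'setuid/setgid'))
    return sorted(findings)

def build_sample_tree(base):
    """Create a small constructed web root with deliberate mistakes (example data)."""
    for sub in ('htdocs', 'cgi-bin'):
        os.makedirs(os.path.join(base, sub), mode=0o755)
    modes = {
        'htdocs/index.html': 0o444,   # read-only page: no finding expected
        'htdocs/upload.dat': 0o666,   # world-writable data file
        'cgi-bin/report.cgi': 0o755,  # script its owner (the web user here) can rewrite
        'cgi-bin/helper': 0o4755,     # setuid executable inside the web tree
    }
    for rel, mode in modes.items():
        full = os.path.join(base, rel)
        with open(full, 'w') as fh:
            fh.write('x')
        os.chmod(full, mode)

def run_demo():
    """Audit the constructed tree, treating the current account as the web user."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return audit_tree(base, web_uid=os.getuid())
```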
1.11.6 The security of the local area network of the web server computer
The web server environment extends from the web server computer to its local area network and to the Internet or Intranet environment.
For the security of the local area network of the web server computer, the following steps are recommended:
a) Install a firewall between the web server computer’s local area network and the Internet to handle all traffic to and from the Internet. For web traffic the firewall should deny all unnecessary incoming services and should allow only HTTP and possibly HTTPS (X.509 digital certificate compliant Secure Socket Layer over HTTP, the commercial standard for IP encryption of web traffic) as unsolicited incoming connections. HTTP should be proxied to provide initial validation of the web page request. DNS may be allowed outbound on an unprivileged port to request DNS lookups and should listen on that port for responses. It is recommended that a certified firewall be used. For details of certified firewalls see the IT Security Evaluation and Certification Scheme website.
b) Isolate the web server computer on its own network segment. This may be as a standalone network or on a DeMilitarised Zone (DMZ) that has restricted access to the internal network and in particular to any database server that is used to store sensitive information. If a company does not have a DMZ, the use of a non-routable IP protocol between the web server and the internal network could be considered.
c) Enable logging on the firewall so that security-relevant activity is logged. This should be analysed on a regular basis by the organisation’s IT security officer for events indicative of an attack, for instance attempts to access services with known vulnerabilities, successful/denied connections, error messages, multiple access attempts and access to insecure ports.
1.11.7 The security of the ‘backend’ applications supporting the web server
Any supporting ‘backend’ applications (eg databases) should be stored on another computer. Care needs to be taken that the web user account can only perform a specified set of actions on the ‘backend’ applications so that the security of those applications is not unduly compromised. For example, if a database application is used as a read-only source to web users, the web user account should have read only access, while if the database is updated by the web user account via web forms, the web user should be restricted to database update queries. This could be performed by a database application that provides access control by query type and data object (such as database and table) within the database application.
1.11.8 The security of the authoritative domain name server for the web server network
It is possible to change the IP address associated with a website address (URL). When this is done maliciously it is known as domain name server (DNS) poisoning.
To prevent DNS poisoning, the web address registration authority should if possible upgrade the DNS server software to the latest version and apply all relevant security patches. DNS server administrators should also if possible configure their servers to check DNS records obtained from an authoritative DNS server by comparing them with those taken from another authoritative server. Authoritative master primary DNS servers should be protected by a firewall. Zone transfers should be restricted from master primary DNS servers to designated slave DNS servers, which preferably should be within the perimeter protected by a firewall. It is recommended that the web server administrator confirm with the administrator of the authoritative DNS server that the protective measures identified above have been taken.
It is also possible for DNS poisoning to be performed manually, in which case the basic security issues are as follows. The web address registration authority for the domain that includes your web server may receive bogus requests to alter the IP address associated with the website URL, by email for example. The organisation’s security officer should satisfy himself or herself that the registration authority has adequate security measures in place to ensure the authenticity of any changes to the IP addresses in their domain. Examples of reasonably secure authentication schemes are digitally signed emails, challenge-response password authentication over the telephone and a recognised signature on official company notepaper that can be verified against ‘signatures held for comparison’.
1.11.9 Resources
The IT Security Evaluation and Certification Scheme
Framework for Information Age Government Security
This document sets security objectives for Information Age government. It assumes that the Internet and other channels such as interactive Digital Television and call centres will be important vehicles of delivery of government services. It reviews the security issues for both internal networks and public systems involved in digital communications.
ISO17799 (BS7799)
This is an international standard that presents a code of practice and requirements specifications for establishing, implementing and documenting the security of information management systems. It is government policy to move to ISO17799 compliance.
www.bsi-global.com/Global/iso27001.xalter [External link]
Computer Emergency Response Team
An organisation can join or create, depending on its size, a Computer Emergency Response Team (CERT). A CERT will provide briefings and emergency alerts.
http://www.cert.org [External link]
UNIRAS
The Unified Incident Reporting and Alert Scheme (UNIRAS) is the CERT for UK Government and trusted suppliers. You can access information about UNIRAS on the Web at:
bugtraq
bugtraq [External link]