02-WAS The Web Server

Module 2: The Web Server
Overview
• The Web Server
• Overview of IIS
• Overview of Apache
Web Server Defined
A web server is a computer program that delivers (serves) content such as web
pages, using the Hypertext Transfer Protocol (HTTP), over the World Wide Web.
Web Server Market Share

Developer    October 2010   Percent   November 2010   Percent   Change
Apache       135,209,162    58.07%    148,085,963     59.36%     1.29
Microsoft     53,525,841    22.99%     56,637,980     22.70%    -0.28
nginx         14,130,907     6.07%     15,058,114      6.04%    -0.03
Google        14,971,028     6.43%     14,827,157      5.94%    -0.49
lighttpd       1,380,160     0.59%      2,070,300      0.83%     0.24

Market Share for Top Servers Across All Domains
as of November 2010, source: netcraft.com
Web Server Common Features
• Virtual hosting
• Large file support
• Bandwidth throttling
• Server-side scripting
Internet Information Services (IIS)
• Overview of IIS
• IIS Features
• IIS Authentication
• The .Net Framework
• ASP.Net
IIS 7 Overview
• Complete redesign and rewrite of IIS
• Shipped with Windows Vista and Windows Server 2008.
• Includes a new modular design that allows for a lessened attack surface
and increased performance.
• Introduces a hierarchical configuration system allowing for simpler site
deployments
• New Windows Forms based management application
• New command line management options
• Increased support for the .NET Framework
• IIS 7.0 on Vista does not limit the number of allowed connections as IIS on
XP did
IIS Features
IIS 7.5 supports the following features:
• HTTP – Hyper Text Transfer Protocol
• HTTPS – Hyper Text Transfer Protocol Secure
• FTP – File Transfer Protocol
• FTPS – File Transfer Protocol Secure
• SMTP – Simple Mail Transfer Protocol
• NNTP – Network News Transfer Protocol
IIS Request Processing
IIS Authentication
IIS 5.0 and higher support the following authentication mechanisms:
• Basic access authentication
• Digest access authentication
• Integrated Windows Authentication
• .NET Passport Authentication (not supported in Windows Server 2008 and
above)
IIS 7.5 includes the following additional security features:
• Client Certificate Mapping
• IP Security
• Request Filtering
• URL Authorization
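Worked example (added here, not part of the slides): a Python sketch of what the Basic and Digest mechanisms listed above actually put on the wire. The realm, user, password and nonces are constructed values; the Digest computation follows RFC 2617 with qop=auth. It shows why Basic needs HTTPS (the credential is merely base64-encoded) and why a captured Digest response is tied to one nonce, method and URI.

```python
import base64
import hashlib
import secrets

# Constructed demo values (not from the slides): one realm, one user.
REALM = "example-realm"
USERS = {"alice": "correct horse battery"}


def md5_hex(text: str) -> str:
    """RFC 2617 Digest hashes colon-joined fields with MD5."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_basic(user: str, password: str) -> str:
    """Build an 'Authorization: Basic' value the way a client does."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(header: str) -> tuple:
    """Decode a Basic header. Base64 is an encoding, not encryption: anyone
    who can read the header (no TLS) recovers the password verbatim."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(user, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of Digest (qop=auth). Only this hash is sent; the password
    itself never leaves the client."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(user, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute from the stored secret and compare in constant
    time. A different nonce, method or URI yields a different hash, so a
    captured response does not validate against a fresh challenge."""
    password = USERS.get(user)
    if password is None:
        return False
    expected = digest_response(user, password, method, uri, nonce, nc, cnonce, qop)
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = make_basic("alice", USERS["alice"])
    print("Basic on the wire:", hdr, "->", parse_basic(hdr))
    resp = digest_response("alice", USERS["alice"], "GET", "/private/", "n1", "00000001", "c1")
    print("Digest on the wire:", resp, "valid:",
          verify_digest("alice", "GET", "/private/", "n1", "00000001", "c1", resp))
```

The server-side store for Digest is HA1 (MD5 of user:realm:password), so the same realm string must be used by both sides; this example keeps the plain password only to keep the demonstration short.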
Introduction to the .Net framework
The .NET Framework consists of:
• Common Language Runtime – provides an abstraction layer over the
operating system
• Base Class Libraries – pre-built code for common low-level programming
tasks
• Development frameworks and technologies – reusable, customizable
solutions for larger programming tasks
Introduction to the .Net Framework cont.
The .NET Framework allows you to:
• Apply common skills across a variety of devices, application types, and
programming tasks
• Integrate with other tools and technologies to build the right solution with
less work
• Build compelling applications faster
Components of the .NET Framework
[Figure: layered diagram. Top layer, languages and user interfaces: Visual C#, Visual Basic, Visual C++, Visual J#, JScript, Third Party, alongside ADO.NET and ASP.NET. Middle layer: .NET Framework Class Library. Bottom layer: Common Language Runtime.]
IIS and ASP.Net
IIS Versions
Almost every version of IIS was released alongside a version of the Microsoft
Windows operating system, with the exception of IIS 1.0, which was initially
released as a free add-on for Windows NT 3.51.
• IIS 6.0, Windows Server 2003 and Windows XP Professional x64 Edition
• IIS 7.0, Windows Server 2008 and Windows Vista (Home Premium,
Business, Enterprise, Ultimate Editions)
• IIS 7.5, Windows Server 2008 R2 and Windows 7
Common Security Threats in IIS
• IIS is plagued with buffer overflows
• Inability to properly filter requests
To Fix Common Threats
• Configure the URLScan filter to reject maliciously formed HTTP requests
• Change the ISAPI extensions, such as .htr, .idq, .ism, and .printer
• Don’t install samples or remote administration tools on new installs
• Only install the modules required by your application
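Worked example (added here, not from the slides or from Microsoft): a Python model of the request-filtering rules the list above and the IIS 7.5 "Request Filtering" feature express. The policy values (refused extensions, allowed verbs, size limits) are constructed assumptions; the four extensions are the ones named on the slide. The check decodes the path once and rejects anything that would decode again, so a double-encoded request cannot bypass the extension check.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed policy (assumption, not an IIS default): refuse the ISAPI
# extensions named on the slide, allow only a short verb list, cap sizes.
BLOCKED_EXTENSIONS = {".htr", ".idq", ".ism", ".printer"}
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
MAX_URL_LENGTH = 4096
MAX_QUERY_LENGTH = 2048
MAX_CONTENT_LENGTH = 30_000_000


def check_request(request_line: str, headers: dict) -> tuple:
    """Return (accepted, reason) for a raw request line plus a header dict.
    Meant to run before any handler or script engine sees the request."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    verb, target, _version = parts

    if verb not in ALLOWED_VERBS:
        return False, f"verb {verb} not allowed"
    if len(target) > MAX_URL_LENGTH:
        return False, "URL too long"

    url = urlsplit(target)
    if len(url.query) > MAX_QUERY_LENGTH:
        return False, "query string too long"

    # Decode once, then refuse anything that still decodes further: double
    # encoding is the classic way past a filter that only looks at raw bytes.
    path = unquote(url.path)
    if unquote(path) != path:
        return False, "double-encoded path"
    if "\\" in path or "\x00" in path:
        return False, "illegal character in path"

    # Check every segment, not only the last, so "/x.htr/extra" is caught too.
    for segment in path.split("/"):
        if segment == "..":
            return False, "path traversal"
        if posixpath.splitext(segment)[1].lower() in BLOCKED_EXTENSIONS:
            return False, f"blocked extension in {segment}"

    # Body size limit from Content-Length; a non-numeric value is rejected.
    raw_length = headers.get("Content-Length", "0")
    if not raw_length.isdigit():
        return False, "invalid Content-Length"
    if int(raw_length) > MAX_CONTENT_LENGTH:
        return False, "body too large"
    return True, "ok"


if __name__ == "__main__":
    for line in ("GET /default.htm HTTP/1.1", "GET /scripts/x%2ehtr HTTP/1.1",
                 "TRACE / HTTP/1.1", "GET /%252e%252e/web.config HTTP/1.1"):
        print(line, "->", check_request(line, {}))
```

The ordering matters: size limits first (cheap, and they bound the work the later checks do), then decoding, then content checks on the decoded form. Checking the blocked extension on the raw, still-encoded path is the mistake the double-encoding test exists to catch.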
Process for Securing Web Sites and Applications
Overview of Apache
• Apache HTTP Server, commonly referred to as Apache, is web server
software
• Played a key role in the initial growth of the World Wide Web
• Apache is developed and maintained by an open community of
developers under the auspices of the Apache Software Foundation
Overview of Apache cont.
• Since April 1996, Apache has been the most popular HTTP server
software in use
• As of November 2010, Apache served over 59.36% of all websites and
over 66% of the million busiest
• The majority of web servers using Apache run a Unix-like operating
system
Apache Features
• Apache supports a variety of features, many implemented as compiled
modules
• The modular nature allows you to only install and activate needed
modules
• The following core modules are required:

Module           Description
core             Core Apache HTTP Server features that are always available
mod_access       Access control based on client hostname, IP address, or other characteristics of the client request
mod_auth         User authentication using text files
mod_dir          Provides for "trailing slash" redirects and serving directory index files
mod_log_config   Logging of the requests made to the server
mod_mime         Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding)
Virtual hosting
• Virtual hosting lets one machine with one Apache installation
simultaneously serve www.example.com, www.test.com, test47.testserver.test.com, etc.
• Apache features configurable error messages
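Worked example (added here, not Apache's code): a Python model of how name-based virtual hosting picks a site. The host names are the three from the slide; the document roots and the choice of default site are constructed assumptions. It handles the two cases that matter operationally: an HTTP/1.1 request with no Host header (invalid, so 400) and a request for a name that no site claims (Apache serves it from the first vhost unless a catch-all is configured).

```python
# Constructed vhost table: the host names are the slide's, the document roots
# are assumptions. Apache treats the first <VirtualHost> as the default.
VHOSTS = {
    "www.example.com": "/var/www/example",
    "www.test.com": "/var/www/test",
    "test47.testserver.test.com": "/var/www/test47",
}
DEFAULT_VHOST = "www.example.com"


def parse_request(raw: bytes):
    """Split a raw HTTP request head into (method, target, version, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def select_vhost(version: str, headers: dict):
    """Return (status, vhost_name). Name-based hosting keys entirely on the
    Host header, which is why HTTP/1.1 makes that header mandatory."""
    host = headers.get("host")
    if host is None:
        if version == "HTTP/1.1":
            return 400, None           # RFC 7230: a 1.1 request without Host is invalid
        return 200, DEFAULT_VHOST      # HTTP/1.0 clients land on the default site
    # Normalise: strip port (IPv6 literals are bracketed), fold case, drop trailing dot.
    if host.startswith("["):
        name = host[1:host.find("]")]
    else:
        name = host.split(":", 1)[0]
    name = name.lower().rstrip(".")
    if name in VHOSTS:
        return 200, name
    # Unknown names fall through to the default site, as Apache does. Any name
    # whose DNS points here is served by the first site unless a catch-all
    # vhost is configured, which is the usual hardening step.
    return 200, DEFAULT_VHOST


def route(raw: bytes):
    """Return (status, vhost_name, document_root) for a raw request."""
    _method, _target, version, headers = parse_request(raw)
    status, name = select_vhost(version, headers)
    return status, name, VHOSTS.get(name)


if __name__ == "__main__":
    print(route(b"GET / HTTP/1.1\r\nHost: www.test.com\r\n\r\n"))
    print(route(b"GET / HTTP/1.1\r\n\r\n"))
    print(route(b"GET / HTTP/1.1\r\nHost: unknown.invalid\r\n\r\n"))
```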
Apache Features cont.
• Some common language interfaces support Perl, Python, Tcl, and PHP
• Popular authentication modules include mod_access, mod_auth,
mod_digest, and mod_auth_digest, the successor to mod_digest
Apache Web server
Apache System Requirements
• Java 1.4.x or greater.
• ANT 1.6.3 or greater.
• JUnit 3.8.2 if you wish to run the unit tests.
• CPU, Disk and Memory requirements are based on the many choices
made in implementing Lucene
Common Security Threats in Apache
• Keep up to Date
• Permissions on Server Root Directories
• Server Side Includes
• Protect Server Files by Default
• Watching Your Logs
• Protecting System Settings
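Worked example for the "Watching Your Logs" item (added here, not from the slides): a Python parser for Apache's combined log format that summarises requests per client and flags clients whose traffic is mostly 4xx/5xx responses, the signature of probing for files that are not there. The log lines are constructed (RFC 5737 documentation addresses), and the threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2010:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2010:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 1120 "http://www.example.com/index.html" "Mozilla/5.0"
198.51.100.23 - - [10/Nov/2010:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "curl/7.21"
198.51.100.23 - - [10/Nov/2010:13:56:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "curl/7.21"
198.51.100.23 - - [10/Nov/2010:13:56:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "curl/7.21"
198.51.100.23 - - [10/Nov/2010:13:56:04 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "curl/7.21"
this line is not in combined format
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def analyze(log_text: str, error_threshold: int = 3) -> dict:
    """Per-client request/error counts plus the set of paths each client hit.
    A client is flagged when it has at least error_threshold error responses
    and errors make up half or more of its requests."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # count, never silently drop, lines the regex misses
            continue
        entry = stats[rec["client"]]
        entry["requests"] += 1
        parts = rec["request"].split(" ")
        entry["paths"].add(parts[1] if len(parts) >= 2 else rec["request"])
        if rec["status"][0] in "45":
            entry["errors"] += 1
    flagged = sorted(
        client for client, entry in stats.items()
        if entry["errors"] >= error_threshold and entry["errors"] * 2 >= entry["requests"]
    )
    return {"stats": dict(stats), "flagged": flagged, "unparsed": unparsed}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client in result["flagged"]:
        entry = result["stats"][client]
        print(client, entry["errors"], "errors of", entry["requests"], sorted(entry["paths"]))
    print("unparsed lines:", result["unparsed"])
```

The unparsed counter is deliberate: a sudden rise in lines the parser does not recognise usually means the LogFormat changed or something is writing odd request lines, and either is worth a look.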
Typical Attack Process
Reduce the Attack Surface
Review
• The Web Server
• Overview of IIS
• Overview of Apache