Re: Web Services Security

[nikhil () niiconsulting com]

Hello Hesh,

Securing Web Services depends on the product your organization has implemented. Like for example the security measures 
for IIS is different than the one used for Apache. 

However general security measures for Web services besides implementing Web service firewall are:

1.      Hide the version number and other sensitive information which the Web server might give out unnecessarily.
2.      Make sure the Web service is not running with administrative privileges but with its own low privilege user 
account and group.
3.      Make sure that files outside the web server's root folder are not accessible.
4.      Directory listing should be denied.
5.      Server side Includes (SSI) and CGI includes should be restricted or disabled totally if not required.
6.      Disable unnecessary modules and extension (like WebDAV or mod_info, mod_cgi etc) if not required at all.
7.      Ensure proper permission and ACLs set on the Web service related folders(typically administrator/root user 
should have Read/Write access and all others should have read-only access).
8.      Enable logging facility and make sure logs are reviwed and worked upon on regular basis.
9.      Ensure that the Web Server is upto-date with the lates patches released by the vendor on timely basis.
10.     Use tools/modules like Microsoft URLScan or IIS Lockdown or mod_security module to ensure proper working and 
maintenance of Web Server.
11.     Protect your Web Server with SSL, if it contains use of credentials or sensitive information like Credit Cards, 
shopping carts etc.

-----
Nikhil Wagholikar

Security Analyst
NII Consulting
www.niiconsulting.com