
general web security (was "Compiling CERN httpd...)



> 
> Question from me: what is involved in setting up virtual web and are
> there any security considerations?

I know people consider this to be a forum for a slightly different level
of concern, but I hope my answer to this is an important contribution
nevertheless:

Always assume any publicly accessible software you are running is a
threat.  Assume it has an entire stable of Trojan horses hidden
within.  Then, with that in mind, configure your system.  And then
protect the rest of your network from that machine.

If the protections on that system are insufficient to corral the
process in a low-privilege area, don't use that OS.  In Unix,
this means using chroot, setuid(), etc.  I know some NT web servers
install and run as a privileged account by default.  This is
exactly the kind of thing to avoid.

I apologize if this is obvious for readers of this list...

dorian
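
The chroot and setuid() confinement mentioned in the message, as an added example that is not part of the original post. The function name `confine`, the jail path `/var/empty` and uid/gid 65534 are assumptions chosen for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Step codes returned by confine(); errno is left set by the failing call. */
enum { CONFINE_BADID = -1, CONFINE_CHROOT = -2, CONFINE_CHDIR = -3,
       CONFINE_GROUPS = -4, CONFINE_GID = -5, CONFINE_UID = -6,
       CONFINE_REGAIN = -7 };

/* Jail the calling process, then permanently drop to uid/gid. 0 on success. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    /* Refuse to "drop" to root: the process would stay privileged. */
    if (uid == 0 || gid == 0)
        return CONFINE_BADID;
    /* chroot needs root, so it has to happen before the uid change. */
    if (chroot(jail) != 0)
        return CONFINE_CHROOT;
    /* chroot does not move the cwd; without this the old tree stays reachable. */
    if (chdir("/") != 0)
        return CONFINE_CHDIR;
    /* Clear supplementary groups inherited from the privileged parent. */
    if (setgroups(0, NULL) != 0)
        return CONFINE_GROUPS;
    /* Group first: after setuid() the process may no longer change its gid. */
    if (setgid(gid) != 0)
        return CONFINE_GID;
    if (setuid(uid) != 0)
        return CONFINE_UID;
    /* Verify the drop is permanent: regaining root must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return CONFINE_REGAIN;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed defaults; a server would bind its socket before this call. */
    int rc = confine(argc > 1 ? argv[1] : "/var/empty", 65534, 65534);
    if (rc != 0) {
        fprintf(stderr, "confine failed at step %d (errno %d)\n", rc, errno);
        return 1;
    }
    printf("confined: uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Every return value is checked because a silently failed setuid() leaves the server running as root inside the jail, where chroot offers no containment.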


