
Security threats and protections related to the web

2026-04-06 06:20:16

1. Introduction
With the widespread adoption of the Internet, people rely on it more and more. However, because the Internet was designed for openness with little consideration for information and system security, network attacks and sabotage are rampant and cause serious disruption to daily life and economic activity. The web is the most widely used service on the Internet today, and the frequent intrusions into web sites have pushed web security to the forefront of public attention.
2. Security Threats to the Web
Security threats and attacks from the Internet are diverse. Classified by where they strike in a web transaction, they fall into three categories: threats to web servers, threats to web clients, and threats to the communication channel between them.
2.1 Security Threats to Web Servers
Vulnerabilities can exist in the web server software, the server operating system, and the database server, and attackers exploit them to obtain sensitive information or take over the host. The exposure of a web server can be considered from the following aspects:
2.1.1 Confidential files or important data (for example, files containing usernames and passwords) are placed in an insecure location on the web server, where they are easily obtained after an intrusion.
2.1.2 Valuable information stored in the web database (trade secrets, user records, and so on) is easily leaked if database security is not properly configured.
2.1.3 The web server software itself has vulnerabilities that hackers can exploit to intrude into the system, destroy important data, or even bring the system down.
2.1.4 Bugs introduced by programmers, whether deliberately or by oversight, give malicious hackers their opening. This includes the vulnerabilities common in CGI programs, which typically arise from passing unvalidated request data to the operating system.
2.2 Security Threats to Web Clients
Dynamic content is now used on most web pages, and its insecurity is a major threat to the client. Dynamic content refers to programs embedded in otherwise static web pages that run transparently to the user; they display animations, download and play music and video, and so on. When a user views a page carrying such content, the program is downloaded and executed on the client machine automatically. If the program is malicious, it can steal, alter, or delete information on that machine. The two vehicles discussed here are Java Applets and ActiveX. Current browsers no longer run either, but the same concern applies to any code a page delivers for execution on the client.
Java Applets are written in Java and downloaded together with the web page. The Java runtime confines an applet to a sandbox according to the rules of its security model, so the applet cannot reach files, hosts, or code outside the scope the sandbox permits. Even so, applets and the runtime that executes them have had security vulnerabilities that can be exploited to escape the sandbox.
ActiveX is a Microsoft control technology: a control is a compiled program that a web designer places in a page to perform a specific task. Controls can be written in any language Microsoft supports, but they run only on the Windows platform. ActiveX is less secure than Java Applets because there is no sandbox: once downloaded and accepted, a control executes like any other program with the user's full privileges, able to access every system resource, including operating system code, which is extremely dangerous.
Cookies were introduced by Netscape to work around the stateless nature of HTTP, which makes it hard to build things like shopping carts that must remember a user's actions across several requests. A cookie is a small piece of data the HTTP server sends to the browser on the first connection; on subsequent connections the browser sends a copy back, and the server uses it to recognise the user and carry state across multiple pages. A cookie is data, not code: it cannot read or run anything on the user's machine, and it holds only what the server chose to store in it (typically a session identifier, sometimes preferences or the URLs the user visited on that site). In that sense cookies are relatively secure. The caveat is that a cookie holding a session identifier is effectively the user's credential for the site: anyone who copies it, by eavesdropping on an unencrypted connection or by reading it from a script running in the page, can act as that user. This is why session cookies should be sent only over HTTPS and marked so that page scripts cannot read them.
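The following is an added example, not code from the original article, showing how a server issues a session cookie with the attributes that protect it (HttpOnly, Secure, SameSite) and how to audit any Set-Cookie value for the ones that are missing. The cookie name "sid" and the identifier length are assumptions chosen for illustration.

```python
# Added example (not from the original article): issuing a session cookie
# with the attributes that protect it, and auditing a Set-Cookie value.
# The cookie name "sid" and the 32-byte identifier size are assumptions.
import secrets
from http.cookies import SimpleCookie
from typing import List


def new_session_id() -> str:
    """Unguessable session identifier; a guessable one could simply be forged."""
    return secrets.token_urlsafe(32)


def make_session_cookie(session_id: str, https: bool = True) -> str:
    """Return the value part of a Set-Cookie header for a session cookie.

    HttpOnly keeps page scripts from reading the cookie, Secure keeps the
    browser from sending it over plain HTTP, and SameSite=Lax stops most
    cross-site requests from carrying it. Secure is only meaningful on an
    HTTPS site, so it is omitted when https is False.
    """
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True
    cookie["sid"]["samesite"] = "Lax"
    if https:
        cookie["sid"]["secure"] = True
    # output() renders "Set-Cookie: ..." per morsel; header="" drops the prefix
    return cookie.output(header="").strip()


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the protective attributes missing from a Set-Cookie value.

    Works on any Set-Cookie value, e.g. one captured from a proxy, not
    only on cookies built by make_session_cookie().
    """
    parts = [p.strip() for p in header_value.split(";")[1:]]
    present = {p.split("=", 1)[0].lower() for p in parts if p}
    return [name for name in ("Secure", "HttpOnly", "SameSite")
            if name.lower() not in present]


if __name__ == "__main__":
    sid = new_session_id()
    print("Set-Cookie:", make_session_cookie(sid))
    print("missing from a bare cookie:", audit_set_cookie("sid=" + sid + "; Path=/"))
```

The audit function is the useful half for a reviewer: run it over the Set-Cookie headers a site actually emits and any session cookie that comes back with "Secure" or "HttpOnly" in the missing list can be stolen by exactly the sniffing and client-side code the sections above describe.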
2.3 Security Threats to Communication Channels
The Internet, the channel connecting web clients and servers, is inherently insecure. Packet-sniffing programs can eavesdrop on traffic in the channel and steal confidential information, a threat to confidentiality. An attacker positioned in the channel can also alter content in transit, a threat to integrity. Finally, denial-of-service attacks either flood the web server with so many requests that it can no longer respond, or send massive volumes of IP packets to clog the channel and slow the network.
3. Web Security Protection Technology
3.1 Security Protection for Web Clients
Client-side protection focuses on the web application components the browser executes, strictly restricting which programs may be downloaded and run locally. This is done through browser settings. In Microsoft Internet Explorer, for example: disable the Java-related options in the Advanced tab of Internet Options; in the Security tab choose Custom Level and disable the ActiveX control options; in the Privacy tab choose the required cookie level, or delete the files in the Windows Cookies folder as needed. The same principle applies to any browser: allow active content only from sites you trust.
3.2 Security Protection of Communication Channels
Where security requirements are high, HTTPS should be used instead of plain HTTP. HTTPS is HTTP carried over the Secure Sockets Layer (SSL) protocol or its successor, Transport Layer Security (TLS). SSL/TLS establishes a secure channel between the browser and the web server and provides confidentiality and integrity for the data crossing the Internet, together with authentication of the server through its certificate, which is what defeats the sniffing and tampering described in 2.3. The cost is some performance degradation on the web server, mostly from the cryptographic handshake. Note that the SSL protocol versions themselves (SSL 2.0 and 3.0) are long deprecated; a current deployment should accept only TLS 1.2 or later.
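As an added example (not code from the original article), the following Python shows the client-side counterpart of "use HTTPS": a TLS context that actually verifies the server and refuses old protocol versions, next to the weakened context that results from the usual "turn off verification to make the error go away". Disabling verification keeps the encryption but gives up authentication, so a sniffer in the channel can present its own certificate and read everything. The host name in the usage call is an assumption; only the context-building functions are needed offline.

```python
# Added example (not from the original article): the TLS client context a
# practitioner would use versus the one that silences certificate errors.
# The host name is an assumption; the example connects only when run directly.
import socket
import ssl
from typing import Dict


def make_client_context() -> ssl.SSLContext:
    """Verify the server's certificate chain and name; refuse pre-TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 2/3 and TLS 1.0/1.1 are out
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The common 'fix' for a certificate error: encryption without
    authentication. Anyone in the channel can now impersonate the server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Plain-value summary of what a context actually enforces."""
    return {
        "verifies_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def probe(host: str, port: int = 443) -> Dict[str, object]:
    """Connect with the hardened context and report the negotiated version
    and the certificate subject (network access required)."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"version": tls.version(),
                    "subject": tls.getpeercert()["subject"]}


if __name__ == "__main__":
    print("hardened:", describe(make_client_context()))
    print("weak:    ", describe(make_weak_context()))
    print(probe("example.com"))  # host name is an assumption
```

The same two settings, certificate verification and minimum protocol version, are what to check on the server side as well: a server that still offers SSL 3.0 or TLS 1.0 undoes most of the benefit of moving to HTTPS.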
3.3 Security Protection for Web Servers
Limit the number of accounts on the web server, require adequate password length, and require regular password changes for every account created on it, to prevent misuse.
The web server software itself may have security vulnerabilities, so upgrade to patched versions promptly.
Separate mail, database, and other servers from the web server wherever possible, and remove network services the web server does not need.
Remove shells and interpreters that the web server does not use, so that an attacker who gains a foothold has fewer tools to work with.
Review the server's log files regularly and analyse any suspicious events.
Set the permissions and attributes of the system files on the web server so that the web service account can read only what it must and write nowhere it need not.
Restrict access by client IP address or DNS name where the audience is known.
From a CGI programming perspective, security is paramount. A CGI program must validate every value it receives from the request before using it; this matters more than the choice between compiled and interpreted languages, although a compiled program at least does not expose its source to a visitor. CGI programs should be placed in a separate CGI-BIN directory, independent of the HTML files, so that the server executes scripts only from that directory and never serves their source as a document.
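The following is an added example, not code from the original article, of the CGI flaw 2.1.4 and the paragraph above refer to: a request parameter pasted into a shell command line, shown beside the hardened form that validates the value against an allow-list and builds an argument list that never passes through a shell. The "finger" lookup, the user parameter and the regular expression are assumptions chosen to illustrate the pattern. The vulnerable function only builds the command string; it does not execute it.

```python
# Added example (not from the original article): the command-injection flaw
# typical of early CGI programs, with the validation that fixes it. The
# "finger" lookup, the user parameter and the regular expression are
# assumptions chosen to illustrate the pattern, not code from any real site.
import re
import shlex
from typing import List


def vulnerable_command_line(user: str) -> str:
    """The classic bug: the request value is pasted into a shell command.

    The string returned here is what such a CGI would hand to os.system(),
    so a value like 'alice; cat /etc/passwd' runs a second command.
    """
    return "finger " + user


def commands_in(cmdline: str) -> List[List[str]]:
    """Split a command line the way a POSIX shell would, on ; | & && ||,
    to show how many separate commands an input actually produced."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands: List[List[str]] = []
    current: List[str] = []
    for token in lexer:
        if token in (";", "|", "&", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# Allow-list: lower-case account names, no leading '-' (so the value can
# never be mistaken for an option), no shell metacharacters at all.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_valid_username(user: str) -> bool:
    return USERNAME_RE.fullmatch(user) is not None


def safe_argv(user: str) -> List[str]:
    """Hardened form: validate first, then build an argv list.

    A list passed to subprocess.run() is executed without a shell, so
    even a value that slipped past the check would reach finger as a
    single argument, never as a command line.
    """
    if not is_valid_username(user):
        raise ValueError("rejected user name: %r" % user)
    return ["finger", user]


if __name__ == "__main__":
    for value in ("alice", "alice; cat /etc/passwd"):
        print(repr(value), "->", commands_in(vulnerable_command_line(value)))
        print("  accepted by allow-list:", is_valid_username(value))
```

The two halves of the fix are independent and both are needed: the allow-list rejects anything that is not a plain account name, and the argv form removes the shell from the path entirely, so a future change to the pattern cannot reopen the injection.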
4. Application of Web Server Security Protection Strategies
This section uses the Windows 2000 platform and the IIS web server, both widely deployed at the time, as examples to briefly describe how server-side protection strategies are applied. Windows 2000 has been out of support since 2010; the steps are kept for the principles they illustrate, which carry over to a supported platform.
4.1 Security Strategies for System Installation
When installing Windows 2000, avoid installing unnecessary services and protocols: some services have vulnerabilities, and unneeded protocols consume resources and widen the attack surface. After installation, immediately apply Service Pack 4 (the W2KSP4_CN.exe installer) and install antivirus software.
4.2 Configuration of System Security Policy
Local security policy can be used to restrict anonymous access for local users and to restrict remote users' access to the CD-ROM and floppy drives. Group policy can be used to prevent remote users from sharing the desktop through NetMeeting and to restrict users from performing Windows installation tasks.
4.3 Application of IIS Security Policies
When configuring Internet Information Services (IIS), do not use the default website; delete the default virtual directory mappings, create a new website, and set permissions on its home directory. In general, the site administrator and the Administrator account get Full Control, while all other users, including the anonymous web account, get Read only.
4.4 Configuration of Audit Log Policy
When a fault or incident occurs on Windows 2000, analysing the system logs reveals the server's state before the failure and provides the basis for determining its cause. In general, user logon auditing, HTTP logs, and FTP logs should all be configured.
4.4.1 Setting up the logon audit log
Audit events are categorised as success events and failure events. A success event records that a user obtained permission to access a resource; a failure event records that the attempt was refused. Both are worth keeping: a run of failures followed by a success from the same source is the classic signature of a guessed password.
4.4.2 Setting up HTTP audit logs
In Internet Services Manager, open the properties of the website and configure the logging properties. The log storage location can be changed as needed.
4.4.3 Setting up FTP audit logs
The setup is essentially the same as for HTTP: select the FTP site, configure its logging properties, and change the log storage location.
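The log review that 3.3 and this section ask for is easy to automate. The following is an added example, not code from the original article: a parser for the W3C extended log format that IIS writes for its HTTP and FTP sites, driven by the "#Fields:" line so it follows whatever columns the administrator selected, and a detector that flags two of the patterns 4.4.1 describes in terms of success and failure events: a path-traversal attempt in the requested URI, and a client that accumulates access failures without a success. The log lines are constructed for the example; the field list, addresses and threshold are assumptions.

```python
# Added example (not from the original article): reviewing an IIS W3C
# extended log for the kind of suspicious events 3.3 and 4.4 tell the
# administrator to look for. The log lines below are constructed for the
# example; the field list, the IP addresses and the threshold are assumptions.
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-06-01 08:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-06-01 08:00:01 10.0.0.5 - 80 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2004-06-01 08:00:02 10.0.0.5 - 80 GET /admin/ - 401 Mozilla/4.0+(compatible;+MSIE+6.0)
2004-06-01 08:00:03 10.0.0.5 admin 80 GET /admin/ - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2004-06-01 08:00:10 10.0.0.99 - 80 GET /admin/ - 401 curl/7.10
2004-06-01 08:00:11 10.0.0.99 - 80 GET /admin/ - 401 curl/7.10
2004-06-01 08:00:12 10.0.0.99 - 80 GET /admin/ - 401 curl/7.10
2004-06-01 08:00:13 10.0.0.99 - 80 GET /admin/ - 401 curl/7.10
2004-06-01 08:00:20 10.0.0.77 - 80 GET /scripts/../../winnt/win.ini - 404 Mozilla/4.0
"""

Finding = Tuple[str, str, str]  # (client IP, kind, detail)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request.

    The "#Fields:" directive names the columns, so the parser follows
    whatever field selection was configured in 4.4.2. IIS encodes spaces
    inside a field as '+', so splitting on whitespace is safe. Lines whose
    column count does not match are skipped rather than guessed at.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


FAILED_STATUSES = {"401", "403"}


def suspicious_events(records: List[Dict[str, str]],
                      fail_threshold: int = 3) -> List[Finding]:
    """Flag path-traversal attempts and clients with repeated access failures.

    One 401 followed by a 200 is a user mistyping a password; a burst of
    401s from one address is password guessing and is reported once the
    count reaches fail_threshold.
    """
    findings: List[Finding] = []
    failures: Counter = Counter()
    for r in records:
        ip = r.get("c-ip", "?")
        if ".." in r.get("cs-uri-stem", ""):
            findings.append((ip, "traversal", r["cs-uri-stem"]))
        if r.get("sc-status") in FAILED_STATUSES:
            failures[ip] += 1
    for ip, n in sorted(failures.items()):
        if n >= fail_threshold:
            findings.append((ip, "auth-failures", str(n)))
    return findings


if __name__ == "__main__":
    for finding in suspicious_events(parse_w3c(SAMPLE_LOG)):
        print(*finding)
```

Because the parser keys every record by the field names from the header, the same code runs unchanged over the FTP site's log from 4.4.3; only the detector's notion of "failure" (for FTP, the 530 status rather than 401) needs adjusting.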
4.5 Security Strategies for Webpage Publishing and Downloading
Because the pages on a web server are modified frequently, a sound maintenance procedure is essential to the server's security. Some administrators publish and download pages through a shared directory for convenience, but this is highly insecure, so all shared directories on the web server should be disabled. Page updates should instead be performed over FTP, with Read and Write permissions granted on the FTP site. In the Directory Security settings of the FTP site, set the default for all computers to Denied Access and add the IP address of the management workstation to the exception list, so that only that computer can reach the FTP site, and it can read and write only within the site's directory. Note that FTP sends the password in clear text, so the management workstation should reach the server over a network segment that cannot be sniffed (see 2.3).
5. Conclusion
By discussing web security threats and the specific protections against them, this article aims to guide users in browsing the Internet safely and in configuring web servers securely.

