Release 10.1A: OpenEdge Getting Started:
WebSpeed Essentials


Securing your Web server

Since your Web server is the first computer that users access, it is also the first machine you should secure.

Caution: To ensure that your Web server is secure, install the latest security patches for the operating system and the application running the server.

For a publicly accessible Web site, you should minimize the other services running on this machine. This provides better security, as the fewer things running on this machine, the fewer things can go wrong or be compromised.

You should also read all the Web server’s documentation that deals with security. Most Web servers ship with most security settings disabled. You should go through all the settings and turn off any Web server features that you do not need.

Hiding your Web server type and version

It is good practice to hide the “brand” and version of your Web server process to make it harder for “script-kiddies” to find out which Web server you are using.

To see how your Web server responds, use a Telnet session to access the port that the Web server is listening on. The default port is 80. The following procedure shows the commands to type. Replace hostname with your Web server’s name. Note that when you type GET / HTTP/1.0, it might not be echoed back to you:

To check your Web server response:

  1. Type telnet hostname 80 and press ENTER.
  2. Type GET / HTTP/1.0 and press ENTER twice.

     Note: Be sure to type a space preceding and following the first / in the GET / HTTP/1.0 command.

     The following is echoed back to you:

     HTTP/1.1 200 OK
     Server: Microsoft-IIS/5.1
     Date: Fri, 11 Jul 2003 16:59:53 GMT
     Content-Type: text/html
     . . . HTML text of the default page . . .

In the previous example, you can see that the Web server is Microsoft’s Internet Information Server (IIS) Version 5.1.

If you can modify the HTTP headers, make the Server setting return a generic name, like WebServer. Consult your Web server’s documentation to see if it is possible and how to modify the HTTP headers.
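The following Python script is an added example, not part of the original documentation: it sends the same request as the Telnet procedure above, parses the reply, and reports whether the Server header reveals the product or version. The sample reply is constructed from the IIS example above; any hostname passed on the command line is an assumption.

```python
import socket, sys

# Constructed sample: the reply shown in the procedure above, as raw bytes.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.1\r\n"
    b"Date: Fri, 11 Jul 2003 16:59:53 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n<html>...default page...</html>"
)
KNOWN_PRODUCTS = ("apache", "iis", "microsoft")  # names the text mentions

def fetch_raw_response(host, port=80, timeout=5.0):
    """Send the request the Telnet procedure types and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def parse_headers(raw):
    """Return (status line, {lower-cased header name: value}) from a raw reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def server_banner_verdict(headers):
    """Classify the Server header: missing, generic, or revealing product/version."""
    server = headers.get("server")
    if server is None:
        return "missing"
    if "/" in server or any(ch.isdigit() for ch in server):
        return "reveals-version"   # e.g. Microsoft-IIS/5.1
    if any(p in server.lower() for p in KNOWN_PRODUCTS):
        return "reveals-product"   # product named, version hidden
    return "generic"               # e.g. "WebServer", as recommended above

if __name__ == "__main__":
    raw = fetch_raw_response(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    status, hdrs = parse_headers(raw)
    print(status, "| Server:", hdrs.get("server"), "|", server_banner_verdict(hdrs))
```

Run it with no arguments to see the verdict on the constructed sample, or with your own Web server’s hostname to check the live reply.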

Changing your script directory names

You should not use the standard script directory names. If you have an Apache server, do not use cgi-bin. If you are using Microsoft’s IIS, do not use Scripts. See your Web server documentation for instructions on how to create a different script directory.

Most Web servers also ship with default home pages, as well as demonstration scripts. These generally should be disabled or deleted.

Hiding the CGIIP executable name from the end user

Hiding the WebSpeed Messenger name from the end user also provides a level of security. When you access a WebSpeed application, the URL used will look similar to the following if you are using Windows as the Web server:

http://www.mysite.com/scripts/cgiip.exe/WService=Orders/main.r 

If you are using UNIX, then it will look similar to the following:

http://www.mysite.com/cgi-bin/wspd_cgi.sh/WService=Orders/main.r 

Using the default names is bad security practice because it lets people know what application server you are using, in this case WebSpeed. For example, if you perform a Google search for wspd_cgi.sh or cgiip.exe, you will find many sites using WebSpeed. Some of these are not securely deployed.

Microsoft IIS

If you are using Microsoft IIS, then WebSpeed includes an example file explaining how you can hide the Messenger’s name. It is called cgiip.wsc and, by default, is located in the C:\InetPub\Scripts directory. It is recommended that you rename the file to something that is meaningful only to you, for example, orders.inet. The extension (.inet) must be an unused extension on your machine. You should also delete the cgiip.exe and wsisa.dll Messenger files in the Scripts directory.

If you open the orders.inet file using a text editor, you will see instructions on how to configure IIS to run this script when it is part of the URL.

Note: If you are using IIS 4.x or 5.x, you might find that the Configuration button mentioned in the instructions is disabled. To enable the Configuration button, first choose the Create button just above it.

Use the extension you have chosen (for example, .inet) instead of the .wsc extension mentioned in the instructions.

At the end of the newly created orders.inet file, change the WebSpeed service name from wsbroker1. For the example above, use Orders.

All lines beginning with # are comments. The only required line is the one that references the service name or host and port of the WebSpeed broker.

Assuming that you have changed the Scripts directory to be web, the URL would become:

http://www.mysite.com/web/orders.inet/main.r 

If you have more than one WebSpeed service, then you will need a .inet file for each service.

UNIX

There are many different Web servers available on UNIX. To find out which Web servers Progress Software Corporation has tested and certified, search the Knowledge Center. You can access the Progress Knowledge Center from the Support page at http://www.progress.com/support/index.ssp.

Each of these has different configuration instructions. You should read the documentation supplied by the Web server vendor to determine how to enable CGI applications. Rename the Progress-supplied wspd_cgi.sh to something that is meaningful only to you and change the WebSpeed service name from wsbroker1. If you have changed the cgi-bin directory to web and allowed .inet scripts to be run as CGI programs, then the URL you would use is:

http://www.mysite.com/web/orders.inet/main.r 

Minimizing access to the WebSpeed Messenger Administration tool

If the Messenger Administration tool is enabled, users can see your configuration information. This information can then be used to compromise your application.

To protect this information, you can do one of two things: either disable the feature totally or allow only “trusted” IP addresses to access the Messenger Administration tool.

To totally disable the feature, edit the ubroker.properties file on the Web server and make sure that the AllowMsngrCmds is set to 0 (zero) in the [WebSpeed.Messengers] section and that it is not overridden in any of the [WebSpeed.Messengers.CGIIP], [WebSpeed.Messengers.WSASP], [WebSpeed.Messengers.WSISA], or [WebSpeed.Messengers.WSNSA] sections.

To allow a list of IP addresses to access the Messenger Administration tool, edit the ubroker.properties file on the Web server and set the AllowMsngrCmds to 1 (one) and the wsmAdmIPList to a comma-separated list of IP addresses that are permitted to access the Messenger Administration tool. This needs to be done in the appropriate Messenger section: [WebSpeed.Messengers.CGIIP], [WebSpeed.Messengers.WSASP], [WebSpeed.Messengers.WSISA], or [WebSpeed.Messengers.WSNSA].
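As an added example that is not part of the original documentation, the following Python script audits the AllowMsngrCmds and wsmAdmIPList settings described above across the [WebSpeed.Messengers] section and its four Messenger sub-sections, applying the rule that a sub-section inherits the parent’s value unless it overrides it. The ubroker.properties fragment is constructed; the product’s default for a missing AllowMsngrCmds is not assumed, so such a case is reported as unset.

```python
PARENT_SECTION = "WebSpeed.Messengers"
MESSENGER_SECTIONS = ("WebSpeed.Messengers.CGIIP", "WebSpeed.Messengers.WSASP",
                      "WebSpeed.Messengers.WSISA", "WebSpeed.Messengers.WSNSA")

# Constructed ubroker.properties fragment: the parent section disables Messenger
# commands, but CGIIP re-enables them without an IP list, leaving the tool open.
SAMPLE_PROPERTIES = """\
[WebSpeed.Messengers]
    AllowMsngrCmds=0
    wsmAdmIPList=
[WebSpeed.Messengers.CGIIP]
    AllowMsngrCmds=1
[WebSpeed.Messengers.WSISA]
    AllowMsngrCmds=1
    wsmAdmIPList=10.0.0.5,10.0.0.6
"""

def parse_properties(text):
    """Parse [Section] headers and key=value lines into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit_messenger_admin(text):
    """Return {section: verdict}; a section inherits the parent's values unless
    it overrides them, and a missing AllowMsngrCmds is reported as "unset"."""
    props = parse_properties(text)
    findings = {}
    for name in MESSENGER_SECTIONS:
        effective = dict(props.get(PARENT_SECTION, {}))
        effective.update(props.get(name, {}))          # section overrides parent
        allow = effective.get("AllowMsngrCmds")
        if allow is None:
            findings[name] = "unset"        # no explicit setting anywhere
        elif allow != "1":
            findings[name] = "disabled"
        elif effective.get("wsmAdmIPList", "").strip(", "):
            findings[name] = "restricted"   # trusted IP list in force
        else:
            findings[name] = "OPEN"         # enabled with no IP restriction
    return findings
```

Point audit_messenger_admin at the contents of your own ubroker.properties file; any section reported as OPEN exposes the Messenger Administration tool to every client.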

If the Messenger Administration tool is enabled, you can change the default WebSpeed Messenger Error Messages, as described in OpenEdge Application Server: Developing WebSpeed Applications.

You can also verify your WebSpeed configuration. Use the following URLs to see the Messenger Administration tool:

http://www.mysite.com/scripts/cgiip.exe?WSMAdmin 

or

http://www.mysite.com/cgi-bin/wspd_cgi.sh?WSMAdmin 


Copyright © 2005 Progress Software Corporation
www.progress.com
Voice: (781) 280-4000
Fax: (781) 280-4095