Course 754:
Web Security Foundations

(4 days)

 

Course Description

In this advanced hands-on course, students will learn to enhance security on Web Servers. Students will experience different types of vulnerabilities and the technologies necessary to minimize Web Server exposure. Topics such as Cryptography, Digital Certificates, Public Key Infrastructure (PKI), Service and Application Security, Spyware/Malware, Network Monitoring, and basic Firewall/Proxy Server configuration will be discussed and practiced.

Who Should Attend

This will benefit security administrators, system administrators, network administrators, Web developers, and managers who need to understand how security affects the Web Server platforms on corporate networks.

Suggested Prerequisites

  • Experience with Windows, UNIX, or Linux Operating System Management
  • Experience with Internet Information Server or Apache
  • Ability to read/write basic HTML

Course Outline

Chapter 1: Security Fundamentals

  • Areas of Security: OS, Services, Local and Network Applications, Networking Protocols
  • Workshop: How Good Is Security Out-of-the-Box? Testing with Nessus and NMAP
  • Cryptography Primer: Symmetric, ASymmetric, and Hashing Algorithms
  • Digital Certificates and Public Key Infrastructure
  • Workshop: Digital Signing and Encryption Workshop

Chapter 2: Installing a Web Server

  • Internet Information Server
  • Apache Web Server
  • Workshop: Installing Internet Information Server or Apache
  • Testing Web Server Security
  • Configure Access Logging
  • Workshop: How Good Is Security Out-of-the-Box? Testing with Nessus and NMAP

Chapter 3: Operating System Security

  • System Services: Mapping to Executables/Processes/Port Usage
  • Workshop: Removing Non-Essential Services
  • Authentication between the Web Server and Operating System
  • Web Server to File System Security
  • Workshop: Establishing Web Server to Operating System Security

Chapter 4: Network Security

  • Monitoring Your Network
  • Common Port Usage and Application Identification
  • Workshop: Network Monitoring with Ethereal
  • Defending a Web Server with a Firewall
  • Demonstration: Configuration of a Firewall to Defend a Web Server
  • Defending a Web Server with a Proxy Server
  • Workshop: Configure a Software Proxy Server for Defense

Chapter 5: Understanding Browser to Web Server Communication

  • Monitoring Application Access
  • Workshop: Viewing All Files Used by Applications
  • Web Browser (Internet Explorer, Netscape and Firefox) Security
  • Active Components Presented through Web Browsers
  • Workshop: Defining and Controlling Web Browser Configuration
  • Malware/Spyware
  • Workshop: Detecting and Removing Malware/Spyware

Chapter 6: Securing Web Servers with Cryptography

  • Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
  • Certificate Authorities (CA) and Public Key Infrastructure (PKI)
  • Using SSL/TLS on a Web Server
  • Workshop: Requesting a Digital Certificate from a CA and Enable SSL/TLS
  • Distributing Trust in an Enterprise
  • Installing a Certificate Authority
  • Workshop: Install a Root Certificate Authority and Issue Certificates

Chapter 7: Processing Data on a Web Server

  • Understanding Technologies for Server-Side Processing
  • Examining Risks of CGI, ASP, Server-Side Includes, and Other Server-Side Scripting
  • Workshop: Implement Server-Side Scripts
  • Techniques for Secure Web Coding
  • Running Active Components on Web Servers
  • Connecting Databases to Web Servers
  • Workshop: Establish a Connection from a Web Server to a Back-End Database

Chapter 8: Putting It All Together

  • Review of Key Concepts
  • Workshop: Audit and Secure a Web Server

 *Attendees will be presented with a Windows 2003 Server running IIS or a Linux Server running Apache with multiple security issues. Students must successfully repair the problems and minimize security vulnerabilities.

Please Contact Your ROI Representative to Discuss Course Tailoring!