When Less is More
In the course of our website work, on higher education sites in particular, we have discovered that there is relatively little interest in housekeeping and general maintenance. As a result, we find plenty of examples of practices that can be improved. One practice we run across repeatedly is disclosing too much web server installation information, potentially revealing that a server is running on a dated software release.
Limiting the information disclosed by a server doesn't reduce any vulnerabilities, but it does make the task of attacking the server slightly more difficult and may encourage a potential attacker to move on to an easier target elsewhere. What does reduce vulnerability is prompt installation of updates and patches.
To better understand the current state of higher education web servers we took a look at the servers being used by a group of just over 200 Canadian post-secondary education websites.
Our objectives were threefold:
- We wanted to establish if the higher education web server software population mirrors that of the wider Internet: a mix of Apache, Microsoft IIS and nginx;
- Focusing on good housekeeping practices, we wanted to determine the degree to which these servers disclose too much information about themselves;
- And, as a final housekeeping exercise we wanted to understand the extent to which servers are being maintained on current software releases.
We used our Site Info service to read the server details for the home page URL of each site in the survey group. In practice, many sites run on multiple servers, as well as using external servers to deliver media files and other content. We are able to identify all of these, but we focused our study on a site's primary server. And to be clear, we only examined ‘outward facing data’: data visible to any browser sending an enquiry to the relevant page. We did not attempt to test, probe or evoke non-standard responses from these servers. A typical web server response looks like this [not from a server in our test group]:
You will note that on lines three and four the server discloses the variant of Apache installed, the current release level and the implementation of SSL being used to provide HTTPS connections.
Our first observation is that higher education websites follow the same web server software profile as the wider Internet. Our results show that the servers are clustered into three main groups: versions of Apache, different releases of Microsoft IIS and versions of nginx. We placed the balance of the sites into a fourth group: sites that take great care to mask their server identity, or sites that have made an idiosyncratic web server choice.
Furthermore, a high proportion of the servers we surveyed provide verbose HTTP header responses. In other words, an enquiry yields a response as shown above rather than a terse "Apache", "Microsoft IIS" or "nginx" response.
Of slightly more concern, the prima facie details that web servers provide of their installed release suggest that a high proportion of Apache servers need to be brought up to a more current software release. There are many reasons why servers remain on the release levels we found, but as the caption to Graph 3 indicates, some reported releases are years behind the current stable Apache release.
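As an added illustration of the two observations above (not the Site Info service or any code from the original post), the following Python reads the Server header of constructed sample responses, places each into the survey's four groups, flags verbose headers that disclose a release or bundled module versions, and counts Apache releases that sort before a reference release. The sample responses and the reference release "2.4.0" are placeholders assumed for the example, not a statement of the current stable Apache release.

```python
from typing import NamedTuple, Optional

# Constructed sample responses (not captured from any surveyed server), as a browser would see them.
SAMPLE_RESPONSES = {
    "site-a": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS) mod_ssl/2.2.15 OpenSSL/1.0.1e\r\n\r\n",
    "site-b": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\nX-Powered-By: ASP.NET\r\n\r\n",
    "site-c": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
    "site-d": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}
FAMILIES = [("Apache", "apache"), ("IIS", "microsoft-iis"), ("nginx", "nginx")]

class ServerInfo(NamedTuple):
    family: str             # "Apache", "IIS", "nginx" or "masked/other"
    version: Optional[str]  # disclosed release such as "2.2.15", or None
    verbose: bool           # True when any product/version token is disclosed

def server_header(raw: str) -> Optional[str]:
    """Return the Server header value of a raw HTTP response, or None if absent."""
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def classify(raw: str) -> ServerInfo:
    """Place a response into one of the survey's four groups."""
    tokens = (server_header(raw) or "").split()
    product, _, version = (tokens[0] if tokens else "").partition("/")
    for family, name in FAMILIES:
        if product.lower() == name:
            # bundled module tokens such as "mod_ssl/2.2.15" are disclosure too
            verbose = bool(version) or any("/" in t for t in tokens[1:])
            return ServerInfo(family, version or None, verbose)
    return ServerInfo("masked/other", None, False)

def is_behind(version: Optional[str], reference: str) -> bool:
    """True when a disclosed release sorts before a reference release (numeric parts only)."""
    tup = lambda v: tuple(int(p) for p in v.split(".") if p.isdigit())
    return version is not None and tup(version) < tup(reference)

def survey(responses: dict, apache_reference: str) -> dict:
    """Count families, verbose headers and dated Apache releases, as the text does."""
    counts = {"Apache": 0, "IIS": 0, "nginx": 0, "masked/other": 0}
    verbose = dated = 0
    for raw in responses.values():
        info = classify(raw)
        counts[info.family] += 1
        verbose += info.verbose
        dated += info.family == "Apache" and is_behind(info.version, apache_reference)
    return {"families": counts, "verbose": verbose, "dated_apache": dated}
```

Running `survey(SAMPLE_RESPONSES, "2.4.0")` on the constructed set reports one server per group, two verbose headers, and one Apache release behind the placeholder reference.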
Our first hypothesis seems supported by the evidence we uncovered: higher education institutions have made similar web service choices to other organisations on the Internet. This is hardly a surprising conclusion. While only a minor hold-up to a determined attacker, masking the server details might encourage potential attackers to go elsewhere - and about 40% of the post-secondary education web servers we surveyed have taken this approach. We encourage the balance to do the same.
It is much harder to draw firm conclusions about patch and release management practices from our survey, but the evidence suggests that some sites are slow in upgrading. We understand the complexities of upgrading production servers, particularly in a multi-server environment. But prompt application of software releases can be an effective part of protecting a web server from attack.