Is your web server secure or are you unknowingly allowing access to all of your personal files?
Most universities in the United States provide server space for students and faculty to use for websites, homework, and various other reasons. While a great practice, it also creates a very serious security risk when inexperienced computer users and improperly secured web directories meet. Many students use their personal web space to store resumes, pictures of family, class projects and many other personal items that contain very sensitive information. When the student places these files in an unsecured directory, the files are offered up to anyone who happens to browse the folder. Here is an example of what an unsecured Apache Server directory looks like to someone on the internet who is browsing your personal files after a very simple Google search.
Consider the possible ramifications of a student storing pictures of themselves and a resume that includes their home address, phone number and email address. Those ramifications could be very serious in today’s society with online predators.
There are a few different ways to combat the problem of open or unsecured directories, but the easiest is a slight modification to the httpd.conf file for Apache servers. By default, Apache servers display the contents of a directory if the server does not find an index.html or similarly associated file. To make the needed correction, webmasters should find a line in the httpd.conf file that looks very similar to this:
Options Indexes FollowSymLinks Includes
Remove the term Indexes. Save the httpd.conf file and restart your Apache server.
Now, when an internet visitor navigates to a directory that doesn’t have an associated DirectoryIndex file, the surfer will get a permission denied error instead of a listing of all the files in that directory.
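To check a configuration for the setting described above, the following added example (not part of the original article) scans Apache configuration text for Options lines that turn directory listings on and reports the enclosing section. The sample configuration and the function name find_listing_enabled are constructed for illustration; the scan treats Options All as enabling Indexes and does not follow Include files or .htaccess overrides.

```python
import re

# Constructed sample configuration for illustration only.
SAMPLE_CONF = """\
# main server
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes
</Directory>
<Directory "/home/*/public_html">
    Options -Indexes +FollowSymLinks
</Directory>
<Directory "/srv/files">
    Options All
</Directory>
# Options Indexes
"""

SECTION = re.compile(r"<(/?)(\w+)\s*([^>]*)>")
ENABLING = {"indexes", "+indexes", "all"}  # "All" includes Indexes


def find_listing_enabled(conf_text):
    """Return (line_no, section, directive) for each Options line enabling Indexes."""
    findings = []
    context = ["(server config)"]            # stack of enclosing sections
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        section = SECTION.match(line)
        if section:
            closing, name, args = section.groups()
            if closing:
                if len(context) > 1:
                    context.pop()
            else:
                context.append(f"{name} {args}".strip())
            continue
        parts = line.split()
        # Directive and option names are case-insensitive in Apache.
        if parts[0].lower() == "options":
            if any(flag.lower() in ENABLING for flag in parts[1:]):
                findings.append((line_no, context[-1], line))
    return findings


if __name__ == "__main__":
    for line_no, section, directive in find_listing_enabled(SAMPLE_CONF):
        print(f"line {line_no} [{section}]: {directive}")
```

Every section it reports needs the same edit, since an Options line inside a Directory block applies to that directory tree regardless of what the main server line says.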


