May 16, 2005

Apache 2 safe config on W2K

For testing purposes I have found it convenient to install the free Apache 2 web server software atop Windows 2000 and XP. Apache 2 normally runs as a service atop Windows, and almost any tech knows that adding services to Windows can become a security risk. This little summary attempts to address that concern.

First, make sure the target Windows 2000 (or later) system starts out clean of other services. That is, disable anything else that might otherwise pose a risk, including IIS, FTP, Telnet, etc. Starting clean can simplify troubleshooting in the unlikely event that these techniques do not help protect your system.

Once your system is clean, log in as a local Windows administrator and run the latest apache2[xxx]nossl.msi, from our K: drive or web download, with defaults. This will install Apache onto your Windows PC with default settings. If the PC's name matches what the University thinks it should be in DNS, you will be able to reach your server by name. If you have no valid DNS name or don't know it, don't worry. You can still use the IP address of the PC.

Near the end of the Apache install you may have the opportunity to edit the Apache configuration file:

C:\Program Files\Apache Group\Apache2\conf\httpd.conf

Take it. If you miss the opportunity, open the file with Notepad. In this file you should be able to seek and find the line shown below. Beneath that are entries controlling who can connect to your new Apache server. Change those lines as needed. For example:

# Controls who can get stuff from this server.
# UPDATED on [date] by [your name]
#
order deny,allow
deny from all
allow from 160.94.236.128/25
allow from 160.94.237.128/25
allow from 160.94.141.128/26

then save the file. Now, to activate the changes, stop and restart the Apache service. You can either do this through Start -> Settings -> Control Panel -> Administrative Tools -> Services or by right-clicking the Apache icon by your desktop clock, opening the Apache Service Monitor, clicking Stop, waiting a minute, then clicking Start. Either way, the modified httpd.conf file should now be active.

The IP entries in this Biomed-specific example indicate three partial subnets: 236.128-236.254, 237.128-237.254, and 141.128-141.192. I excluded the Tech Services partial subnet so I could use one such PC to verify that outsiders are blocked. To allow Tech Services in as well, add "allow from 160.94.141.192/26" as a fourth exception to the deny all, save the change, and restart the service again. You can narrow the list of allowed IP addresses to a single subnet, or even to a few specific addresses, by omitting the part after the slash.
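To check what a given deny/allow list actually does before restarting the service, here is an added example (my own code, not part of the original post or of Apache) that parses the access-control lines above and applies Apache 2.0's "order" semantics to a client address. It assumes the entries are only "all", full IPv4 addresses, or address/prefix masks (Apache also accepts partial addresses and host names, which this does not handle), and it also reports the first and last address each mask covers so the list can be compared against the subnet ranges you intended. It goes slightly beyond the post by handling "order allow,deny" as well, to show how the same lists behave differently under the other order.

```python
import ipaddress
# Constructed sample: the same access-control lines the post shows.
HTTPD_CONF_SNIPPET = """
# Controls who can get stuff from this server.
order deny,allow
deny from all
allow from 160.94.236.128/25
allow from 160.94.237.128/25
allow from 160.94.141.128/26
"""

def parse_access_rules(text):
    """Return (order, deny_list, allow_list) from Order/Deny/Allow lines.
    Entries are 'all' or IPv4 networks; a bare address is treated as /32."""
    order, deny, allow = "deny,allow", [], []   # Apache's default Order
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        words = line.split()
        key = words[0].lower()
        if key == "order":
            order = words[1].lower()
        elif key in ("deny", "allow") and words[1].lower() == "from":
            target = deny if key == "deny" else allow
            for entry in words[2:]:
                target.append("all" if entry.lower() == "all"
                              else ipaddress.ip_network(entry, strict=False))
    return order, deny, allow

def _matches(entries, addr):
    return any(e == "all" or addr in e for e in entries)

def is_allowed(rules, client_ip):
    """Apache 2.0 Order semantics. deny,allow: Deny is checked first, then
    Allow; the default is allow and an address in both lists is allowed.
    allow,deny: Allow first, then Deny; default deny, both lists -> denied."""
    order, deny, allow = rules
    addr = ipaddress.ip_address(client_ip)
    denied, allowed = _matches(deny, addr), _matches(allow, addr)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

def network_span(entry):
    """First and last address a mask covers, to check the intended range."""
    net = ipaddress.ip_network(entry, strict=False)
    return str(net[0]), str(net[-1])
```

Run is_allowed(parse_access_rules(HTTPD_CONF_SNIPPET), "160.94.141.200") with a few addresses from inside and outside the listed ranges; network_span("160.94.141.128/26") shows the exact span that /26 grants.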

This is a very simple and limited approach to security, not a proper firewall. It only protects Apache, ignoring any other services you might have installed, so be careful about what extras you add. That said, this can be a great way to experiment with technologies like HTML, XHTML, PHP, Perl, access controls, and a hundred other Apache-specific technologies. The inner workings of the Apache server are nearly identical on Windows and UNIX, so understanding Apache on Windows can give an idea of how some of our production web services work.

Posted by tapli005 at May 16, 2005 9:10 AM