Posted to users@tomcat.apache.org by Nathan Ward <nr...@cox.net> on 2003/08/04 17:05:43 UTC

Why integrate Tomcat with a web server?

I have a question for John Turner about a statement in the book Apache Tomcat Security. 

Page 12 says: 
"As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet."

Question: Does this apply when running under Windows? The reference to "as discussed earlier" talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM, which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with fewer permissions and set up the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under Windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, are there increased security risks in running Tomcat without IIS when running as a service under Windows?

   Nathan

Re: Why integrate Tomcat with a web server?

Posted by John Turner <to...@johnturner.com>.
In my opinion it applies even more so to Windows.

If it was my call, I would never, ever use IIS.  I would rather use 
Tomcat alone on port 80 if Windows was my environment.

Even IIS shouldn't be run with default permissions and access levels. 
Granted, changing this is not for anyone who isn't an advanced Microsoft 
admin, but that doesn't alter the fact that default configurations from 
MSFT, even the new Windows Server 2003, should always be immediately 
suspect until proven otherwise.  I'm not trying to bash MSFT, just 
trying to describe what I consider a best practice.

Security best practice is "deny everything by default, then allow only 
what you absolutely need".  Translated to server admin, that means 
"never run any service that can do anything it wants to do unless there 
is no other alternative".

The statement in the book has less "oomph" on Windows because Windows 
doesn't have the < 1024 port restriction as does UNIX and Linux.  You 
can run a service that doesn't have SYSTEM level access on port 80 on 
Windows without any additional configuration.  This is not true of UNIX 
or Linux.

Either way, running services as root or "SYSTEM" in my mind is a bad 
idea if there is an alternative.  The worst exploit in the world is the 
one that nobody knows about except the guy who just found it.  Better to 
take precautions as much as you can and do the triage up front rather 
than after.  Avoiding configurations where services have admin access is 
just one way to do that, even if on the surface it seems unnecessary.

HTH

John

Nathan Ward wrote:

> I have a question for John Turner about a statement in the book Apache Tomcat Security. 
> 
> Page 12 says: 
> "As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet."
> 
> Question: Does this apply when running under Windows? The reference to "as discussed earlier" talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM, which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with fewer permissions and set up the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under Windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, are there increased security risks in running Tomcat without IIS when running as a service under Windows?
> 
>    Nathan
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
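
Added example (not part of the thread or the book): a PowerShell audit that lists running Windows services that own a listening TCP port and flags the ones whose service account is LocalSystem, the default discussed above. It assumes a current Windows host where `Get-NetTCPConnection` is available and an elevated prompt; nothing in it is specific to a particular Tomcat install.

```powershell
# Added example: which listening services run as SYSTEM?
# Assumptions: elevated PowerShell, Windows 8 / Server 2012 or later
# (Get-NetTCPConnection ships with the NetTCPIP module on those releases).

# Service accounts treated as over-privileged for a network-facing service.
$highPrivilege = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

# Map owning process id (as a string key) -> listening TCP sockets.
$listeners = Get-NetTCPConnection -State Listen |
    Group-Object -Property OwningProcess -AsHashTable -AsString
if (-not $listeners) { $listeners = @{} }

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter "State='Running'") {
    $key = [string]$svc.ProcessId
    if (-not $listeners.ContainsKey($key)) { continue }   # service has no listening socket

    [pscustomobject]@{
        Service      = $svc.Name
        Account      = $svc.StartName          # e.g. LocalSystem, NT AUTHORITY\NetworkService, .\someuser
        ProcessId    = $svc.ProcessId
        # Services sharing one svchost.exe share its ports, so a port may be
        # listed against several services in the same process.
        Ports        = ($listeners[$key].LocalPort | Sort-Object -Unique) -join ','
        RunsAsSystem = $highPrivilege -contains $svc.StartName
    }
}

# SYSTEM-level listeners first: these are the candidates for a dedicated
# low-privilege service account.
$report | Sort-Object -Property RunsAsSystem -Descending | Format-Table -AutoSize
```

A Tomcat service that appears with `RunsAsSystem` set to `True` is running with the default account rather than the restricted user account described in the question.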


Is it possible to use Tomcat realms if...

Posted by Daniel Kowalik <da...@reuters.pl>.
Hi, 
...if Tomcat is running behind Apache httpd? I just want to get rid of
.htaccess files.

Bests
daniel

