Heroes Happen Here Launch Events Attend the upcoming launch of three powerful new products, take a test drive, meet the teams, and leave with promotional copies of Windows Server 2008, Microsoft SQL Server 2008, and Microsoft Visual Studio 2008. Register here. »   Install What You Need with Windows Server 2008 Windows Server 2008 is Microsofts most full-featured server operating system yet, so it's ironic that one of its most exciting new features is an install option that cuts out most of the other features. Paul Rubens explores why a Server Core installation makes a great deal of sense in many instances. »   Simplify Big Business IT for Small and Midsize Companies Windows Small Business Server 2008 and Windows Essential Business Server 2008 deliver all-in-one solutions to help fuel growth for customers and partners. »   Q&A with Bob Muglia: Senior VP, Server and Tools Division Bob Muglia, senior vice president, Server and Tools Division, discusses Microsofts new interoperability principles and the steps the company is taking to increase the openness of its products. »   Q&A with Lutz Ziob, GM of Microsoft Learning Lutz Ziob, the general manager of Microsoft Learning, talks about how IT professionals can become certified heroes within their enterprises by getting trained and certified in Windows Server 2008. »

"Long ago and far away
Maxwell felt the need one day
For a Demon, scarce as high
As the atoms going by.
Over heat he gave it sway,
Making warmth go either way
From the vector Nature gave.
Maxwell's Demon, come and save!"
     -- Christopher Stasheff, Her Majesty's Wizard

Chances are that your Web site has at least a few pages that you really don't want published to the Internet at large. How do you keep the Black Hats from seeing them, whilst not impeding the access of the White Hats who need the pages?

What Apache Security Won't Help
At the time I'm writing this (February 2000), there's a lot of current-events news about major Web sites being taken down temporarily by denial-of-service (DoS) attacks. The specific attack type in question cannot be stopped by Apache, even though it may be aimed at the Web site. Apache is just a software application running on the system; these attacks are aimed at the systems themselves. As someone has pointed out, "If you have 1GB/s heading for your server then the pipe is going to saturate before Apache even gets a chance to see the packets."

But for less extreme cases, Apache's implementation of the Web security mechanisms, when properly implemented, should be more than adequate to protect your sensitive pages from exposure.

Assumptions in This Article
For the rest of this article, I'm going to make the following assumptions:

1. your Apache source tree starts at ./apache-1.3/
2. your Apache ServerRoot is /usr/local/web/apache
3. your Apache DocumentRoot is /usr/local/web/htdocs
4. the username under which Apache runs (the value of the User directive in your httpd.conf file) is nobody

All of the cd and other shell commands in this article that refer to directories use these locations.

Next: Mandatory Versus Discretionary Access Control »