By jyri on Apr 25, 2006
"'Best practice' is intended as a default policy for those who don’t have the necessary data or training to do a reasonable risk assessment."
A quote from Prof. Eugene Spafford's recent article on Security Myths and Passwords.
Unfortunately, reality tends to be worse than the quote suggests. If "best practices" really were reasonable defaults to fall back on in the absence of a risk assessment, following them would do no harm beyond the opportunity cost of spending resources on the wrong problem. In reality, as Eugene's full article shows, such mythical best practices can make the overall security of a system worse through unintended consequences elsewhere. For plenty more accounts of ill-conceived practices, read Bruce Schneier's Crypto-Gram newsletter.
As web server security is the main topic of this blog, it is useful to learn from these worst practices. Most of my entries focus on the use or configuration of some small piece of the server. However, the security of your system is precisely that: the security of the system as a whole. Attackers will happily exploit the weakest link rather than the potential vulnerability you happened to be thinking about.
When securing your web server, or any system, spend time thinking critically about the effect of every policy and configuration change on the entire system, not only on the small piece of it that you happen to be changing that day.