Here are 20 things you can do to make your apache configuration more secure.

Disclaimer: The thing about security is that there are no guarantees or absolutes. These suggestions should make your server a bit tighter, but don’t think your server is necessarily secure after following these suggestions.

Additionally some of these suggestions may decrease performance, or cause problems due to your environment. It is up to you to determine if any of the changes I suggest are not compatible with your requirements. In other words proceed at your own risk.

First, make sure you’ve installed latest security patches

There is no sense in putting locks on the windows, if your door is wide open. As such, if you’re not patched up there isn’t really much point in continuing any longer on this list.

Hide the Apache Version number, and other sensitive information.

By default many Apache installations tell the world what version of Apache you’re running, what operating system/version you’re running, and even what Apache Modules are installed on the server. Attackers can use this information to their advantage when performing an attack. It also sends the message that you have left most defaults alone.

There are two directives that you need to add, or edit in your httpd.conf file:

ServerSignature Off
ServerTokens Prod

The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it to Prod it sets the HTTP response header as follows:

Server: Apache

If you’re super paranoid you could change this to something other than “Apache” by editing the source code, or by using mod_security (see below).

Make sure apache is running under its own user account and group

Several apache installations have it run as the user nobody. So suppose both Apache, and your mail server were running as nobody an attack through Apache may allow the mail server to also be compromised, and vise versa.

User apache
Group apache

Ensure that files outside the web root are not served

We don’t want apache to be able to access any files out side of its web root. So assuming all your web sites are placed under one directory (we will call this /web), you would set it up as follows:

<Directory />
  Order Deny,Allow
  Deny from all
  Options None
  AllowOverride None
</Directory>
<Directory /web>
  Order Allow,Deny
  Allow from all
</Directory>

Note that because we set Options None and AllowOverride None this will turn off all options and overrides for the server. You now have to add them explicitly for each directory that requires an Option or Override.

Turn off directory browsing

You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes

Options -Indexes

Turn off server side includes

This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes

Options -Includes

Turn off CGI execution

If you’re not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI

Options -ExecCGI

Don’t allow apache to follow symbolic links

This can again can be done using the Options directive inside a Directory tag. Set Options to either None or -FollowSymLinks

Options -FollowSymLinks

Turning off multiple Options

If you want to turn off all Options simply use:

Options None

If you only want to turn off some separate each option with a space in your Options directive:

Options -ExecCGI -FollowSymLinks -Indexes

Turn off support for .htaccess files

This is done in a Directory tag but with the AllowOverride directive. Set it to None.

AllowOverride None

If you require Overrides ensure that they cannot be downloaded, and/or change the name to something other than .htaccess. For example we could change it to .httpdoverride, and block all files that start with .ht from being downloaded as follows:

AccessFileName .httpdoverride
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

Run mod_security

mod_security is a super handy Apache module written by Ivan Ristic, the author of Apache Security from O’Reilly press.

You can do the following with mod_security:

• Simple filtering
• Regular Expression based filtering
• URL Encoding Validation
• Unicode Encoding Validation
• Auditing
• Null byte attack prevention
• Upload memory limits
• Server identity masking
• Built in Chroot support
• And more

Disable any unnecessary modules

Apache typically comes with several modules installed. Go through the apache module documentation and learn what each module you have enabled actually does. Many times you will find that you don’t need to have the said module enabled.

Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line. To search for modules run:

grep LoadModule httpd.conf

Here are some modules that are typically enabled but often not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.

Make sure only root has read access to apache’s config and binaries

This can be done assuming your apache installation is located at /usr/local/apache as follows:

chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

Lower the Timeout value

By default the Timeout directive is set to 300 seconds. You can decrease help mitigate the potential effects of a denial of service attack.

Timeout 45

Limiting large requests

Apache has several directives that allow you to limit the size of a request, this can also be useful for mitigating the effects of a denial of service attack.

A good place to start is the LimitRequestBody directive. This directive is set to unlimited by default. If you are allowing file uploads of no larger than 1MB, you could set this setting to something like:

LimitRequestBody 1048576

If you’re not allowing file uploads you can set it even smaller.

Some other directives to look at are LimitRequestFields, LimitRequestFieldSize and LimitRequestLine. These directives are set to a reasonable defaults for most servers, but you may want to tweak them to best fit your needs. See the documentation for more info.

Limiting the size of an XML Body

If you’re running mod_dav (typically used with subversion) then you may want to limit the max size of an XML request body. The LimitXMLRequestBody directive is only available on Apache 2, and its default value is 1 million bytes (approx 1mb). Many tutorials will have you set this value to 0 which means files of any size may be uploaded, which may be necessary if you’re using WebDAV to upload large files, but if you’re simply using it for source control, you can probably get away with setting an upper bound, such as 10mb:

LimitXMLRequestBody 10485760

Limiting Concurrency

Apache has several configuration settings that can be used to adjust handling of concurrent requests. The MaxClients is the maximum number of child processes that will be created to serve requests. This may be set too high if your server doesn’t have enough memory to handle a large number of concurrent requests.

Other directives such as MaxSpareServers, MaxRequestsPerChild, and on Apache2 ThreadsPerChild, ServerLimit, and MaxSpareThreads are important to adjust to match your operating system, and hardware.

Restricting Access by IP

If you have a resource that should only by accessed by a certain network, or IP address you can enforce this in your apache configuration. For instance if you want to restrict access to your intranet to allow only the 176.16 network:

Order Deny,Allow
Deny from all
Allow from 176.16.0.0/16

Or by IP:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Adjusting KeepAlive settings

According to the Apache documentation using HTTP Keep Alive’s can improve client performance by as much as 50%, so be careful before changing these settings, you will be trading performance for a slight denial of service mitigation.

KeepAlive’s are turned on by default and you should leave them on, but you may consider changing the MaxKeepAliveRequests which defaults to 100, and the KeepAliveTimeout which defaults to 15. Analyze your log files to determine the appropriate values.

Run Apache in a Chroot environment

chroot allows you to run a program in its own isolated jail. This prevents a break in on one service from being able to effect anything else on the server.

It can be fairly tricky to set this up using chroot due to library dependencies. I mentioned above that the mod_security module has built in chroot support. It makes the process as simple as adding a mod_security directive to your configuration:

SecChrootDir /chroot/apache

There are however some caveats however, so check out the docs for more info.

Acknowledgments

I have found the book Apache Security to be a highly valuable resource for securing an apache web server. Some of the suggestions listed above were inspired by this book.

Now what do we do?

Apply a tried and true multi phase approach .. assess current state, determine desired target state, perform a gap analysis, implement improvements based on priority. Basically we need to establish current state, determine what future state should be, and use the gap analysis as the deliverables of the IT security program. There may be many trade-offs that are made due to limiters like political challenges, funding constraints and difficulty in changing corporate culture. The plan you build with the business gives you the ammunition needed to persuade all your stakeholders of the value in the changes you’ll be proposing.

1. Understand the Current Environment

For a manager or enterprise architect to determine where to start, a current state must be known. This is basically an inventory of what IT security controls, people and processes are in place. This inventory is used to determine what immediately known risks and gaps from relevant security control frameworks exist. The known risks and gaps gives us a starting point to understand where impacts on the business may originate from.

Take the opportunity to socialize foundational security concepts with your new business owners and solicit their input. What are the security related concerns they have? If there has been any articulation of Strengths, Weaknesses, Opportunities, and Threats (SWOT), obtaining that review can also give you an idea of weaknesses or threats that are indicative of missing controls. In the discussions with your new constituents, talk to the infrastructure managers and ask them what security related concerns keep them awake at night – there is likely some awareness but they don’t know how to move forward. Keep in mind most organizations will want a pragmatic approach versus an ivory tower perfect target state.

Some simple questions can quickly give you a picture of the state of security controls. For example, in organizations I’ve worked with, the network administrators could not provide me a complete “layer three” diagram – a diagram that shows all the network segments and how they hang together. It wasn’t that they didn’t want to, the diagrams simply didn’t exist. With over 1,500 network nodes over two data centers and two office complexes, the network group had the topology and configuration “in their heads”. Obvious weaknesses and threats include prevention of succession planning or disaster recovery, poor security transparency, and making nearly any change to the environment higher risk than necessary.

Another example is an organization that had weak asset control. At any point in time it was nearly impossible to determine if unauthorized network nodes existed, since the workstation, notebook, server, virtual machine, switches, firewalls, printers and any other network connected equipment were tracked separately, if at all. No regular audits were performed to reconcile what the organization had purchased was actually what was connected to their networks. This points to weak change control and weak asset control. Without strong asset control, it is difficult to offer assurance to the business owners that serious vulnerabilities have been mitigated to a level they can accept.

Ensure you’re asking questions that will allow you to develop future metrics, such as:

• Do security controls that are in place generate measurable performance statistics?
• How many user accounts are added, disabled, deleted per day/week/month/quarter?
• What volume of inbound email is spam/malware?
• Does the operations team have baselines of normal network, system, application activity?
• Profile of user accounts – how many are inactive (say 90 days)
• How automated is the new hire, dehire, change process? Is there room for manual error?
• How many administrator accounts are there (percentage of all accounts)
• What degree of individual user accountability is there? Are there signed acceptable use agreements?
• Are there accurate network topology and security zone as-built diagrams?
• Is there clear segregation of assets that contain high value data?
• Are content filtering and malware controls deployed?

All these identified issues can then be dropped into a mind map or even a spreadsheet to visualize the highest risks. More on this in a minute.

2. Determine Target State

Next there must be a clear understanding of business goals, since IT (and IT security) always needs traceability back to the goals of a business. Application of good architecture practice then leads to being able to generate a ‘future state’ and a gap analysis. You don’t have time for a full heavy weight analysis, so a good place to start here is to identify what external regulatory compliance mandates exist – there likely are multiples. For example, financial integrity and reporting requirements (SOX / CSOX / JSOX / GLB / Basel / PCI-DSS), privacy (CA-SB-1384, PIPA), critical infrastructure (NERC CIP), government IT systems (FISMA), and health records (HIPAA). Over and above the external regulatory requirements, there may also be a requirement for voluntary or internal compliance mandates, such as corporate policy compliance.

Keep in mind that where a framework like ISO 27002 or NIST SP 800-53 is used, there may be some latitude. For example, your organization may decide that some controls in the framework are not applicable, and exclude them.  So a “C” or “C+” may be as good as your organization wants to get. That’s ok, as long as it’s a concerted decision and you can still hit your mandatory targets.

This is an area where there may a need for substantial effort, so using a common security control framework like ISO 27002 or NIST 800-53 can give a somewhat logical progression of capability maturity that you can build on to close the gaps and start to get a better foundation in place that allows your IT security program to be sustainable. The other benefit to getting to know a good framework is that many compliance mandates are attainable by using the controls in these frameworks – although you may need to adjust a little here or there. The frameworks also act as a checklist for areas to ensure are addressed adequately for your organization.

While using your chosen control framework, also consider a capability maturity level, such as what is outlined in the Carnegie Mellon software Capability Maturity Model (CMM). Where you find deficiencies, choosing controls and configurations that phase in a new control gradually over some predetermined period of time versus expecting a sudden transition from low capability to high capability allows the organization to adapt and culturalize the new controls.

I would suggest using the control framework categories so you can cross reference the issues you’ve uncovered to controls in the framework – you’ll use this to help triage what needs to be focused on first, while helping to capture that data in a way you’ll use for the long term plan.

3. Assess Highest Risks and Identify Operational Wins (gap analysis)

A successful security plan includes executive endorsement of policy, standards, procedures and guidelines. That said, start with the highest risks you identified in step one. Especially the risks that have simple or inexpensive controls that would work. Remember to integrate metrics where possible to enable feedback and improvement. See www.securitymetrics.org for examples of good metrics.

Ensure you are improving:

• Situational awareness (logging, monitoring, reporting and visibility)
• Response capability to Computer Security Incidents
• Long term security controls (build the foundation so you’re not always fighting fires)

There are several assessment methodologies available, including the NSA IAM, Canadian RCMP TRA and Open Source Risk Assessment toolkits and methodologies.

4. Implement Controls to Mitigate Risks

Long term you want to introduce a way to reduce the daily crisis response, by building up the foundational maturity of the organization’s security controls. Short term you need to get some of the major issues and exposures fixed.

Finally changes to process and possibly organization can complete the ability of IT security to stay evergreen (sustainable). Once you’ve made some changes to the environment, it’s important to ensure there is management metrics and process implemented to sustain the changes you’ve made. For instance, if an asset inventory has been done, the value of that goes out the window if there is no measurable, enforceable process to keep the inventory accurate.

Work the evaluation process with your stakeholders and senior management to ensure you are building your roadmap with their support. Laying out a long term plan and showing where you are in the plan will allow you to get increased executive buy-in for more expensive and possibly organizational changes.

You will find that the focus on issues, from whatever source they have been discovered (Architecture Assessments through actual Security Incidents), will tend to be on the highest criticality. This will result in projects or funding for efforts to close a particular issue or exposure – but still results in fire-fighting. You need over the term of your 90 days to ensure you socialize the IT Security Program framework that includes short-term fire-fighting (Urgent) -AND- long term (Foundational) work. This is more than a simple compliance mandate, since companies can be fully compliant with all regulatory mandates, but still get pwned. A rational application of a framework like ISO 27002 or NIST SP 800-53 can result in compliance success and good security.

You will be presented with “stakeholders” that insist on massively grand Total Cost of Ownership (TCO) or foundational Security Policy work, but you must resist such efforts that will undermine and ultimately defeat good security.

This is a plan that I’ve found helpful to survive the first 90 days and possibly build and maintain a positive working relationship with your senior management as they see value in the IT security program. At that point you will have an IT security program that actually works for the organization and is cost effective.

5. Publish a Schedule of Audits

Once some of the foundational controls are in place, gain acceptance and buy-in from your constituents through the use of a well known internal audit schedule. This will help to confirm the effectiveness of steps 1 through 4 and helps in reducing the amount of effort required to perform audits for regulatory mandate compliance proof. In some cases, you may be able to combine these audits, although what you are trying to do here is ensure all the controls you have put into place are functioning as expected, while external audits may not go that deep.

Once you have these steps in place, your security posture will improve and you will experience less fire-drills around suspected incidents.

Assessment / Attack Tools

Web Application Attack and Audit Framework (w3af)  w3af.sourceforge.net

IBM Rational AppScan  www-01.ibm.com/software/awdtools/appscan

Samurai Web Testing Framework samurai.inguardians.com

Visualization Tools

SecViz Security Visualization (davix) www.secviz.org/node/89

Password Tools

L0phtcrack  www.l0phtcrack.com

Forensics

V3RITY Oracle Database Forensics (www.v3rity.com/v3rity.php)  – "V3RITY is a tool that can be used in an Oracle forensics investigation of a suspected breach. It is the first of its kind and is currently in the beta stages of development."

Connect to the database via your favorite GUI (phpMyAdmin, Navicat) or command line with either the WordPress role account or any other MySQL user account with select and update privileges on the WordPress database:

update wp_x_users set user_pass = MD5('123abc890') where user_login = 'administrator';

This will update the password for user ‘administrator’ to ’123abc890′.  Once this has completed, either flush the wp_x_users table or exit the tool used to access the database to cause the updates to be committed.  Sign into WordPress with the new password and optionally change the password via the user interface.

This is too fine for words.

After working through successively newer notebooks (iBook, PowerBook, MacBook Pro), I have recently upgraded my first gen MacBook Pro to a new uni-body MBP. All the way through the online store (with the complication of being a grad student and navigating the education part of the online store), the process was pretty painless. But the real wow was when my new MBP showed up three weeks ago and I decided to use the Migrate function to just suck the contents of my old MBP to my shiny new uni-body MBP (thanks for the encouragement, Jonathan). I figured since I didn’t have the time or energy to setup another computer from scratch, I would try this migrate feature – with a heavy dose of battle earned skepticism. When I turned on the power on my new MBP, it seamlessly guided me through the setup .. and asked me if I wanted to migrate from an existing Mac or even a TimeMachine backup of a Mac.  I said yes, hooked the old and the new together .. fully expecting this to not end well and have to restart some install process.  Well a little while later, the migrate was done .. I restarted my new MBP (didn’t have to), and it looked exactly like my old MBP. All of my Applications were there. All my documents where there. iTunes was there. iPhoto was there. The positioning of the icons and documents on my desktop was exactly like my old MBP. Wow. A migrate function that actually worked.  Really. All the way.  Ok, well I did have to re-setup my home wireless connection .. for some reason that didn’t seem to come across, but with the totally customized settings I use, I’m not too surprised although it only added about 120 seconds onto my migrate time.

So at the time I’m writing this, Apple has announced the next generation of the MacBook Pro (the Intel i5 and i7 processors).  Since I’ve only had my shiny new uni-body MBP for a week, I call the folks at Apple and speak to a very pleasant customer service rep (send me an email or website message and I’ll forward his name), who not only cheerfully agrees to accept my new MBP back, but helps me order the new generation. They waived the return shipping and any refurbishment fees, as well as the express shipping for the new unit to me.  Gives me his direct line so if the Apple provided UPS return sticker expires before I get the old-new MBP migrated to the new-new MBP, I can call and get a new label. All this (and I ordered a new mouse) and they refunded a net of nearly $900 back to my credit card.

Well, I’ve just finished the migrate from the old-new MBP to my new-new MBP and again, it was seamless. I don’t think I’ll rebuild a new Mac from scratch any more – this is just too fine for words.  So I can get back to my Master’s thesis and life in general, and not worry about the software out there that is half baked or just barely good enough to get by .. with lots of manual care and feeding.

Thanks Steve and crew – this is why I’m an Apple shareholder.

Initially I followed the guidance at sanity, inc.”How to OS X Leopard Screen Sharing with Linux“, on Ubuntu I installed tightvnc:

apt-get install tightvncserver

Then tested it out by starting up the vnc server on the Ubuntu system as the user I want to run the remote session as:

tightvncserver -geometry 1024x700 -depth 24 :1

As tightvncserver starts up the VNC service, it will check for a .vncpasswd file in the user home directory. If it doesn’t exist, you will be prompted for a password to use to protect the remote session.  Note VNC is not designed to be used for multi-user remote access.
On the Mac, rather than use Bonjour to automatically discover the Ubuntu screen sharing service, I just referred to the VNC session directly within Finder which invokes the built in VNC viewer. Enter the VNC session password when prompted and the Ubuntu desktop is displayed. Within Finder, either use Go -> Connect to Server or Apple-K to bring up the Connect to Server window.  The server address is the URL that points to the Ubuntu VNC instance vnc://10.10.1.2:5901 where the port is 5900 + the display number specified when starting up the tightvncserver (5901).

This all worked fantastic, except for the keyboard mapping within Gnome – it was scrambled.  After googling several possible solutions, the only one that was successful for me was to disable the keyboard plugin in Gnome

Amit Gurdasani wrote on 2008-04-28: #51

I’ve also encountered this issue with TightVNC and the hardy release. My solution was to capture the xmodmap -pke output as ${HOME}/.Xmodmap at the login screen (DISPLAY=:0 XAUTHORITY=/var/lib/gdm/:0.Xauth sudo xmodmap -pke > ${HOME}/.Xmodmap). When gnome-settings-daemon starts up and finds an .Xmodmap, it asks if it should be loaded — I answer yes. As a side effect, if gnome-settings-daemon were to be restarted without the .Xmodmap, it’d scramble the keyboard layout again. With an .Xmodmap in place, it’ll load the .Xmodmap every time.

Due to another issue (#199245, gnome-settings-daemon crashing with BadWindow every time a window is mapped), I disabled the keyboard plugin using gconf-editor, at /apps/gnome_settings_daemon/plugins/keyboard. Since it’s not being loaded, I suspect it might not garble the layout even if I remove the .Xmodmap now.

So maybe disabling the keyboard plugin is a better fix.

On the Ubuntu system, invoke the Gnome configuration editor (gconf-editor on command line), then navigate to apps -> gnome_settings_daemon -> plugins -> keyboard uncheck the Active keyword.  Kill the VNC daemon and relaunch it – problem fixed.

pkill vnc
tightvncserver -geometry 1024x700 -depth 24 :1

Various methods exist to automatically start and kill the VNC server, but for now this will do it for me.

Basically what you should be doing is:

1. Ensure that a hardware firewall/router is in between the internet and the PC (I’ll just call it a firewall from now on)
   • Use a recognized brand name like Linksys, avoid the no-name generics as they often have bad defaults and don’t implement the stateful-packet-inspection that you want to filter out most of the cruft on the Internet from reaching your PC
2. Ensure all default passwords on the firewall and PC have been changed
   • When you initially turn on the power to your PC and to your firewall, do NOT have them connected to your cable or DSL modem initially.  Do the setup of your firewall and PC first in order to ensure malware doesn’t have a chance to get at your shiny new PC before you’ve turned on the needed protection
   • Point a browser to your firewall (likely 192.168.0.1 or 192.168.1.1) and change the default administrator password.  This is very important, as some malware will seek out your firewall and try to use the manufacturer default password to change things like your DNS server settings – inserting the bad guys in between you and the rest of the Internet (eg. forcing your traffic to them first before it goes to your bank)
3. All normal accounts used for day-to-day business on the computer should NOT have administrator privilege (see my post on running without admin privileges)
   • On Windows XP, Vista (and I think 7), the default “user” that accesses the PC has full administrative privilege, that enables software  installation and configuration changes.  This is very dangerous, as malware that you come in contact with from infected emails or websites use this privilege to install their spyware, keyloggers, backdoors and other nasty stuff on your PC – without your explicit permission
   • Set a password for your Administrator account
   • Create a new user right away, before you setup your email, music, photos, documents, etc; ensure that new user is NOT a Computer Administrator
   • Always login with this non-Administrator username for your day-to-day use; only use the Computer Administrator username for software installation and configuration changes.
4. Never surf the Internet with an account that has administrative privilege
5. If this is a common PC for a business, ensure employees accounts are individually assigned (if practical). Ensure those employee accounts are not administrators (unless there is a need and a high degree of trust)
6. Run a good commercial anti-virus program with annual software support (or a subscription)
   • There are some good free AV packages (AVG, Clamwin, Avast) .. Google them for the links
   • Sophos makes a good Mac AV package .. yes, Macs are vulnerable to malware as well; it’s just not as prevalent
7. Finally ensure regular (daily) backups are being run to protect your business, financial, customer information from loss if there is a problem with the PC
8. For setup of your wireless access point (if you have one .. sometimes it’s built into the router/firewall)
   • Chose wireless encryption of at least WPA or WPA2 .. never use WEP or no encryption
   • There is no significant increase in security by obscuring your network name (SSID)
   • Don’t use any personally identifiable information in your network name

If you are unsure of how to do any of these steps, get one of your computer knowledgeable friends to help you.  Of course if you are purchasing a new system right now, I’d strongly recommend you check out Apple’s Mac products.  They’re not immune to malware, but the architecture and core are by design much less vulnerable to the types of malware that plague Windows.

I came across a tool that one of my clients uses called FreeMind – it’s a Java app that allows you to enter a number of text elements and reorganize them in a hierarchical fashion.

FreeMind example

Ok, one can do that with an unstructured word processor document or a spreadsheet, but FreeMind allows you to dump all these random ideas onto the page then drag and drop into categories or tags that make sense as you’re rearranging the elements.

So after about an hour of dropping in ideas around areas of improvement for the IT security of one of my clients, I had over 250 elements organized into 8 high level categories and about 18 subcategories. It was grouped well enough to lead discussions on what the current priorities for their programmes should be. If I had attempted this in a spreadsheet (and I had) it would have taken hours and untold frustration – not to mention I probably would have missed relationships that I could see in FreeMind.

If I had attempted this in a spreadsheet (and I had) it would have taken hours and untold frustration

FreeMind icons

You can add icons to each element to make labeling and categorization easier. Best to check out the FreeMind home page as it is a feature rich tool. From the project Wiki, typical uses include:

• Keeping track of projects, including subtasks, state of subtasks and time recording
• Project workplace, including links to necessary files, executables, source of information and of course information
• Workplace for internet research using Google and other sources
• Keeping a collection of small or middle sized notes with links on some area which expands as needed. Such a collection of notes is sometimes called knowledge base.
• Essay writing and brainstorming, using colors to show which essays are open, completed, not yet started etc, using size of nodes to indicate size of essays. I don’t have one map for one essay, I have one map for all essays. I move parts of some essays to other when it seems appropriate.
• Keeping a small database of something with structure that is either very dynamic or not known in advance. The main disadvantage of such approach when compared to traditional database applications are poor query possibilities, but I use it that way anyway – contacts, recipes, medical records etc. You learn about the structure from the additional data items you enter. For example, different medical records use different structure and you do not have to analyze all the possible structures before you enter the first medical record.
• Commented internet favorites or bookmarks, with colors and fonts having the meaning you want

What a great tool .. I’m sure I’ll find more uses for it!