Numerous incidents of hacking attacks have demonstrated that among the most crucial issues to any business with an online presence is web server security. Web servers are among the most targeted areas of an organization due to the fact that they host sensitive data.
Keeping a web server secure is as essential as keeping a web application or website and the network surrounding it secure. If either one of these aspects is not well secured, your business is at peril.
Even though keeping a web server secure seems like an overwhelming task that needs the expertise of a specialist, it is not impossible. Conducting painstaking research now can stave off data breaches in the future.
Irrespective of the operating system or web server software you use, an out-of-the-box configuration is typically insecure. It is therefore imperative that you take precautionary measures to ensure your web server is secure. The following are some tasks that are essential to securing a web server.
Eliminating Unnecessary Services
You can’t bank your security on default configurations and system installations. Typical default installations come with numerous network services that will not be used in the configuration of web servers. These network services include the RAS, print server service, remote registry services, etc.
Having many services running on an operating system means that more ports will be left open, which results in more potential avenues for malicious users to exploit. All unnecessary services should be switched off. They should also be disabled to ensure that they don’t automatically start when the system is rebooted.
Additionally, switching off these services gives your server an extra boost in performance by freeing up hardware resources.
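The link between running services and open ports can be checked directly. The following is an added example, not part of the original article: it compares the listening sockets reported by `ss -tlnp` on a Linux server against a port allowlist. The sample output and the allowlist are constructed assumptions.

```python
import re

# Constructed sample of `ss -tlnp` output from a hypothetical Linux web server.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=812,fd=6))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=812,fd=7))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=700,fd=3))
LISTEN 0      5            0.0.0.0:631       0.0.0.0:*     users:(("cupsd",pid=650,fd=7))
LISTEN 0      244        127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=900,fd=5))
LISTEN 0      4096            [::]:111          [::]:*     users:(("rpcbind",pid=600,fd=4))
"""

# Assumption: the only ports this web server is meant to expose.
ALLOWED_PORTS = {22, 80, 443}


def unexpected_listeners(ss_output, allowed_ports=ALLOWED_PORTS):
    """Return (address, port, process) for every network-reachable
    listener whose port is not on the allowlist."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        address, _, port = fields[3].rpartition(":")
        if address.startswith("127.") or address == "[::1]":
            continue  # loopback only, not reachable from the network
        match = re.search(r'\(\("([^"]+)"', line)
        process = match.group(1) if match else "unknown"
        if int(port) not in allowed_ports:
            findings.append((address, int(port), process))
    return findings


if __name__ == "__main__":
    for address, port, process in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {process} on {address}:{port}")
```

Each finding is a candidate for being stopped and disabled, for example the print service (cupsd) in the sample.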
Having a Separate Development, Testing or Production Environment
Developers find it easier and faster to develop an up-to-date version of a web application on the production server. Therefore, developing and testing of web applications are frequently done directly on production servers.
As a result, newer versions of specific websites are usually available on the internet before they are ready. The same applies to some content that should not be publicly available, e.g. directories such as /new/, /test/, or other subdirectories.
Such web applications typically handle exceptions poorly, lack input validation, and have numerous vulnerabilities, which can be easily discovered and exploited by malicious users.
Developers build specific internal applications that provide privileged web application access that normal anonymous users would not have. Applications of this type do not have restrictions because they are meant to only be accessed by developers. Unfortunately, in cases where a production server is used for development and testing, malicious users may discover such applications and use them to gain access to and compromise the production server.
Web application development and testing should only be performed on servers that are not connected to the internet. They should not have a link to real databases.
Web Application Content and Server-Side Scripting
The operating system and system files such as logs should be on a drive or partition separate from the one hosting website files/scripts and web applications.
Experienced database administrators, such as those at remotedba.com, know that when hackers gain access to a web root directory, they can take advantage of other vulnerabilities and further escalate their privileges to gain access to the entire disk’s data, including system files and the operating system.
From that point, the hackers will have the ability to execute whichever operating system command they choose, giving them absolute control over the web server.
Permissions and Privileges
Permissions for file and network services play an important role in securing a web server. If a malicious user compromises a web server engine through network service software, they can use the account that runs the network service to execute tasks.
It is therefore important to assign the least privileges required for a particular network service to run. Equally, it is important to assign anonymous users the minimum privileges required to access the site, web application files, data, and databases.
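One way to check file permissions against this principle, as an added example that is not part of the original article: the script walks a web root and reports world-writable paths and paths owned by the account the web server runs as. The sample tree and the function names are constructed for illustration; uid 33 is www-data on Debian-based systems.

```python
import os
import stat
import tempfile


def audit_web_root(root, service_uid):
    """Report entries under root that break least privilege: world-writable
    paths, and paths owned by the web server's own account (which a
    compromised server process could then modify)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if stat.S_ISLNK(info.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(path, root)
            if info.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if info.st_uid == service_uid:
                findings.append((rel, "owned by service account"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: one locked-down page, plus an upload directory
    and a script inside it that were left world-writable."""
    os.makedirs(os.path.join(root, "uploads"))
    for rel, mode in [("index.html", 0o644), ("uploads", 0o777),
                      ("uploads/form.php", 0o666)]:
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            open(path, "w").close()
        os.chmod(path, mode)  # explicit chmod, so the umask does not matter


def audit_sample(service_uid):
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_web_root(root, service_uid)


if __name__ == "__main__":
    # Assumption: the web server runs as uid 33 (www-data on Debian).
    for rel, problem in audit_sample(service_uid=33):
        print(f"{rel}: {problem}")
```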
Install All Web Security Patches on Time
Having software that is fully patched is no guarantee that your server is fully secure. Nonetheless, it is imperative that you keep your operating system and the software running on it up to date using the latest security patches. Far too many incidents of hacking have occurred because malicious users exploited software and servers that were unpatched.
Ensure the Server is Monitored and Audited
Ideally, all the logs present on a web server should be kept in a separate area. There should be frequent checking and monitoring of operating system logs, website access logs, network services logs, and database server logs (such as Oracle, MySQL, and Microsoft SQL Server). Your company’s DBA should always be on the lookout for abnormal log entries.
Log files tend to be ignored yet they give all the information about attempted and successful hacks. If strange log activity is noticed, it should be immediately addressed and investigated to determine exactly what is happening.
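A small log review routine, as an added example that is not part of the original article. It ties together the log monitoring described here and the earlier point about /new/ and /test/ directories: it flags successful requests to those paths and clients that generate repeated 4xx errors. The log lines are constructed and the threshold is an assumption.

```python
import re
from collections import Counter

# Constructed access-log lines in Common Log Format (not from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2024:10:01:05 +0000] "GET /css/site.css HTTP/1.1" 200 900
203.0.113.9 - - [12/Mar/2024:10:02:11 +0000] "GET /admin/ HTTP/1.1" 404 210
203.0.113.9 - - [12/Mar/2024:10:02:12 +0000] "GET /backup/ HTTP/1.1" 404 210
203.0.113.9 - - [12/Mar/2024:10:02:13 +0000] "GET /old/ HTTP/1.1" 403 199
203.0.113.9 - - [12/Mar/2024:10:02:14 +0000] "GET /test/ HTTP/1.1" 200 1843
203.0.113.9 - - [12/Mar/2024:10:02:15 +0000] "GET /new/login.php HTTP/1.1" 200 2210
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
DEV_PREFIXES = ("/new/", "/test/")  # the directories named in the article
ERROR_THRESHOLD = 3                 # assumption: tune to your own traffic


def review_access_log(text):
    """Return (exposed, noisy): successful requests to development or test
    paths, and clients with at least ERROR_THRESHOLD 4xx responses."""
    exposed, errors = [], Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, path, status = m.groups()
        status = int(status)
        if 200 <= status < 300 and path.startswith(DEV_PREFIXES):
            exposed.append((client, path))  # dev content served in production
        if 400 <= status < 500:
            errors[client] += 1
    noisy = {c: n for c, n in errors.items() if n >= ERROR_THRESHOLD}
    return exposed, noisy


if __name__ == "__main__":
    exposed, noisy = review_access_log(SAMPLE_LOG)
    for client, path in exposed:
        print(f"development path served to {client}: {path}")
    for client, count in noisy.items():
        print(f"{client} triggered {count} client errors")
```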
Unused default user accounts created during an operating system installation should be disabled. Some software also creates user accounts on the operating system when it is installed. These accounts should be properly checked and changes made to permissions.
In addition to being renamed, built-in administrator accounts should not be used. The same applies to root users on Unix/Linux installations. Administrators who access web servers should have their own accounts and appropriate privileges. As a matter of proper security practice, user accounts should not be shared.
All Unused Application Extensions and Unused Modules Should Be Removed
A default Apache installation will have many enabled pre-defined modules that are not typically used in a web server scenario unless they are specifically required. To prevent targeted cyber attacks against such modules, they should be turned off.
The same goes for Microsoft’s web servers – Internet Information Services (IIS). IIS is by default configured to serve numerous types of applications. The list of application extensions should only contain those that the web application or website will use.
Sujain Thomas is a database IT professional who works closely with DBA professionals and is keen on providing his clients with top-of-the-range DBA services to solve their data problems. To learn more about DBA, visit remotedba.com.