The number of high-profile attacks in recent years has shown that web security is one of the most important issues every enterprise has to deal with.
Servers are the most targeted face of any organization, purely because of the amount of sensitive data hosted on them, and securing them is as important as, if not more important than, securing the web application, website and network that surround them.
If the application is secure but the server isn't, or vice versa, the enterprise is still at serious risk. As with anything else, security is only as strong as its weakest point.
Securing a web server is not an easy job, and it is a specialist one, but it is not impossible.
Regardless of the server software and operating system the enterprise runs, no out-of-the-box configuration is going to be secure.
Steps have to be taken to increase security, and these are the steps every enterprise needs to take:
Get rid of all unnecessary services
The more services that run on an operating system, the more ports are left open, and every open port is another door an attacker can try.
All services that are not needed should be disabled, not merely stopped, so that they do not start again automatically when the server is rebooted. Doing this also improves server performance, because the hardware resources those services consumed are freed up.
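The first step in practice is to find out what is actually listening and compare it with what the server is supposed to expose. The script below is an added example, not part of the original article: it parses `ss -tulnp` style output (a constructed sample is embedded so it runs offline) and reports every socket bound to a non-loopback address on a port that is not in an allowlist. The allowlist of 22, 80 and 443 is an assumption for a typical web server.

```sh
#!/bin/sh
# Added example: audit listening sockets against an allowlist of expected ports.
# On a real host replace SAMPLE_SS with the live output:  ss -tulnp | tail -n +2

# Ports this web server is expected to expose (assumption: SSH, HTTP redirect, HTTPS).
ALLOWED_PORTS="22 80 443"

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 511 0.0.0.0:80     0.0.0.0:* users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0 511 0.0.0.0:443    0.0.0.0:* users:(("nginx",pid=1201,fd=7))
tcp   LISTEN 0 128 0.0.0.0:3306   0.0.0.0:* users:(("mysqld",pid=1333,fd=21))
tcp   LISTEN 0 128 127.0.0.1:6379 127.0.0.1:* users:(("redis-server",pid=1402,fd=6))
udp   UNCONN 0 0   0.0.0.0:111    0.0.0.0:* users:(("rpcbind",pid=600,fd=5))'

# unexpected_listeners: print "process port bind-address" for every socket that
# is reachable from the network (not loopback) on a port outside ALLOWED_PORTS.
unexpected_listeners() {
    printf '%s\n' "$SAMPLE_SS" | awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        # local address is field 5; the port is whatever follows the last colon
        n = split($5, addr, ":"); port = addr[n]
        ip = substr($5, 1, length($5) - length(port) - 1)
        # loopback-only services cannot be reached remotely; skip them
        if (ip == "127.0.0.1" || ip == "[::1]") next
        if (port in ok) next
        # process name sits inside users:(("name",pid=...,fd=...))
        proc = $7; sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
        print proc, port, ip
    }'
}

# Each line reported should either be added to ALLOWED_PORTS on purpose, bound
# to loopback only, or disabled so it does not return after a reboot, e.g.
#   systemctl disable --now rpcbind
unexpected_listeners
```

In the sample this reports mysqld on 3306 and rpcbind on 111, while redis is ignored because it only listens on loopback. A database that must stay on the same host should be bound to 127.0.0.1 like redis is here rather than to every interface.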
Secure remote access
It may not always be practical, but where possible administrators should log in to their web servers locally.
If they do need to log in remotely, the connection needs extra protection: it must be encrypted and tunnelled, for example over SSH or a VPN, rather than sent in the clear.
Good practice includes the use of security tokens or another form of multi-factor authentication, together with single sign-on. Remote access should also be restricted to a small set of IP addresses and to specific accounts. Public computers and public networks should never be used to access enterprise servers remotely.
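For a Linux web server most of the points above map onto the SSH daemon's configuration. The following is an added example, not code from the article: a constructed default-style sshd_config beside a hardened one, plus a small audit function that flags the weak settings. The admin names and management subnet in the hardened config are assumptions, and the keyboard-interactive second factor assumes a PAM module (such as a TOTP module) is configured separately.

```sh
#!/bin/sh
# Added example: audit sshd_config for the remote-access settings discussed above.
# On a real host:  sshd_weak_settings < /etc/ssh/sshd_config
# Validate any change with `sshd -t` before restarting the daemon.

# Constructed config with the weak settings present (not from a real host).
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes'

# Constructed hardened config: keys plus a second factor, no root login, and
# logins limited to named admins from the management network (assumed values).
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
AllowUsers alice@10.0.5.0/24 bob@10.0.5.0/24
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no'

# sshd_weak_settings: read an sshd_config on stdin, print one finding per line.
# sshd uses the first occurrence of a directive, so later duplicates are ignored.
sshd_weak_settings() {
    awk '
    function shown(k) { return (k in seen) ? seen[k] : "default" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    { key = tolower($1); val = tolower($2); if (!(key in seen)) seen[key] = val }
    END {
        if (seen["permitrootlogin"] != "no")
            print "PermitRootLogin should be no (found: " shown("permitrootlogin") ")"
        if (seen["passwordauthentication"] != "no")
            print "PasswordAuthentication should be no (found: " shown("passwordauthentication") ")"
        if (!("allowusers" in seen) && !("allowgroups" in seen))
            print "No AllowUsers/AllowGroups: every local account may log in"
        if (seen["x11forwarding"] == "yes")
            print "X11Forwarding should be no"
    }'
}

echo "weak config:";     printf '%s\n' "$WEAK_CONFIG" | sshd_weak_settings
echo "hardened config:"; printf '%s\n' "$HARDENED_CONFIG" | sshd_weak_settings
```

The IP restriction in AllowUsers is a second layer on top of the host firewall, not a replacement for it; the firewall should still only accept port 22 from the management subnet.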
Keep Development, Testing and Production Environments Separate
It is a good deal faster and much easier for developers to build new versions of their applications directly on the production server.
Because of that, it is not uncommon for development and testing to be done on the same server that serves the public site.
These test sites often make their way onto the internet before they are ready for public viewing, and they tend to be buggy and full of holes that a malicious attacker can easily exploit.
In an ideal world, all development and testing would be done on servers that are kept separate from the internet and would never be allowed to connect to the enterprise's data and databases until the code is fully ready and has been tested.
Server-Side Scripts and Application Content
All web files and scripts should be stored on a separate drive or, at the very least, a separate partition from the operating system, system files and logs.
If an attacker gains access to the web root directory and it shares a disk with the operating system, any further vulnerability they exploit takes them a step further, to the data on the entire disk.
From there, the world really is their oyster, or at least your web server is.
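Putting the content on its own volume also lets you mount it with options that the root filesystem cannot have. The script below is an added example, not from the article: it shows the fstab entry for a separate web content volume and a function that checks, from /proc/mounts style data, whether a mount point is missing nodev, nosuid or noexec. The device names and the mount table are constructed.

```sh
#!/bin/sh
# Added example: keep web content on its own volume and verify its mount options.
# On a real host replace MOUNTS with the live table:  cat /proc/mounts

# Corresponding /etc/fstab line for the web content volume (device name assumed):
#   /dev/sdb1  /var/www  ext4  defaults,nodev,nosuid,noexec  0 2
# noexec is fine for static content and interpreter-served code (PHP-FPM, etc.);
# drop it only if the directory must hold CGI binaries.

# Constructed /proc/mounts excerpt (not from a real host).
MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /var/www ext4 rw,relatime 0 0
/dev/sdc1 /var/log ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# mount_missing_options <mountpoint>: print each of nodev, nosuid, noexec that
# is absent on that mount, or "not-a-mountpoint" if the path is not its own mount
# (in which case it shares the options and the disk of its parent filesystem).
mount_missing_options() {
    printf '%s\n' "$MOUNTS" | awk -v mp="$1" '
    $2 == mp { found = 1; n = split($4, o, ","); for (i = 1; i <= n; i++) has[o[i]] = 1 }
    END {
        if (!found) { print "not-a-mountpoint"; exit }
        split("nodev nosuid noexec", want, " ")
        for (i = 1; i <= 3; i++) if (!(want[i] in has)) print want[i]
    }'
}

echo "/var/www is missing:"; mount_missing_options /var/www
echo "/var/log is missing:"; mount_missing_options /var/log
```

In the sample, /var/www is a separate volume but still mounted with defaults, so all three hardening options are reported; /var/log already has them. After editing fstab, `mount -o remount /var/www` applies the change without a reboot.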
Privileges and Permissions
Instead of giving everybody access to everything, grant the least privilege needed to carry out specific tasks, and grant it to the smallest number of people who need it.
You should also assign the absolute minimum privileges that anonymous users need in order to reach the web application files, the website itself, and any back-end databases and data.
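On the filesystem, least privilege for the web server account means read-only access to code and content, no access at all to secrets it does not need, and write access only where uploads land. The script below is an added example, not from the article: it builds a small constructed web root in a temporary directory, applies that layout, and audits it for world-writable files, readable configuration and executable uploads. The web server (www-data) and deploy accounts are assumptions; the chown commands are left as comments because they need root.

```sh
#!/bin/sh
# Added example: least-privilege layout for a web root, and an audit of it.

# make_sample_webroot: create a constructed web root in a temp dir, apply the
# intended permissions, and print its path.
make_sample_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/public/uploads" "$dir/config"
    printf '<html>ok</html>\n' > "$dir/public/index.html"
    printf 'db_password=secret\n' > "$dir/config/app.conf"
    : > "$dir/public/uploads/avatar.png"
    # Intended layout: content readable by everyone but writable by nobody except
    # the deploy user; config not world-readable; uploads writable by the web
    # server account (via group) but never executable.
    chmod 755 "$dir" "$dir/public"
    chmod 644 "$dir/public/index.html"
    chmod 750 "$dir/config"
    chmod 640 "$dir/config/app.conf"
    chmod 770 "$dir/public/uploads"
    chmod 660 "$dir/public/uploads/avatar.png"
    # A real deployment would also run, as root (accounts assumed):
    #   chown -R deploy:www-data "$dir"
    #   chown -R www-data:www-data "$dir/public/uploads"
    printf '%s\n' "$dir"
}

# insecure_web_files <webroot>: list anything world-writable anywhere, anything
# world-readable under config/, and any executable file under uploads/.
insecure_web_files() {
    root=$1
    find "$root" -perm -o+w
    find "$root/config" -perm -o+r
    find "$root/public/uploads" -type f -perm -u+x
}

root=$(make_sample_webroot)
echo "findings on the intended layout:"; insecure_web_files "$root"
chmod 777 "$root/public/uploads/avatar.png"
echo "findings after a careless chmod 777:"; insecure_web_files "$root"
rm -rf "$root"
```

The same audit, pointed at the real web root, is a cheap thing to run from cron; a deploy script that "fixes" a permission problem with chmod 777 will show up on the next run.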
Be up to date with all security patches
Operating systems are updated almost constantly, but that does no good if you don't install the updates and patches as soon as they are released. The same applies to the web server software itself.
Monitor the server and audit it
Every log on a server should be segregated, and every service log, database server log, operating system log and website access log should be monitored and audited regularly.
You should be looking for anomalies in the logs, because these will tell you what you need to know about an attempted or successful attack.
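Two of the simplest anomalies to pull out of a web access log are an address generating a burst of error responses and requests for paths no legitimate user asks for. The script below is an added example, not from the article: it runs both checks with awk over a constructed combined-format access log. The probe pattern list is a small illustrative set, not a complete signature set.

```sh
#!/bin/sh
# Added example: spot scanner behaviour in a combined-format web access log.
# On a real host replace ACCESS_LOG with the live file, e.g. /var/log/nginx/access.log.

# Constructed access log (not from a real host). Fields: ip - - [time] "method path proto" status bytes referer agent
ACCESS_LOG='203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 169 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "GET /admin/ HTTP/1.1" 404 169 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:00:06 +0000] "GET /.env HTTP/1.1" 404 169 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:00:06 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:00:07 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:00:09 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:00:10 +0000] "POST /login HTTP/1.1" 200 0 "-" "Mozilla/5.0"'

# error_burst_ips <threshold>: print "ip count" for every client with at least
# <threshold> responses of status 400 or above.
error_burst_ips() {
    printf '%s\n' "$ACCESS_LOG" | awk -v t="$1" '
    $9 >= 400 { err[$1]++ }
    END { for (ip in err) if (err[ip] >= t) print ip, err[ip] }'
}

# probe_requests: print "ip path" for requests containing a directory-traversal
# sequence or one of a few well-known scanner targets (illustrative list).
probe_requests() {
    printf '%s\n' "$ACCESS_LOG" | awk '
    { path = $7 }
    path ~ /\.\.\// || path ~ /(^|\/)(\.env|\.git|wp-login\.php|phpmyadmin)(\/|$)/ { print $1, path }'
}

echo "clients with 3+ error responses:"; error_burst_ips 3
echo "probe-like requests:"; probe_requests
```

One client tripping both checks, as 198.51.100.9 does here, is the signature of an automated scan and a candidate for blocking at the firewall. Because an attacker who gains root can edit local logs, the segregation the text calls for should include shipping a copy of these logs to a separate log host as they are written.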
Disable unused user accounts
Any default user accounts that are not being used must be disabled. These are usually created when the operating system is installed and when many pieces of software are installed.
Each user account must have its permissions adjusted accordingly. The default administrator account (the built-in Administrator on Windows, root on Linux) should not be used for day-to-day access; on Windows it should also be renamed, and on Linux direct root login should stay locked with administrators using sudo instead.
Each admin who accesses the web server should do so through their own account with the right privileges, and account details should never be shared.
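Reviewing which accounts can actually log in is a matter of cross-checking the shell in /etc/passwd with the password state in /etc/shadow. The script below is an added example, not from the article: it runs that review over constructed copies of both files, lists every interactively usable account that is not a named administrator, and prints the commands that would lock the rest. The administrator names and the account data are assumptions.

```sh
#!/bin/sh
# Added example: find default and service accounts that can still log in.
# On a real host (as root) feed the real files instead of the constructed ones:
#   PASSWD=$(cat /etc/passwd); SHADOW=$(cat /etc/shadow)

# Named administrators who are expected to have a shell (assumption).
ADMINS="alice bob"

# Constructed /etc/passwd (7 colon-separated fields).
PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
postgres:x:112:118:PostgreSQL:/var/lib/postgresql:/bin/bash
alice:x:1001:1001:Alice Admin:/home/alice:/bin/bash
bob:x:1002:1002:Bob Admin:/home/bob:/bin/bash'

# Constructed /etc/shadow (9 fields; hashes are placeholders). A second field of
# "!" or "*" is a locked password; an empty field means no password is required.
SHADOW='root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
games:*:19000:0:99999:7:::
ubuntu:$6$saltsalt$constructedhash:19000:0:99999:7:::
postgres:*:19000:0:99999:7:::
alice:$6$saltsalt$constructedhash:19000:0:99999:7:::
bob:$6$saltsalt$constructedhash:19000:0:99999:7:::'

# review_accounts: print "name uid shell password-state" for every account with
# an interactive shell that is not in ADMINS. Shadow lines (9 fields) are read
# first so the password state is known when the passwd lines (7 fields) arrive.
review_accounts() {
    printf '%s\n%s\n' "$SHADOW" "$PASSWD" | awk -F: -v admins="$ADMINS" '
    BEGIN { n = split(admins, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF == 9 {
        if ($2 == "") state[$1] = "empty-password"
        else if ($2 ~ /^[!*]/) state[$1] = "locked"
        else state[$1] = "unlocked"
        next
    }
    NF == 7 {
        shell = $7
        if (shell ~ /(nologin|false)$/) next   # cannot log in interactively
        if ($1 in ok) next                      # named administrator, expected
        print $1, $3, shell, ($1 in state ? state[$1] : "no-shadow-entry")
    }'
}

# lock_commands: for every flagged account other than root, print the command
# that locks its password and removes its shell in one step.
lock_commands() {
    review_accounts | awk '$1 != "root" { print "usermod -L -s /usr/sbin/nologin " $1 }'
}

echo "accounts to review:"; review_accounts
echo "suggested commands:"; lock_commands
```

In the sample, the cloud-image default account (ubuntu) is unlocked with a shell and the postgres service account has a shell it does not need; both are reported. root is listed so it can be confirmed as locked, but it is deliberately left out of the lock commands, since locking root's shell would break local recovery.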