
Web Server Pieces

November 7, 2010
  1. Server OS + Hardware
  2. Web Server
  3. Database Server
  4. Web application framework or language
  5. Scripting language or Application
  6. Client & Browser Security
  7. Authentication and Session Management

Web Server

• Apache and IIS 6 / 7 are not secure out of the box (OTB)
• Configurations can become complex over time
  – Look for unused modules or paths
  – Look for world-readable scripts or code
  – Use hardening guides (CIS and MS)
  – Keep your config well-organized and easy to read
• Create default error messages
  – Stop applications and SQL from revealing how they work
• Monitor logs
  – Every day
  – Most web applications typically log to the web server log file
• Remove sample and test applications
• Patch (Windows / Unix)
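The "look for world-readable scripts or code" point above is easy to automate. The following is an added example, not part of the original slides: it walks a web root and flags server-side code files whose permission bits grant read access to "other". The file-extension list and the sample tree it builds in a temporary directory are constructed for the example; static assets such as HTML are expected to be world-readable and are deliberately not flagged.

```python
import os
import stat
import tempfile

# Extensions that usually hold server-side code (constructed list for this example).
CODE_EXTENSIONS = {".php", ".py", ".pl", ".cgi", ".asp", ".aspx", ".jsp"}


def find_world_readable_code(root: str) -> list[str]:
    """Walk `root` and return code files (relative paths) readable by 'other'."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in CODE_EXTENSIONS:
                continue  # static assets are meant to be served; skip them
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & stat.S_IROTH:  # 'other' read bit is set
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed web root: one exposed script, one locked-down one, one asset."""
    root = tempfile.mkdtemp(prefix="webroot-")
    exposed = os.path.join(root, "cgi-bin", "upload.cgi")
    locked = os.path.join(root, "app", "config.php")
    asset = os.path.join(root, "index.html")
    os.makedirs(os.path.dirname(exposed))
    os.makedirs(os.path.dirname(locked))
    for path, body in ((exposed, "# constructed sample\n"),
                       (locked, "<?php /* constructed sample */ ?>\n"),
                       (asset, "<html></html>\n")):
        with open(path, "w") as fh:
            fh.write(body)
    os.chmod(exposed, 0o755)  # readable (and executable) by everyone: should be flagged
    os.chmod(locked, 0o640)   # owner rw, group r, nothing for others: should pass
    os.chmod(asset, 0o644)    # static page, world-readable by design: not a code file
    return root


if __name__ == "__main__":
    for rel in find_world_readable_code(build_sample_tree()):
        print("world-readable code:", rel)
```

Run it against the real document root instead of `build_sample_tree()` to get a list worth reviewing during the periodic configuration clean-up the slide recommends.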

Database Security

• Isolate the database server
  – The database should be on a separate host from the web server
  – Use a firewall to severely restrict access
• Encrypt database connections
• Harden the database server
  – CIS SQL Hardening Guide
  – Configure users and permissions carefully
  – Use separate SQL accounts for users and admins
  – Make sure to set the administrative password
• Use parameterized SQL or server-side SQL
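Two of the points above, "use parameterized SQL" and "stop applications and SQL from revealing how they work", fit in one short example. This is added illustration code, not from the original slides: it builds a constructed in-memory SQLite table, shows a lookup that splices user input into the query text beside the parameterized version, and wraps the safe lookup in a request handler that logs the database error server-side while returning a fixed, generic message to the client.

```python
import logging
import sqlite3

log = logging.getLogger("app")


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> list[str]:
    """Vulnerable: the input becomes part of the SQL text, so it can change the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened: the input is bound as a parameter and is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def handle_request(conn: sqlite3.Connection, username: str) -> tuple[int, dict]:
    """Return (status, body). Detail goes to the server log; the client sees a default message."""
    try:
        return 200, {"users": lookup_param(conn, username)}
    except sqlite3.Error as exc:
        # Full error text (driver, table names, SQL fragment) stays in the log for the admin.
        log.error("database error for username=%r: %s", username, exc)
        return 500, {"error": "An internal error occurred."}


if __name__ == "__main__":
    db = setup_db()
    print(lookup_param(db, "alice"))                 # ['alice']
    print(handle_request(db, "bob"))                 # (200, {'users': ['bob']})
```

The test below exercises the difference with the classic tautology input: the concatenated query returns every row, the parameterized one returns none, and a failing database connection yields only the generic message.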
