Six steps to secure your web server


Maintaining web server security is one of the most unpleasant chores in information security. You need to balance conflicting roles: allowing legitimate access to network resources while preventing malicious damage.

You might even consider two-factor authentication, such as RSA SecurID tokens, to ensure a high level of trust in the authentication system, but this may not be practical or cost effective for all website users. Despite these conflicting goals, there are still six steps that will help secure web servers.

Use Separate Servers for Internal and External Applications

Suppose an organization has two independent kinds of web applications: services for external users and services for internal users. Take care to deploy these applications on different servers. Doing so reduces the risk that a malicious user who breaks into the external server gains access to sensitive internal information. If separate servers are not available, you should at least use technical controls (such as process isolation) so that internal and external applications cannot interact with each other.

Testing and Debugging Applications with a Separate Development Server

Testing applications on a separate web server sounds like common sense, and it is. Unfortunately, many organizations do not follow this basic rule, instead allowing developers to debug code and even develop new software on production servers. This is terrible for both security and reliability. Testing code on the production server can cause outages for users and introduces security vulnerabilities when developers push untested, vulnerable code. Most modern version control systems (such as Microsoft's Visual SourceSafe) make it easy to automate the coding/testing/debugging process.

Audit Website Activity and Store Logs Securely

Every security professional knows the importance of maintaining server activity logs. Since most web servers are public, it is important to audit all Internet-facing services. Auditing helps you detect and respond to attacks, and it also lets you troubleshoot server performance. In a high-security environment, make sure your logs are stored in a physically secure location. The safest (but least convenient) trick is to print the logs as they are created, producing paper records that an intruder cannot modify, provided the intruder has no physical access. You may instead want an electronic equivalent, such as sending logs to a separate secure host and protecting them with digital signatures, so that the logs cannot be stolen or modified without detection.
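The electronic equivalent of the paper printout is a tamper-evident log: each record carries an HMAC that also covers the previous record's MAC, and the latest MAC is periodically copied off-host (the "anchor"). This added example is not from the original article; the key, the record format and the sample access-log lines are all constructed for illustration, and the `anchor` parameter stands in for whatever off-host copy (printout, log collector, signed e-mail) you actually use.

```python
import copy
import hashlib
import hmac

# Constructed demo key. In practice the key lives only on the log-collection
# host, so an intruder on the web server cannot recompute valid MACs.
LOG_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # MAC of the (non-existent) record before the first one


def append_record(chain, message, key=LOG_KEY):
    """Append one log line. The MAC covers the previous MAC as well as the
    message, so altering or removing any earlier line breaks every later MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    mac = hmac.new(key, (prev + "|" + message).encode(), hashlib.sha256).hexdigest()
    chain.append({"msg": message, "prev": prev, "mac": mac})
    return chain


def verify_chain(chain, key=LOG_KEY, anchor=None):
    """Return (True, None) if the chain is intact, otherwise (False, detail)
    where detail is the index of the first bad record or "truncated" when
    records were removed from the end (detected only via the off-host anchor)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return False, i
        expected = hmac.new(key, (prev + "|" + rec["msg"]).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, i
        prev = rec["mac"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, "truncated"
    return True, None


def demo():
    """Build a small chain from constructed access-log lines and show which
    kinds of tampering the verifier catches."""
    lines = [  # constructed sample lines in common log format
        '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
        '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 403 0',
        '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 128',
    ]
    chain = []
    for line in lines:
        append_record(chain, line)
    anchor = chain[-1]["mac"]  # this value would be written off-host

    results = {"intact": verify_chain(chain, anchor=anchor)}

    # Intruder rewrites the denied /admin request to look like a success.
    edited = copy.deepcopy(chain)
    edited[1]["msg"] = edited[1]["msg"].replace("403", "200")
    results["edited"] = verify_chain(edited, anchor=anchor)

    # Intruder deletes the failed-login line from the end of the file.
    truncated = copy.deepcopy(chain)[:-1]
    results["truncated"] = verify_chain(truncated, anchor=anchor)

    # Intruder deletes a line from the middle of the file.
    removed = copy.deepcopy(chain)
    del removed[1]
    results["middle_removed"] = verify_chain(removed, anchor=anchor)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note the last case: a plain hash chain cannot by itself detect deletion of the newest records, which is exactly why the article's off-host copy matters; the `anchor` comparison is what turns truncation into a detectable event.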

Train Developers in Secure Coding

Software developers are focused on creating applications that meet business needs, but they often overlook the fact that information security is also an important business need. As a security professional, you are responsible for training developers on how their work affects the security of web servers. Make sure developers understand the security mechanisms in the network and that the software they write does not undermine them; also provide conceptual training, for example on memory leak attacks and process isolation, which goes a long way toward producing secure applications.
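Training material of this kind usually pairs a vulnerable snippet with its hardened form. The following added example (not from the original article, which names no specific coding flaw) shows a file-serving helper that trusts the requested path, beside a version that canonicalises the path and refuses anything outside the document root; `resolve_unsafe`, `resolve_safe` and the temporary document root built in `demo` are all hypothetical.

```python
import os
import tempfile


def resolve_unsafe(docroot, requested):
    """Vulnerable version: the request path is joined to the document root
    without canonicalisation, so '..' segments can escape the root."""
    return os.path.normpath(os.path.join(docroot, requested.lstrip("/")))


def resolve_safe(docroot, requested):
    """Hardened version: canonicalise both paths (resolving '..' and symlinks)
    and serve only if the result is still inside the document root.
    Returns None for anything that must be rejected."""
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def demo():
    """Build a constructed document root with one page inside it and one
    file outside it, then run both resolvers on a normal request and on a
    request that tries to leave the root."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.makedirs(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    outside = os.path.join(base, "secret.txt")  # deliberately outside docroot
    with open(outside, "w") as f:
        f.write("constructed secret")

    return {
        # The vulnerable resolver hands back a path that really exists
        # outside the document root.
        "unsafe_reaches_outside": os.path.exists(resolve_unsafe(docroot, "/../secret.txt")),
        # The hardened resolver rejects the same request outright.
        "safe_rejects_outside": resolve_safe(docroot, "/../secret.txt") is None,
        # Legitimate requests still work with the hardened resolver.
        "safe_serves_normal": os.path.exists(resolve_safe(docroot, "/index.html")),
        # The docroot itself (a request for "/") is allowed through.
        "safe_allows_root": resolve_safe(docroot, "/") == os.path.realpath(docroot),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check compares canonical paths rather than looking for the literal string `..`, so encoded or symlinked variants of the same trick are handled the same way; that is the kind of reasoning the conceptual training above is meant to instil.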

Patching the Operating System and Web Server

This is another piece of common sense, but it is often overlooked when administrators are overwhelmed by other tasks. Security bulletins, such as those issued by CERT or Microsoft, are a reminder of how often software vendors release patches for security vulnerabilities. Tools like Microsoft's Software Update Services (SUS) and Red Hat's update service help automate this task. In short, once a vulnerability is announced, if you don't fix it, it will be found and exploited sooner or later.

Scan with an Application Scanner

If your resources are stretched, consider using an application scanner to verify in-house code. Tools like Watchfire's AppScan help ensure that no vulnerabilities reach the production environment. Keep security in mind throughout: a well-designed web server architecture should be based on a sound security policy. Implementing these six practices will help you build a solid foundation.

Copyright © Windows knowledge All Rights Reserved