Although it can be difficult and time-consuming to run a secure server, it is far from impossible. By putting in a few hours of research and hard work now, owners can save themselves from data breaches and long nights in the future. Regardless of which OS and server software a company runs, out-of-the-box configurations are typically insecure.
Below are several steps to achieve a more secure web server.
Eliminate Unnecessary Services
As mentioned previously, default configurations are insecure. In the average default installation, many unused services such as RAS, remote registry, and print servers are included. The more services an OS is running, the more ports are open, which allows an easier insertion of malicious code. By disabling unnecessary services, a user can make a server more secure and boost performance at the same time.
Remote Access Controls
Although it is not always practical, administrators should try to log into servers locally. If they need remote access, the user should ensure the security of the connection with encryption protocols and tunneling. Single-use sign-ons are a good secure server practice, and remote access should be limited to specific accounts and IPs. Corporate servers should not be accessed on public PCs or networks, such as those in internet cafes.
Keep Production, Testing and Development Environments Separate
Because it is easier and quicker for a developer to assemble a new version of a web app on production servers, it is common that testing and development are done there. It is common to find newer versions of sites, as well as other restricted content, in /new/, /test/ and other sub-directories. Because these apps are in the development stage, they have many vulnerabilities and handle exceptions poorly. These flaws can easily be exploited with widely available tools. In an ideal situation, testing, and development should be done on an isolated, secure server.
Privileges and Permissions
Network and file permissions play a critical role in running a secure server. If a server engine is breached via network services software, a malicious user can use the account to execute files and carry out other tasks. It is important to assign the lowest privilege level needed to run certain services and to anonymous users.
Audit and Monitor Servers
Server logs should be stored in secured areas. All website access, network services, database secure server and OS logs should be checked frequently. Log files offer information on attempted and successful attacks, but these are ignored most of the time. If a user notices strange activities, they should immediately investigate and escalate the issue.
Eliminate Unused Accounts
Default accounts created during OS installs should be eliminated or disabled. When certain software is installed, user accounts are created, and permissions for these should be changed as required. The admin account should be re-named, and every admin with access to the web server should have his or her own account with the correct privileges.
Web servers have a variety of purposes, but they only fulfill their intended roles when they are kept secure. By following the tips mentioned here, business owners and others can have a secure server while protecting the sensitive data contained within.