Over the years I've learned a few strategies for securing web server configurations (often by making the mistakes first). By no means complete or comprehensive, here is my quick list of essential practices.
- Ensure that databases and sensitive assets are stored outside of the web root
Any file that sits inside the web root, your database included, can be downloaded by anyone who figures out or guesses its URL. Keep the database outside the web root, and keep other sensitive files (configuration containing credentials, backups, SQL dumps, private keys) outside as well. Most application servers provide a way to serve a file from outside the web root to an authenticated user when appropriate, so moving it out costs no functionality.
- Ensure that directory browsing is turned off and that default index pages are specified
If directory browsing is turned on and the web server does not find a file it recognizes as a default index page in a given directory, it will show any visitor a listing of every file in that directory, and may let them navigate into subdirectories as well. Turn listing off explicitly (in Apache, Options -Indexes; in nginx, autoindex off, which is also its default) and make sure every directory that is meant to be reachable has an index page, rather than relying on only one of the two.
- Ensure that all of the latest patches have been applied to all software
Check constantly for, and promptly apply, patches and upgrades for the operating system, web server, database, and application server software. Some programs can do this automatically, such as Windows Update or the Red Hat Network for Linux; if nothing like that is available, build a schedule with reminders into your business processes.
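The first two items above lend themselves to an audit you can run against a document root. The script below is an added example, not code from the original post: it flags database, dump, backup and secret files under a document root, lists directories that have no default index page (exactly the ones a server with listing enabled would expose), and greps an Apache or nginx configuration for directives that turn listing on. The sample tree, its file names, the index-page list and the two configuration files are all constructed here for the demonstration; extend the name patterns for your own stack.

```shell
#!/bin/sh
# Added example (not from the original post): audit a document root for the first
# two items on the list. The sample tree and config files are constructed below.

# 1. Files that must not live under the web root: databases, SQL dumps, backups,
#    secrets. Anything printed here is one guessed URL away from being downloaded.
#    The name list is an assumption; extend it for your stack.
find_sensitive() {
    find "$1" -type f \( -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' \
        -o -name '*.mdb' -o -name '*.sql' -o -name '*.bak' -o -name '*.old' \
        -o -name '.env' -o -name '*.pem' -o -name '*.key' -o -name '.htpasswd' \) \
        | sort
}

# 2. Directories that contain none of the default index pages. With listing enabled
#    the server would show their contents. $2 is a space-separated index list; the
#    default stands in for a typical Apache DirectoryIndex / nginx index line.
find_unindexed_dirs() {
    docroot=$1
    indexes=${2:-"index.html index.htm index.php"}
    find "$docroot" -type d | sort | while IFS= read -r dir; do
        has_index=0
        for name in $indexes; do
            if [ -f "$dir/$name" ]; then has_index=1; break; fi
        done
        if [ "$has_index" -eq 0 ]; then printf '%s\n' "$dir"; fi
    done
}

# 3. Config lines that switch listing on. Apache: "Options Indexes", "Options +Indexes"
#    or "Options All" (All implies Indexes); "-Indexes" is not flagged. nginx: "autoindex on".
#    Commented-out lines are ignored because the pattern is anchored at line start.
check_config() {
    grep -nE '^[[:space:]]*(Options([[:space:]][^#]*)?[[:space:]+](Indexes|All)|autoindex[[:space:]]+on)' "$1"
}

# Constructed sample document root standing in for something like /var/www/html.
make_demo_docroot() {
    demo=$(mktemp -d)
    mkdir -p "$demo/uploads" "$demo/data" "$demo/admin" "$demo/old"
    : > "$demo/index.html"
    : > "$demo/admin/index.php"
    : > "$demo/uploads/photo.jpg"     # no index page in uploads/
    : > "$demo/data/site.db"          # database inside the web root
    : > "$demo/old/backup.sql"        # SQL dump inside the web root
    : > "$demo/.env"                  # credentials file inside the web root
    # Apache config: one directory with listing enabled, one with it explicitly disabled.
    cat > "$demo/httpd.conf" <<'EOF'
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/admin">
    Options -Indexes
</Directory>
EOF
    # nginx config: listing enabled for one location.
    cat > "$demo/nginx.conf" <<'EOF'
server {
    root /var/www/html;
    index index.html;
    location /uploads/ {
        autoindex on;
    }
}
EOF
    printf '%s\n' "$demo"
}

# Run all three checks against a document root and print the findings.
audit() {
    echo "== sensitive files under $1"
    find_sensitive "$1"
    echo "== directories without a default index page"
    find_unindexed_dirs "$1"
    for conf in "$1/httpd.conf" "$1/nginx.conf"; do
        echo "== listing directives in $conf"
        check_config "$conf" || echo "(none)"
    done
}

demo_root=$(make_demo_docroot)
audit "$demo_root"
rm -rf "$demo_root"
```

Against the constructed tree the script reports three sensitive files (.env, data/site.db, old/backup.sql), three directories without an index page (data, old, uploads) and one listing directive in each configuration file; the "Options -Indexes" line for /admin is correctly left alone. Point the three functions at a real document root and its real configuration to use it in anger.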

Comments (1)
June 1, 2007
20:00PM
I'd also recommend that all unnecessary services or daemons (ftp, SNMP, etc.) be disabled or uninstalled if they're not being used.