How to Defend Against Web Server Attacks


- Ports – audit the server's open ports regularly, limit inbound traffic to TCP ports 80 and 443, and encrypt or restrict intranet traffic

- Server Certificates – ensure that certificate date ranges are valid, that certificates are used for their intended purpose (for example, server authentication), and that the certificate's public key chains to a trusted root authority

- Machine.config – ensure that protected resources are mapped and that unused resources are removed. Ensure that tracing is disabled and that debug compilation is turned off

- Code Access Security – implement secure coding practices, restrict code access security policy settings so that downloaded code has no permission to execute, configure IIS to prevent path traversal, lock down system commands and utilities with ACLs, and install new patches and updates promptly

- Registry – apply restricted ACLs and block remote registry administration. Secure the SAM (stand-alone servers only)

- Shares – remove all unnecessary file shares, including the default administrative shares. Secure the remaining shares with restricted NTFS permissions

- IIS Metabase – ensure that security-related settings are configured appropriately and that access to the metabase file (applicationHost.config in IIS 7 and later) is restricted with hardened NTFS permissions. Restrict banner information

- Auditing and Logging – enable at least a minimum level of auditing and use NTFS permissions to protect the log files.

- Script Mappings – remove all unnecessary script mappings so that bugs in unused ISAPI extensions cannot be reached

- Sites and Virtual Directories – relocate sites and virtual directories to non-system partitions and use NTFS permissions to restrict access

- ISAPI Filters – remove unnecessary ISAPI filters

- URL Mappings – create URL mappings to internal servers cautiously

- Dedicated Machine – use a dedicated machine as the web server

- Screen and filter – screen and filter incoming traffic requests

- Domain Controller – do not install the web server on a domain controller

- Hardening – do not connect the web server to the Internet until it is fully hardened

- Session ID Tracking – use server-side session ID tracking and match each connection against timestamps, source IP address, and so on

- Local logon – do not allow anyone except the administrator to log on locally to the machine

- SQL Server – install it on a separate server

- Security tools and scanners – use them to automate and simplify the process of securing a web server

- Anonymous user – configure a separate anonymous user account for each application if the server hosts multiple web applications.

- Functionality – limit the server's functionality to only the technologies that are going to be used.
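Most of the checklist above is host configuration, so here is an added PowerShell script (not code from the original page) that applies the IIS-specific items on one server: ports, remote registry, shares, site relocation and permissions, logging, script mappings and ISAPI filters, a per-application anonymous identity, and the machine.config debug/trace switch. The site name 'Default Web Site', the content path D:\Sites\www, and the list of handler mappings treated as unused are assumptions; adjust them before running. The anonymous-user step uses the IIS 7+ model where each application runs in its own application pool and the pool identity is the anonymous account, which gives each application a separate identity without managing extra passwords.

```powershell
#Requires -RunAsAdministrator
# Added IIS hardening script for the checklist above (not from the original page).
# Assumptions: Windows Server with IIS and the WebAdministration module, Windows
# Firewall managed through the NetSecurity module, a site named 'Default Web Site',
# and site content to be served from D:\Sites\www (a non-system partition).
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration
Import-Module NetSecurity

$siteName    = 'Default Web Site'        # assumption
$contentRoot = 'D:\Sites\www'            # assumption
$appHost     = 'MACHINE/WEBROOT/APPHOST' # server-level applicationHost.config

# Ports: block inbound by default and allow only HTTP/HTTPS from the network.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Web server: allow HTTP/HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Action Allow

# Registry: stop and disable remote registry administration.
Stop-Service -Name RemoteRegistry -Force
Set-Service  -Name RemoteRegistry -StartupType Disabled

# Shares: disable the default administrative shares (C$, ADMIN$) and list every
# remaining non-special share so unneeded ones can be removed with Remove-SmbShare.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
Get-SmbShare | Where-Object { -not $_.Special } | Select-Object Name, Path

# Sites and virtual directories: serve content from the non-system partition and
# grant the application pool identity read/execute only; admins and SYSTEM keep full control.
New-Item -ItemType Directory -Path $contentRoot -Force | Out-Null
$appPool = (Get-Item "IIS:\Sites\$siteName").applicationPool
Set-ItemProperty "IIS:\Sites\$siteName" -Name physicalPath -Value $contentRoot
icacls $contentRoot /inheritance:r /grant:r "IIS AppPool\${appPool}:(OI)(CI)RX" `
    'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Auditing and logging: logging on for every site; the log directory is readable
# only by administrators and SYSTEM (HTTP.sys writes the W3C logs as SYSTEM).
Get-ChildItem IIS:\Sites | ForEach-Object {
    Set-ItemProperty "IIS:\Sites\$($_.Name)" -Name logFile.enabled -Value $true
}
$logDir = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles'
icacls $logDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Script mappings and ISAPI filters: remove server-level handler mappings for
# technologies this server does not use (assumption: no classic ASP, CGI or raw
# ISAPI) and list the ISAPI filters that remain for manual review.
$unusedHandlers = @('ASPClassic', 'CGI-exe', 'ISAPI-dll')
Get-WebHandler -PSPath $appHost |
    Where-Object { $_.Name -in $unusedHandlers } |
    ForEach-Object { Remove-WebHandler -Name $_.Name -PSPath $appHost }
Get-WebConfiguration -PSPath $appHost -Filter 'system.webServer/isapiFilters/filter' |
    Select-Object name, path

# Anonymous user: an empty userName makes IIS use the application pool identity
# as the anonymous account, so each application in its own pool gets its own identity.
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# Machine.config: retail deployment forces debug compilation and tracing off
# machine-wide, regardless of what individual web.config files request.
Set-WebConfigurationProperty -PSPath 'MACHINE' -Filter 'system.web/deployment' -Name retail -Value $true
```

Run it elevated on the web server itself, once, after reviewing each block; the firewall and share steps are the ones most likely to cut off remote administration if the host is managed over a port other than 80 or 443, so keep a console session open while applying them.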
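For the Server Certificates item, here is an added PowerShell check (not code from the original page) that audits the certificates bound to IIS HTTPS listeners for the three conditions the checklist names: a current date range, the Server Authentication purpose, and a chain to a trusted root. It assumes the WebAdministration module for the binding lookup; the validation itself uses .NET's X509Chain, which consults the machine's trusted root store and, as configured here, checks revocation online.

```powershell
# Added example (not from the original page): audit the certificates bound to
# IIS HTTPS sites against the checklist: date range, intended purpose, trust chain.
# Assumes the WebAdministration module (IIS 7+) for the SslBindings lookup.
Import-Module WebAdministration

function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $issues = @()

    # Date range: the certificate must be current right now.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $issues += "outside validity period $($Cert.NotBefore.ToString('u')) to $($Cert.NotAfter.ToString('u'))"
    }

    # Intended purpose: if an Extended Key Usage extension is present it must
    # include Server Authentication; a certificate with no EKU allows any purpose.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $purposes = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($purposes -notcontains $serverAuthOid) {
            $issues += 'EKU does not include Server Authentication'
        }
    }

    # Trust: build the chain to a trusted root, checking revocation for every
    # certificate except the root itself.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    if (-not $chain.Build($Cert)) {
        $issues += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Valid      = ($issues.Count -eq 0)
        Issues     = ($issues -join '; ')
    }
}

# Only certificates actually bound to an HTTPS listener are audited.
$boundThumbprints = Get-ChildItem IIS:\SslBindings | ForEach-Object { $_.Thumbprint }
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -in $boundThumbprints } |
    ForEach-Object { Test-ServerCertificate -Cert $_ } |
    Format-Table Subject, NotAfter, Valid, Issues -AutoSize
```

Run it elevated on the web server; a certificate with Valid set to False lists the failing conditions in Issues, and the chain status text comes straight from Windows (for example an untrusted root, an expired intermediate, or a revocation check that could not complete).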