The rise in hacking attacks on web servers is increasing and it is important that you understand a few basic facts about web servers and vulnerability security to ensure you protect your hard work from attack.
You’ve chosen your hosting provider, you’ve got the great idea for the website and started to build it but, there are things you need to be aware of concerning web server security issues. So take a few minutes to read this article on web server management and vulnerability security.
If you are developing the website yourself then it is essential that you understand the web server security issues associated with website development. The problem starts the moment you install a web server on your hosting provider account. This action opens a tunnel into your network for the whole world to look through and without vulnerability security you are dead in the water.
Although most people who visit your website are content to shop, a few will try to dig a little deeper into things you don’t want the general public to see on your website such as vulnerabilities, this is where vulnerability security comes in.
Of course you also have the main threat and that is the type of person who specifically wants to see the things they shouldn’t and will attempt to force there way in by any means available to them. The affects can range from the inconvenient, for example the discovery that your web site’s home page has been changed.
To the really damaging problem of theft of your customers personal data and your entire database, plus the inclusion of viruses and Trojans to spread to customers pcs the next time they visit your site. To stop this you must include vulnerability security in your system design.
It’s well known in website security forums that badly designed and updated software opens up possible security holes in your system, also that overly complex software also contains bugs that can be exploited. The problem is web servers are usually large and complex programs that can contain security flaws causing web server security issues and that’s why It’s so important to understand web server management.
CGI scripts can be executed via remote request due to the open architecture of web servers. There is a good chance that any of the CGI scripts installed on your web site could contain bugs or flaws and could be a potential security hole and this is not the problem of your hosting provider.
The general goal for all web developers in relation to web server management and vulnerability security concerning network security of their web servers is to keep the bad guys out and control their database and website. The irony is that the whole idea of a website is to provide the world with access to certain parts of your database and network. A badly configured and maintained website and web server can result in large holes in the most carefully designed firewall. Yet over eager controls can make the website hard to use and not customer friendly.
There is a general opinion by most web users that surfing the web from their home is safe but it is not. Web pages contain such things as active content like ActiveX controls and Java applets. These can introduce the possibility of viruses or other malicious code or software into the user’s system when they are browsing without their knowledge.
Active content can also cause major problems if not controlled properly. ActiveX is not the only problem the mere act of browsing the internet leaves a record of your surfing history for an unscrupulous person to reconstruct an accurate picture of your surfing tastes and habits.
Also the users and web developers implementing web server management need to worry about the lack of confidentiality of the transmitted data across the internet. The protocol (TCP/IP) was not designed to ensure security and so is vulnerable to eavesdropping over the network. Most of the data transmitted over TCP/IP is in the clear.
When a sensitive document is transmitted from the website server to the internet browser or a customer sends their private or personal home banking details to a website someone may be eavesdropping on that transmission.
To help you ensure that you are not taking unnecessary risks with your service and customer data remember these simple tips:
Remove unnecessary services like interpreters – If you don’t need services such as FTP (File Transfer Protocol) remove it. FTP is a protocol that comes with your website server and could be used by hackers. Spend some time analyzing your scripting languages and remove any that are not required for the website.
Make sure you enroll in the security list for your server vendor – You don’t necessarily have to join up with them but you must at least monitor their website on a regular basis for any new patches and make sure you apply them straight away. Also make sure you checkout your operating system for updates and patches as well.
Use strong passwords – Try to avoid easy to guess passwords and use alpha-numeric, this means adding numbers, symbols and capitals to make guessing and cracking much harder. But don’t make the password policy so strict that it makes remembering your password to hard. Make sure you always change the default password and remove unused accounts.
Monitor your server logs – All request and activity on your web server is tracked so review the logs regularly for signs of suspicious behavior.
Segregate you Data – Separate any private customer information from publicly available data by storing them on different machines if you can.
Learn how to configure your server properly – It’s important than you understand the basics about configuring servers so try to limit the executable files to your specific directories and make sure that the source coding cannot be downloaded.
Automatic directory indexing is another service you can disable if you don’t need it. Any automated security tools you can run that are supplied or provided by your OS or web server vendor. Some examples of such tools include Microsoft IIS Lockdown Tool. This will help to identify potential weak spots in your settings.
Check programs for security holes. An area that is particularly prone to security breaches is CGI scripts on web servers especially if the scripts do not validate the user supplied data before trying to accessing operating-system services or system files.