Hardening the Application Environment
Many web application servers are attacked every day. The best defense against such attacks is to ensure that server hardening is a well-established practice within your organization. All devices and software involved in deploying and supporting a web application, such as servers, firewalls, databases and others, must be securely configured. Some common server hardening tips and tricks include:
- Avoid using insecure protocols that send your information or passwords in plain text.
- Minimize unnecessary software on your servers.
- Keep your operating system up to date, especially security patches.
- Do not use default accounts and passwords.
- User accounts should have very strong passwords.
- Change passwords on a regular basis and do not reuse them.
- Lock accounts after too many login failures. Often these login failures are illegitimate attempts to gain access to your system.
- Do not permit empty passwords.
- Unnecessary services should be disabled, especially remote access, unless carefully configured to control client access.
- Minimize open network ports to only what is needed for your specific circumstances.
- Configure the system firewall. Proper setup of a firewall itself can prevent many attacks.
- Maintain server logs; mirror logs to a separate log server.
- Limit user accounts to accessing only what they need. Increased access should only be granted on an as-needed basis.
- Maintain proper backups.
- Don't forget about physical server security.
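
Several of the items above (no empty passwords, restrict remote access, avoid plain-text protocols, minimize open ports) can be checked mechanically. The script below is an added example, not part of the original page: it audits three kinds of input that an administrator would normally collect from the host, here replaced by constructed sample data (a shadow-file excerpt, an sshd_config, and trimmed `ss -tuln` output). The allow-list of expected ports, the sshd settings it checks, and the set of plain-text protocol ports are assumptions chosen for the example.

```python
"""Audit constructed hardening inputs for empty passwords, weak sshd settings and
exposed plain-text services. Added example; all sample data below is constructed."""

# Constructed /etc/shadow-style excerpt. An empty second field means no password.
SAMPLE_SHADOW = """root:$6$abc$hashedvalue:19000:0:99999:7:::
admin::19000:0:99999:7:::
deploy:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

# Constructed sshd_config with the weak settings ...
WEAK_SSHD_CONFIG = """# sample config (constructed)
Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes
"""

# ... and the corrected form of the same file.
HARDENED_SSHD_CONFIG = """# sample config (constructed)
Port 22
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
"""

# Constructed `ss -tuln`-style listing, trimmed to the columns used here.
SAMPLE_LISTENERS = """Netid State  Recv-Q Send-Q Local Address:Port
tcp   LISTEN 0      128    0.0.0.0:22
tcp   LISTEN 0      128    0.0.0.0:443
tcp   LISTEN 0      128    0.0.0.0:23
tcp   LISTEN 0      128    127.0.0.1:3306
tcp   LISTEN 0      128    0.0.0.0:21
"""

# Assumed policy: sshd settings and the values we accept for each.
SSHD_EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "permitemptypasswords": {"no"},
    "passwordauthentication": {"no"},
}

# Assumed list of services that carry credentials in plain text.
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}


def find_empty_passwords(shadow_text):
    """Return account names whose password field is empty (login without a password)."""
    accounts = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1] == "":
            accounts.append(fields[0])
    return accounts


def audit_sshd_config(config_text):
    """Return {setting: offending_value} for settings that deviate from SSHD_EXPECTED."""
    seen = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen[parts[0].lower()] = parts[1].strip().lower()
    findings = {}
    for key, allowed in SSHD_EXPECTED.items():
        value = seen.get(key)
        if value is None:
            findings[key] = "not set (default applies; set it explicitly)"
        elif value not in allowed:
            findings[key] = value
    return findings


def audit_listeners(ss_text, allowed_ports):
    """Return (unexpected, plaintext): network-reachable listeners that are not on the
    allow-list, and listeners on ports of plain-text protocols."""
    unexpected, plaintext = [], []
    for line in ss_text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        addr, _, port = parts[4].rpartition(":")
        port = int(port)
        if addr.startswith("127.") or addr == "[::1]":
            continue                               # loopback only; not exposed
        if port in PLAINTEXT_PORTS:
            plaintext.append((addr, port, PLAINTEXT_PORTS[port]))
        if port not in allowed_ports:
            unexpected.append((addr, port))
    return unexpected, plaintext


if __name__ == "__main__":
    print("empty passwords:", find_empty_passwords(SAMPLE_SHADOW))
    print("weak sshd settings:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened sshd settings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
    print("listeners:", audit_listeners(SAMPLE_LISTENERS, allowed_ports={22, 443}))
```

On a real host the three inputs would come from `/etc/shadow` (read as root), `/etc/ssh/sshd_config` and `ss -tuln`; the checks are deliberately conservative, so an unset sshd option is reported rather than assumed safe, and only loopback-bound listeners are ignored.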
 
Please refer to information about securing your specific web server and OS, which can generally be found online.