Server Vulnerabilities + Controls
Web servers are backend programs running on a physical or virtual server that host websites and serve clients the web pages they request. Commonly used examples are Microsoft Internet Information Services (IIS), Apache Web Server, Nginx Web Server, and Tomcat Web Server. Typical vulnerabilities of web servers are:
- Unchanged Default Accounts and Permissions: Servers such as IIS often define default users with default, weak, or empty passwords, and with default permissions that are never reviewed.
- Sample Scripts Are Not Removed: Servers may ship with outdated sample scripts and example applications, which attackers may misuse if they are left deployed.
- Default Configuration Is Not Changed: Unnecessary and unwanted default settings may create loopholes in the server and let attackers exploit them.
- File and Directory Permissions Are Not Set Properly: Inappropriate permissions let attackers read or write directories on the web server that should not be accessible at all.
- Security Loopholes or Defects in the Web Server Software: A server becomes outdated from a security point of view as soon as vulnerabilities in it are discovered and published. Leaving the server unpatched invites attacks against those known flaws.
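The second and fourth items above are the kind of misconfiguration an administrator can check for mechanically. The following added example (not from the original page or any vendor tool) walks a web document root and reports entries that are world-writable and entries whose names match leftover sample or diagnostic content. The lists `SAMPLE_DIRS` and `SAMPLE_FILES` and the fixture built by `build_demo_webroot()` are constructed for the demo; the names in them are illustrative, not an exhaustive inventory.

```python
"""Audit a web document root for two of the misconfigurations listed above:
world-writable files or directories, and leftover sample content.
Hypothetical helper; the directory layout it builds is constructed for the demo."""
import os
import stat
import tempfile

# Constructed, illustrative lists of names that commonly ship as sample or
# diagnostic content with web server installs. Extend them for your platform.
SAMPLE_DIRS = {"examples", "samples", "manual"}
SAMPLE_FILES = {"test-cgi", "printenv", "phpinfo.php"}


def _walk_paths(root):
    """Yield (relative_path, mode, is_dir) for every entry below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            p = os.path.join(dirpath, name)
            yield os.path.relpath(p, root), os.lstat(p).st_mode, True
        for name in filenames:
            p = os.path.join(dirpath, name)
            yield os.path.relpath(p, root), os.lstat(p).st_mode, False


def find_world_writable(root):
    """Entries whose mode grants write permission to 'other' (o+w)."""
    return sorted(rel for rel, mode, _ in _walk_paths(root) if mode & stat.S_IWOTH)


def find_sample_content(root):
    """Entries whose basename matches a known sample/diagnostic name."""
    hits = []
    for rel, _, is_dir in _walk_paths(root):
        base = os.path.basename(rel)
        if (is_dir and base in SAMPLE_DIRS) or (not is_dir and base in SAMPLE_FILES):
            hits.append(rel)
    return sorted(hits)


def audit_webroot(root):
    """Combine both checks into one report keyed by finding type."""
    return {
        "world_writable": find_world_writable(root),
        "sample_content": find_sample_content(root),
    }


def build_demo_webroot():
    """Constructed fixture: a tiny document root with deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "htdocs", "uploads"))
    os.makedirs(os.path.join(root, "examples", "jsp"))
    os.makedirs(os.path.join(root, "cgi-bin"))
    files = {
        os.path.join(root, "htdocs", "index.html"): "<h1>ok</h1>\n",
        os.path.join(root, "examples", "jsp", "snoop.jsp"): "<%-- sample page --%>\n",
        os.path.join(root, "cgi-bin", "printenv"): "#!/bin/sh\nenv\n",
    }
    for path, body in files.items():
        with open(path, "w") as f:
            f.write(body)
    # Normalise everything to a sane baseline first (independent of umask),
    # so the only world-writable entry is the one we introduce on purpose.
    for rel, _, is_dir in list(_walk_paths(root)):
        os.chmod(os.path.join(root, rel), 0o755 if is_dir else 0o644)
    # Mistake 1: uploads directory left world-writable (o+w).
    os.chmod(os.path.join(root, "htdocs", "uploads"), 0o777)
    # Mistake 2: the examples/ tree and cgi-bin/printenv are left in place.
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for kind, paths in audit_webroot(demo).items():
        print(f"{kind}: {paths or 'none'}")
```

Run it against a real document root by calling `audit_webroot("/path/to/htdocs")`; the two lists it returns are the entries to either lock down (`chmod o-w`) or delete before the server is exposed.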