Controls of Server Vulnerabilities
- Change or disable default users and default settings, and configure the server appropriately.
- Regularly patch the web server.
- Delete unnecessary and unwanted sample scripts.
- Patch security loopholes in the underlying operating system.
- Set up file and directory permissions only as absolutely required.
- Do not perform server changes without an impact analysis.
- Ensure strong passwords for user and administrator accounts.
- Ensure that only the needed ports are open and only need-based services are active.
- Encrypt the traffic as necessary.
- Ensure data files are kept out of the web server's document tree.
- Monitor the logs regularly.
- Delete unnecessary file shares.
- Disable tracing and debugging.
- Check the validity of certificates.
- As much as possible, use a dedicated machine for the web server. Other servers, such as database services, should be installed on separate physical servers.
- Disallow local logins on the web server machine.
- Validate server-side session IDs.
- Scan the server periodically to identify and fix vulnerabilities.
- Perform boundary checking and validation on all inputs.
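The following audit script, added here as an illustration and not part of the original checklist, evaluates a server snapshot against several of the controls above (default users, open ports, permissions beyond what is required, leftover sample scripts, tracing, certificate validity). The snapshot, the default-account list and the allowlists are constructed sample data, not values from a real host.

```python
"""Audit a web-server snapshot against a subset of the hardening checklist."""
import stat

# Assumed policy values (constructed for this example).
DEFAULT_ACCOUNTS = {"admin", "guest", "test"}          # vendor/default names to disable
ALLOWED_PORTS = {22, 443}                               # need-based port allowlist
REQUIRED_MODES = {                                      # maximum permissions per path
    "/var/www/html": 0o755,
    "/var/www/uploads": 0o750,
    "/var/www/html/test.cgi": 0o750,
}
CERT_WARN_DAYS = 30

# Constructed snapshot standing in for data a real collector would gather.
SAMPLE_SNAPSHOT = {
    "enabled_users": ["www-data", "admin", "alice"],
    "listening_ports": [22, 80, 443, 8080],
    "paths": {"/var/www/html": 0o755, "/var/www/uploads": 0o777,
              "/var/www/html/test.cgi": 0o755},
    "sample_scripts": ["/var/www/html/test.cgi"],
    "trace_enabled": True,
    "cert_days_left": 5,
}


def audit(snapshot):
    """Return a list of (control, detail) findings; an empty list means compliant."""
    findings = []
    for user in snapshot["enabled_users"]:
        if user in DEFAULT_ACCOUNTS:
            findings.append(("default-user", user))
    for port in sorted(snapshot["listening_ports"]):
        if port not in ALLOWED_PORTS:
            findings.append(("unneeded-port", port))
    for path, mode in snapshot["paths"].items():
        # Flag world-writable paths and any bits beyond the required maximum.
        allowed = REQUIRED_MODES.get(path, 0o750)
        excess = (mode & 0o777) & ~allowed
        if mode & stat.S_IWOTH or excess:
            findings.append(("excess-permissions", f"{path}:{oct(excess)}"))
    for script in snapshot["sample_scripts"]:
        findings.append(("sample-script", script))
    if snapshot["trace_enabled"]:
        findings.append(("trace-enabled", "HTTP TRACE"))
    if snapshot["cert_days_left"] < CERT_WARN_DAYS:
        findings.append(("cert-expiring", snapshot["cert_days_left"]))
    return findings


if __name__ == "__main__":
    for control, detail in audit(SAMPLE_SNAPSHOT):
        print(f"{control:20} {detail}")
```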