Controls of Server Vulnerabilities

  1. Change or disable default users and default settings, and configure the server appropriately.
  2. Regularly patch the Web Server.
  3. Delete unnecessary and unwanted sample scripts.
  4. Patch up security loopholes on the underlying Operating System.
  5. Set up file and directory permissions only as absolutely required.
  6. Do not perform server changes without impact analysis.

  1. Ensure strong passwords for user and administrator accounts.
  2. Ensure that only the needed ports are open and only the required services are active.
  3. Encrypt the traffic as necessary.
  4. Ensure data files are kept out of the Web Server.
  5. Monitor the logs regularly.
  6. Delete unnecessary file shares.
  7. Disable Tracing and Debugging.
  8. Check the validity of certificates.

  1. As much as possible, use a dedicated machine for the server. Other servers, such as database services, should be installed on separate physical servers.
  2. Disallow local logins on the Web Server machine.
  3. Validate server-side session IDs.
  4. Scan the server periodically to identify and fix vulnerabilities.
  5. Perform boundary checks and validation on all inputs.