Recommendations to secure a Web server
Basic Considerations
A web server is a server permanently connected to the Internet. It is, therefore, advisable to follow the recommendations for securing servers connected to the Internet.
Security Measures
- Web servers have the distinction of serving web applications on the Internet. The level of security of these applications is often little or not known. It is, therefore, important to prevent or even limit the extent of the damage in the event of compromise:
- ensure that your applications have a maximum degree of security by carrying out penetration tests beforehand;
- install an application firewall like Microsoft Forefront, Modsecurity or Naxsi for IIS, Apache, and Nginx respectively;
- limit the rights of the web server application, if possible, contain it in a restricted execution space;
- consider applying good practice rules to your developers.
- Some web applications allow files of any type to be uploaded to the server. It is important to test the downloaded files with an antivirus.
- When using databases on the server itself, consider restricting its access to local users.
- Consider installing modules protecting denials of service.
- Check your log files regularly to find any anomalies.