Recommendations for Securing a Web Server
Basic Considerations
A web server is, by definition, permanently exposed to the Internet. The general recommendations for securing Internet-facing servers therefore apply to it in full; the measures below cover what is specific to the web server role.
Security Measures
- Web servers exist to serve web applications to the Internet, and the security level of those applications is often poorly known or not known at all. Reduce the chance of a compromise, and limit the damage if one occurs:
  - have the applications penetration-tested before they go into production, and fix what is found;
  - install a web application firewall in front of them, for example Microsoft Forefront for IIS, ModSecurity for Apache or Naxsi for Nginx (ModSecurity also provides connectors for Nginx and IIS; Microsoft has discontinued Forefront TMG, so check support status before relying on it);
  - run the web server process with the fewest rights possible (a dedicated unprivileged account, read-only access to the document root, write access only where uploads require it) and, where possible, confine it in a restricted execution environment such as a chroot, a container or a mandatory access control profile;
  - make sure your developers apply secure coding best practice.
- Some web applications allow files of any kind to be uploaded to the server. Treat every file received this way as untrusted: check it with anti-virus software, verify that its content matches the type you expect, and store it under a server-generated name outside the document root so that it can never be executed or served as code.
- If the database runs on the web server itself, restrict it to local connections only (bind it to localhost or a Unix socket rather than a network interface) and give the application a dedicated database account holding only the rights it needs.
- Consider installing modules that protect against denial of service, in particular connection and request rate limiting (for example mod_evasive for Apache, or the limit_req and limit_conn modules in Nginx).
- Review your log files regularly for anomalies: bursts of requests from a single address, unusual error rates, requests containing path traversal or injection patterns, and the signatures of known scanning tools.
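As an added example (not code from the original page), the following Python script performs that review over access logs in the combined log format written by Apache and Nginx. It flags per-address request bursts, high error ratios, path traversal and SQL injection patterns in the decoded request path, and well-known scanner user agents. The thresholds and pattern lists are assumptions to adjust for your traffic; the sample log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Combined log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed patterns, applied to the URL-decoded request path.
PATH_PATTERNS = [
    ("path traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("sql injection probe", re.compile(r"'\s*or\s*'|union\s+select", re.I)),
]
# Assumed list of scanner names to look for in the user agent.
SCANNER_UA = ("nikto", "sqlmap", "nmap", "masscan")

# Constructed sample: a normal visitor followed by a scanner run from one address.
SAMPLE_LOG = """\
198.51.100.2 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:57:02 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:02:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Nikto)"
203.0.113.7 - - [10/Oct/2023:14:02:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Nikto)"
203.0.113.7 - - [10/Oct/2023:14:02:02 +0000] "GET /../../etc/passwd HTTP/1.1" 400 153 "-" "Mozilla/5.0 (Nikto)"
203.0.113.7 - - [10/Oct/2023:14:02:02 +0000] "GET /login?user=admin'%20or%20'1'='1 HTTP/1.1" 500 0 "-" "Mozilla/5.0 (Nikto)"
203.0.113.7 - - [10/Oct/2023:14:02:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Nikto)"
203.0.113.7 - - [10/Oct/2023:14:02:03 +0000] "POST /upload.php HTTP/1.1" 403 153 "-" "Mozilla/5.0 (Nikto)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = unquote(rec["path"])  # decode %xx so encoded probes are caught too
    return rec


def review(lines, burst_per_minute=5, error_ratio=0.5, min_requests=5):
    """Return a sorted list of (ip, finding) pairs for the given log lines."""
    findings = set()
    requests = Counter()    # requests per address
    errors = Counter()      # 4xx/5xx responses per address
    per_minute = Counter()  # requests per (address, minute)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        requests[ip] += 1
        if rec["status"] >= 400:
            errors[ip] += 1
        per_minute[(ip, rec["time"].replace(second=0))] += 1
        for name, pattern in PATH_PATTERNS:
            if pattern.search(rec["path"]):
                findings.add((ip, name))
        if any(tool in rec["ua"].lower() for tool in SCANNER_UA):
            findings.add((ip, "scanner user agent"))
    for (ip, _minute), n in per_minute.items():
        if n > burst_per_minute:
            findings.add((ip, "request burst"))
    for ip, n in requests.items():
        if n >= min_requests and errors[ip] / n >= error_ratio:
            findings.add((ip, "high error ratio"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, finding in review(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {finding}")
```

Run against a real log with `review(open("/var/log/nginx/access.log").readlines())`; a finding is a prompt for investigation, not proof of compromise, and the per-minute and error-ratio thresholds should be tuned against what normal traffic on your site looks like.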