Web Server Maintenance & Support
Running a web server can be a demanding task, often requiring someone to be on call to assist in case of website or server downtime. Data centres will provide hardware-related support for non-configuration-related queries, with any additional support often being charged at very high rates. A well-maintained server only requires minimal maintenance to reduce downtime and ensure high levels of availability. A thorough understanding of each component utilised is required to run a successful website and associated services on a dedicated server and to avoid matters that could cause reliability issues.
We provide the following services for clients running their own dedicated server:
Best practice audits
A well-configured web server will provide a protected foundation for hosting your web applications. Poorly configured virtual directories are a common mistake which can lead to unauthorised access; a forgotten file share can provide a convenient back door, while an overlooked open port can be an attacker’s front door.
We can provide a detailed audit of your web server, checking the following key areas:
Patches and Updates
Many security threats are caused by vulnerabilities that are widely published and well known. In many cases, when a new vulnerability is discovered, the code to exploit it is often posted on internet forums and blogs within hours of the first successful attack. If the server is not adequately patched and up to date, it is providing opportunities for attackers to use malicious code to exploit vulnerabilities.
Services
Running services are prime vulnerability points for hackers if they know how to exploit their privileges and capabilities – checks are made to see if running services are required and secured. If the software is not secure, but the service is required, we can advise on more secure alternatives.
Protocols
Protocols using clear text are inherently insecure, for example FTP, POP3, SMTP and Telnet. If use of some of these services cannot be avoided, appropriate measures can be taken to provide secure authentication and communication.
Accounts
Accounts grant authenticated access to the server, and these accounts must be audited. Is the account necessary? How much access does it have or require? Is it a common account that can be targeted for attack? Accounts can be configured to help prevent elevation of privilege, brute force and dictionary attacks can be slowed down with strong password policies, and accounts can be audited to alert on logon failures.
Files, Directories and Shares
Files, directories and shares should be set up with restricted NTFS permissions that only allow access to necessary Windows services and user accounts. Windows auditing can also be set up to detect suspicious or unauthorised activity.
Ports
Services that run on the server listen on specific ports so that they can respond to incoming requests (for example, IIS usually listens on port 80 for HTTP traffic and port 443 for HTTPS traffic). Ports can be audited to detect active services running on the server, and any open port that shouldn’t be open is usually a sure sign of unauthorised access and a security compromise.
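One way to carry out the port audit described above, combined with the clear-text protocol check from the Protocols section (an added example, not Keydata Solutions' own tooling). The sample `netstat` output is constructed, and the allow-list of 80, 443 and 3389 and the function name `Get-ListenerFinding` are assumptions for illustration:

```powershell
# Constructed sample of `netstat -ano -p TCP` output (not from a real server).
$sample = @'
  TCP    0.0.0.0:21       0.0.0.0:0            LISTENING       1480
  TCP    0.0.0.0:80       0.0.0.0:0            LISTENING       4
  TCP    0.0.0.0:443      0.0.0.0:0            LISTENING       4
  TCP    0.0.0.0:3389     0.0.0.0:0            LISTENING       1012
  TCP    0.0.0.0:4444     0.0.0.0:0            LISTENING       2256
  TCP    [::]:443         [::]:0               LISTENING       4
  TCP    10.0.0.5:80      203.0.113.7:51522    ESTABLISHED     4
'@ -split "`r?`n"

# Assumed policy: HTTP/HTTPS for IIS plus 3389 for remote administration.
$allowed   = 80, 443, 3389
# Default ports of the clear-text protocols listed under "Protocols".
$clearText = @{ 21 = 'FTP'; 23 = 'Telnet'; 25 = 'SMTP'; 110 = 'POP3' }

function Get-ListenerFinding {
    param(
        [string[]]  $NetstatLines,
        [int[]]     $AllowedPorts,
        [hashtable] $ClearTextPorts
    )
    foreach ($line in $NetstatLines) {
        # Only LISTENING rows matter; established connections are skipped.
        if ($line -notmatch '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            continue
        }
        $address = $Matches[1]
        $port    = [int]$Matches[2]
        $procId  = [int]$Matches[3]

        # A clear-text service is flagged even if its port is on the allow-list.
        $status = if ($ClearTextPorts.ContainsKey($port)) {
            "CLEAR-TEXT ($($ClearTextPorts[$port]))"
        } elseif ($AllowedPorts -notcontains $port) {
            'UNEXPECTED'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Address = $address; Port = $port; OwningPid = $procId; Status = $status
        }
    }
}

# Report only the listeners that need attention.
Get-ListenerFinding -NetstatLines $sample -AllowedPorts $allowed -ClearTextPorts $clearText |
    Where-Object Status -ne 'OK' |
    Sort-Object Port
```

On a live server, pass `(netstat -ano -p TCP)` as `-NetstatLines` and look up each flagged `OwningPid` with `Get-Process -Id` to identify the service behind the port.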
Registry
Many security-related settings are stored in the registry and, as a result, the registry must be secured by applying restricted Windows ACLs and by blocking remote registry administration.
Auditing and Logging
Auditing is one of the most important tools for identifying intruders, attacks in progress and evidence of attacks that may have occurred. A combination of Windows and IIS auditing features can be configured to audit the web server. Event and system logs can also be used to detect and troubleshoot security problems.
Sites and Virtual Directories
Sites and virtual directories are directly exposed to the internet. Even though a secure firewall configuration and defensive ISAPI filters can block requests for restricted configuration files or program executables, an in-depth defensive strategy is recommended. This includes such steps as relocating sites and virtual directories to non-system partitions and using IIS web permissions to further restrict access.
Script Mappings
Removing all unnecessary script mappings for optional file extensions prevents attackers from exploiting any bugs in the ISAPI extensions that handle these types of files. Unused extension mappings are often overlooked and represent a major security vulnerability.
IIS Metabase
The IIS metabase contains IIS configuration settings. Security-related settings must be appropriately configured, and access to the metabase file should be restricted with hardened NTFS permissions.
Firewall Configuration
Firewalls are a necessity, but configuring them so that every internet-based program and service will still work is often troublesome. Most data centre providers offer some form of firewall protection to secure the centre and your server, but are you familiar with how much protection it is providing, and does it protect the server from other servers within the data centre?
Keydata Solutions Limited recommend and configure various types of hardware and software firewalls to protect web servers. We can audit the protection and vulnerabilities of the systems currently in place and, if necessary, recommend solutions to ensure your web server remains secured.
Adding and maintaining websites
Wizard-driven website creation utilities for IIS often use default settings that can provide attackers with the potential to exploit and compromise the server through security vulnerabilities.
We can add and maintain websites on your dedicated server, ensuring they are appropriately configured to cover the following areas:
- Reduce security vulnerabilities
- Set up a redundant or backup copy schedule to provide cover against server failure and other common scenarios
- Configure Application Pooling for maximum web application performance
- Default document ordering
- Custom error pages setup
- Logging settings
- Timeout settings
- Caching configuration
- Working set preferences
DNS setup and maintenance
Domain Name Service (DNS) is often overlooked, yet it provides a very important service. DNS translates domain names into IP addresses. It also lists mail servers accepting email for each domain. In providing a worldwide keyword-based redirection service, DNS is an essential component of internet use.
Depending on your configuration, DNS might be handled through your domain name registrar, or it could be set up and running on your dedicated server. Either way, we can provide the experience to ensure you have correctly configured DNS records for each domain name and, where possible, DNS redundancy to ensure visitors can always resolve your website.
Backup Configuration
Backup is one of the most important factors when running any type of service that users or visitors depend on. Do you have a backup and disaster recovery plan in place? Do you know how long it would take to get your web services back up and running if the server failed? Do you have the most efficient type of backup solution in place for your requirements? Can the backup and restore process be optimised to reduce potential downtime? These are all important factors that need to be considered to ensure you protect your investment using the best and most cost-effective solution possible.
Keydata Solutions Limited can assess and advise on many different types of backup and redundancy solutions, providing reduced downtime or cost-effective failover solutions for critical web applications.
Link Checking
Websites with lots of pages or links can be tedious to check on a regular basis. There may be internal links to old pages that no longer exist, or external links to other sites that have been updated with a new page name or extension.
We provide an automated link checking service which can verify website links, images, frames, plug-ins, backgrounds, local image maps, style sheets, scripts and Java applets. There is no limit to the size of site our automated system can check; it is very efficient and displays results in an easy-to-read format, allowing broken links to be resolved quickly.