Risks associated with web servers Responses

Provide two (2) substantive 150-word responses, each with a minimum of 1 APA reference, for RESPONSES 1 AND 2 below. The response provided should further discuss the subject or provide more insight. To further understand the responses, below is the discussion post that discusses the responses. 100% original work and not plagiarized. Must meet deadline.

RESPONSE 1:

The Apache web server is an open source web server that was created in 1995. With very little configuration, Apache is able to handle large amounts of traffic, and because it is open source there are developers continuously working on updates and better functionality. Apache can also be used on multiple platforms. Apache is able to accept and route traffic to certain ports. By default it will run on port 80, but with specific address-port combinations it is able to route ports. Some of the ways to make Apache more secure are the following. Disabling the TRACE HTTP request: by default this is enabled and allows cross-site tracing that could potentially expose your cookie information. Disabling the directory listing will prevent access to the files and sub-directories within the browser. Tools that can be used to secure your Apache server include ModSecurity, an open source web application firewall that will provide you with several features designed to protect the server.

The Microsoft Internet Information Server (IIS) has been in service since Windows Server 2003 and only operates on the Windows operating system. Like Apache, you are able to route traffic to other ports. IIS benefits from being popular due to its platform, which supports all the Microsoft applications. Some of the features of IIS are remote management, which allows the management of the program via the command line interface or using PowerShell. IIS also comes with security features that allow users to manage TLS certificates and allow the user to filter requests, which will allow for the traffic of whitelists and blacklists. These are tools that will assist in securing IIS. Disable the OPTIONS method: the OPTIONS method gives a list of the methods supported by a web server, and disabling this ensures that potential attackers won't be able to access the information. Enabling Dynamic IP address restrictions will block access for IP addresses that go over a certain amount of requests. This can prevent denial of service attacks.

Reference 

(February 20, 2020). Ultimate guide IIS server: What is IIS? IIS tutorial. DNS stuff. Retrieved from

Acunetix (November 5, 2014). Microsoft IIS – 8 Tips for security best practices. Acunetix. Retrieved from

Hernandez, J. (May 8, 2019). What is Apache? In-depth overview of Apache Web Server. Sumo Logic. Retrieved from

Kumar, C. (June 6, 2019). Apache web server hardening and security guide. Geekflare. Retrieved from

– VINCENT

RESPONSE 2:

Security on an Apache webserver is only as good as its configuration. Along with proper security configuration, it's important to keep Apache updated with the latest security patches as they become available. The following are some configuration changes for securing an Apache server:

An Apache webserver should be configured to use only what is required for functionality. Configure only the modules required to run functionality and restrict other unnecessary services.

Run as an unprivileged user: this refers to locking down the Apache server with the minimal permissions necessary. This would require setting the server to run as an unprivileged system user versus a root or admin user.

Disabling the server-info directive, server signature and server-status directive prevents the exposure of server information, such as version, paths, data directories, server performance, HTTP requests and client IPs.

Setting the ServerTokens directive to Prod will direct Apache to a specified name, like Apache, in the server response header. This prevents the server from sending server information out when responding to a request.

OpenSSL is one tool I ran into when researching Apache security. Because Apache does not come with encryption, running OpenSSL with it can provide traffic encryption and public/private key pairs to force all traffic over the SSL protocol.

A Microsoft IIS server has similar security configuration recommendations to Apache. These include:

Installing and properly configuring only the necessary modules required for functionality and implementing the least-privilege rule, as well as enabling Windows authentication with extended protection to protect against credential relaying and phishing attacks.

Maintaining up-to-date anti-virus and security patches. Also enabling SSL and SSL certificates.

Web application isolation includes isolating web application pools, ASP.NET temp folders and content, and ensuring access control lists are configured to allow access as per set permissions.

Claudia 

Acunetix. (2021, March 12). 10 tips for apache security. Retrieved August 03, 2021, from https://www.acunetix.com/blog/articles/10-tips-secure-apache-installation/

The most important steps to take to make an Apache server more secure. (n.d.). Retrieved August 03, 2021, from https://help.dreamhost.com/hc/en-us/articles/226327268-The-most-important-steps-to-take-to-make-an-Apache-server-more-secure

Archiveddocs. (n.d.). Security best practices for iis 8. Retrieved August 03, 2021, from https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj635855(v=ws.11)

– CLAUDIA
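
An added example (not part of either response or of the sources they cite): a small Python check for the Apache settings named in Responses 1 and 2, namely TRACE, directory listing, ServerTokens, ServerSignature, the run-as user, and the server-status/server-info handlers. The sample configs and finding names are constructed for illustration, and the parser is a simplification that ignores Include files and per-virtual-host scope.

```python
# Constructed sample configs (not from the page): weak settings vs. hardened ones.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
User root
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Location "/server-status">
    SetHandler server-status
</Location>
"""
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
User www-data
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
"""

def audit(conf_text):
    """Return sorted finding names (names are this example's own) for a config."""
    last = {"traceenable": "on", "servertokens": "full"}  # Apache defaults if unset
    findings = set()
    for raw in conf_text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0][0] in "#<":
            continue  # blanks, comments, section tags, argument-less lines
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if name in ("traceenable", "servertokens", "serversignature", "user"):
            last[name] = args[0]  # simplification: the last occurrence wins
        elif name == "options" and {"indexes", "+indexes", "all"} & set(args):
            findings.add("directory-listing")
        elif name == "sethandler" and args[0] in ("server-status", "server-info"):
            findings.add(args[0] + "-enabled")
    if last["traceenable"] != "off":
        findings.add("trace-enabled")
    if last["servertokens"] not in ("prod", "productonly"):
        findings.add("version-in-server-header")
    if last.get("serversignature", "off") != "off":
        findings.add("server-signature")
    if last.get("user") == "root":
        findings.add("runs-as-root")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(WEAK_CONF), audit(HARDENED_CONF))
```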