Basic security principles

The article "Ensuring website safety" is provided by Sophos Plc and SophosLabs.

December 2007

The first stage of designing, creating or using a secure site is to ensure maximum security of the hosting server.

A web server is formed by several layers of software, and each of them is subject to different kinds of attacks, as shown on the diagram below. Remember: any block can be targeted in an attack.

The basis of each server is the operating system. Securing it is rather easy. You just have to install updates when they are released. This doesn't take a lot of effort. Microsoft [1] and many Linux flavors allow companies to install bug fixes automatically and launch them with one click.

Note that hackers are bound to automate their attacks. For this, they use malware that checks out the servers and searches for one that doesn't have updates installed. It is important to install updates promptly and correctly. Any server without recent updates can be a target for an attack.

In addition, you should update all software that is running on the web server. Turn off or remove any software that is not necessary (for example, a DNS server or remote administration tools like VNC or remote desktop services). If remote administration tools are still needed, ensure that they don't use default passwords or passwords that are easy to guess [2]. This applies not only to the remote administration tools, but also to the user accounts, switches and routers.

The next important point is the antivirus software. Its use is a mandatory requirement for any web server, regardless of the platform it uses. Combined with a flexible firewall, antivirus software is becoming one of the most effective ways to protect against security threats. When the web server is attacked, the hacker tries to load the hacking tools and malware as soon as possible to use the vulnerability in the security system before it is fixed. If the server doesn't have a quality antivirus package, the vulnerability in the security system can stay unnoticed for a long time.

A multilayer approach is best in terms of protection: the network firewall and operating system at the front, with antivirus behind them ready to close any security gaps.

To sum up:

  • Don't install unnecessary components. Each component is a threat. The more of them, the higher the overall risk.

  • Install security updates for the operating system and applications timely.

  • Use antivirus, turn on autoupdates and check regularly if they are installed correctly.

Some of these tasks may seem difficult, but remember that a single gap in security is enough to result in an attack. Potential risks include theft of data and traffic, putting the server IP address on blacklists, damage to the organization's reputation and site instability.

The next important software component is the HTTP server itself. The most popular alternatives are IIS and Apache.