Security system

GWS Server Security 

Version 1.0 

Victoriakumar Yallamelli & Paul Carmody

Cloud services

The servers will be hosted with a reliable and trusted cloud service provider such as Azure. As of today, Azure cloud hosting provides best-practice hardware, hardware and software firewalls, and software with excellent server security options, which need to be subscribed to. We will opt for financial-grade secure server hosting, with automated patching, DoS prevention, excellent uptime and support call access.

In addition to the security services provided by the cloud service provider, we will add further security options (below). We aim to maintain OWASP 3.0 standard security practices and testing.

Firewall

The server(s) have the best firewall security installed: WebKnight. WebKnight is OWASP 3.0 compliant. It is highly configurable and automatically updated with patches as new risks are reported. It provides constant transaction monitoring and SQL injection prevention at the IIS level. Here are some of the important features to note:

Logging

By default, all blocked requests are logged. In addition, all allowed requests can be logged as well, or the firewall can be run in logging-only mode. This last mode makes it possible to see attacks in the log files without blocking them. The firewall can also prevent blocked attacks from being logged to the web server log files, so that the web server log files are kept clean and accurate.

Customizable

The firewall can be customized for any need, including blocking certain 0-day exploits before the vendor has released a patch.

Compatible with Web-Based Applications

The firewall is compatible with FrontPage Extensions, WebDAV, Flash, ColdFusion, Outlook Web Access, Outlook Mobile Access, SharePoint and more.

HTTP Error Logging

The firewall can be configured to log the HTTP errors from the web server. This way we can log common errors like ‘404 Not Found’ or more severe ones like ‘500 Server Error’ to the log file. Doing so makes it possible to detect errors in scripts or attacks on them. It can also be used simply to find broken links in the web site or configuration mistakes.

SSL Protection

Unlike traditional firewalls, the firewall can protect encrypted sessions over HTTPS.

Third-Party Application Protection

The firewall not only protects the web server, but can also be configured to protect third-party web server applications, e-commerce web sites or our custom web site.

RFC compliant

The firewall is RFC compliant and also includes the ability to scan the requests for RFC compliance.

Low Total Cost of Ownership (TCO)

The firewall comes with a Windows Installer package and remote installation scripts making it easy to deploy the firewall in the enterprise. The firewall also comes with a graphical user interface for changing the firewall settings.

Run-Time Update

Changes to the settings of the firewall do not require restarting the web server and can thus be made without disrupting any services for the users. For performance reasons, the firewall checks for these changes only once every 1 minute.

Authentication scanning

Authentication scanning makes it possible to detect brute force attacks on accounts or DoS attacks on system accounts. It can also scan for weak passwords.

Connection control/monitoring

The firewall can block or monitor traffic coming from certain IP addresses or ranges as well as monitor access to certain important files or limit the number of requests coming from a single IP address.

Blocking robots

A large robots database makes it possible to block, or to allow only, certain types of robots. It is also possible to set up a bot trap for bad robots and to block aggressive robots.

Prevent hot linking

Hot linking, or direct linking, to certain types of files (like images or file downloads) can be prevented.

Hardening of Servers

This is the second step of securing the servers after the Cloud server service provider has put up their security measures. 

Some of the key activities in hardening the servers are listed below (several other detailed technical activities are also carried out):

Remove unnecessary services

Default operating systems and configurations lack comprehensive security. Generally speaking, there are many network services included in a default installation that won’t be used, from remote registry services to print server service and other features.

The more services are running on the server operating system, the more ports are left open – meaning more doors into the network that a malicious hacker could exploit. As well as helping with security, removing unnecessary services can also boost the server performance.

Create separate environments for development, testing, and production

Development and testing are often done on production servers, which is why one sometimes comes across websites or pages online that feature details like /new/ or /test/ in the URL. Web applications in their early development stages often have security vulnerabilities that can be exploited using freely available online tools.

We minimize the risk of a breach by keeping development and testing on servers isolated from the public internet, and by not connecting them to important data and databases.

Set permissions and privileges

Network service permissions and file permissions play a crucial role in network security. If the web server is compromised through network service software, the bad actor can use whichever account the network service is running under to carry out tasks. Because of this, the simple act of setting minimum privileges for users to access web app files and back-end databases can be instrumental in preventing loss or manipulation of data.

Keeping patches up to date

Failure to keep software up to date with the latest patches can allow cybercriminals to reverse-engineer pathways into the server network.

Segregate and monitor server logs

As part of regular security testing, logs will be stored separately and checked frequently. Unusual log file entries reveal information about attempted and successful attacks and will be investigated as and when they arise.
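
The log review described here and under HTTP Error Logging can be automated. The following is an added example, not part of the original document or of WebKnight: it assumes the logs are in the W3C extended format that IIS writes, and the sample lines, field selection and threshold are constructed for illustration.

```python
from collections import Counter

ERROR_THRESHOLD = 3  # assumed: error responses per client IP before flagging

# Constructed sample in W3C extended log format (documentation IP ranges).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-10 09:00:01 GET /index.asp 198.51.100.20 200
2024-01-10 09:00:02 GET /test/admin.asp 203.0.113.9 404
2024-01-10 09:00:02 GET /new/login.asp 203.0.113.9 404
2024-01-10 09:00:03 GET /backup.zip 203.0.113.9 404
2024-01-10 09:00:04 POST /search.asp 203.0.113.9 500
2024-01-10 09:00:05 GET /old-link.htm 198.51.100.20 404
"""

def parse_w3c(text):
    """Yield one dict per request, named by the most recent #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))

def error_summary(text, threshold=ERROR_THRESHOLD):
    """Return (noisy_ips, not_found) built from 4xx/5xx responses."""
    per_ip = Counter()     # client IP -> number of error responses
    not_found = Counter()  # URL path -> number of 404s (broken links, probes)
    for row in parse_w3c(text):
        status = row.get("sc-status", "")
        if status[:1] in ("4", "5"):
            per_ip[row.get("c-ip", "unknown")] += 1
        if status == "404":
            not_found[row.get("cs-uri-stem", "")] += 1
    noisy = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return noisy, not_found

if __name__ == "__main__":
    noisy_ips, missing = error_summary(SAMPLE_LOG)
    print("Investigate:", noisy_ips)
    print("404 paths:", dict(missing))
```

A single 404 from one address is most likely a broken link; a run of errors from the same address across unrelated paths is the kind of unusual entry to investigate.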

Firewall (Already mentioned above)

Software-based firewalls are easy to set up and manage and will protect the web servers from unauthorized communication and intrusions.

Automatic backups

Making regular server backups ensures that if the security defences are compromised, we can recover and restore data quickly. Automation can improve efficiency, but we will also check for issues that may have interrupted the process. 

Two Step Login for Accounts

On the client side, two-step login will be enabled. This means the user first enters the username and, only after the username's existence has been verified, can enter the password. This prevents robots from automatically generating username and password combinations to attack the site. As both inputs are required from the user at separate times, it brings in a high level of security.

After a certain defined number of failed logins, users will have to authenticate to reset their passwords and regain access to their accounts. Various methods of authentication will be considered; a single method, multiple methods or a mix of methods may be used.

Session objects are used to maintain user state, track login attempts, and apply IP blocking and login controls that prevent multiple logins or robot-style hacking.
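
The two-step flow, failed-login lockout and IP blocking described above fit together as in the following added example, which is not the site's own code. The class name, thresholds, result strings and the use of a plain dict as the session object are assumptions, as is the choice to count unknown usernames against the per-IP limit.

```python
import hashlib, hmac, os
from collections import Counter

MAX_ACCOUNT_FAILURES = 5   # assumed threshold; the page leaves the number open
MAX_IP_FAILURES = 10       # assumed per-IP budget across both steps

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TwoStepLogin:
    def __init__(self):
        self.users = {}               # username -> (salt, password hash)
        self.failures = Counter()     # username -> consecutive bad passwords
        self.ip_failures = Counter()  # client IP -> failures at either step

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def submit_username(self, session, ip, username):
        # Step 1: a verified username is stored in the server-side session.
        if self.ip_failures[ip] >= MAX_IP_FAILURES:
            return "ip_blocked"
        if username not in self.users:
            self.ip_failures[ip] += 1   # username guessing spends the IP budget
            return "unknown_user"
        session["username"] = username
        return "enter_password"

    def submit_password(self, session, ip, password):
        # Step 2: refused unless step 1 already set the username.
        username = session.get("username")
        if self.ip_failures[ip] >= MAX_IP_FAILURES:
            return "ip_blocked"
        if username is None:
            return "username_required"
        if self.failures[username] >= MAX_ACCOUNT_FAILURES:
            return "reset_required"     # locked until the password is reset
        salt, expected = self.users[username]
        if hmac.compare_digest(hash_password(password, salt), expected):
            self.failures[username] = 0
            session["authenticated"] = True
            return "ok"
        self.failures[username] += 1
        self.ip_failures[ip] += 1
        locked = self.failures[username] >= MAX_ACCOUNT_FAILURES
        return "reset_required" if locked else "bad_password"
```

Once an account reaches the threshold, even the correct password returns "reset_required", so the lockout can only be cleared through the separate reset authentication.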

Security steps at Checkout

At checkout, the various security methods described as standard best practice for seamless payment are implemented, along with the fraud prevention mechanisms provided by the payment gateway.