
6. Secure Server Environment

Any website, application, or server must integrate basic security measures in accordance with best practices – not only for network communication, but also for authentication and infrastructure.

Securing Communication Networks

  • Implement TLS version 1.2 or 1.3 (which replaces SSL) on all websites and for data transfers in your mobile applications, e.g., using Let’s Encrypt. Use only the latest versions and verify correct implementation.

  • Make the use of TLS mandatory for all pages on your website and for your mobile applications.

  • Limit communication ports to only those necessary for the applications’ functionality. If access to a web server is only possible via the HTTPS protocol, only ports 443 and 80 should be accessible, while all other ports are blocked by the firewall.

  • OWASP has published various cheat sheets for, among other things, correct implementation of TLS and securing web services.
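An added example (not part of the original guide, and not code from the organization that published it) that turns the first three points of this section into checks a server team can run: a Python `ssl` server context that refuses anything below TLS 1.2 and offers only forward-secret AES-GCM/ChaCha20 suites (this also covers the cipher-suite point under "Securing Authentication" below), a filter that flags RC4/MD5/DES-style suites in any list of suite names, and an audit of `ss -tln`-style listening-port output against a port allowlist of 80 and 443. The `ss` output, the allowlist and all function names are constructed for the example; loopback-only listeners are deliberately not reported as exposed, since they are unreachable from the network.

```python
import ssl

# Algorithms the checklist says to disable; matched case-insensitively against suite names.
WEAK_MARKERS = ("RC4", "MD4", "MD5", "DES", "NULL", "EXPORT", "ANON")

# Policy for an HTTPS-only web server: only these TCP ports may be reachable from outside.
# (Constructed for this example; derive yours from what the application really needs.)
ALLOWED_PORTS = {80, 443}
LOOPBACK = {"127.0.0.1", "::1"}


def make_server_tls_context() -> ssl.SSLContext:
    """Server-side context that refuses SSLv3, TLS 1.0 and TLS 1.1 and offers only
    forward-secret AEAD suites (AES-GCM or ChaCha20); RC4, MD5, 3DES and anonymous
    suites are excluded explicitly."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def negotiable_cipher_names(ctx: ssl.SSLContext):
    """Names of the suites this context would actually offer during a handshake."""
    return [c["name"] for c in ctx.get_ciphers()]


def find_weak_ciphers(names):
    """Return the suite names that rely on one of the WEAK_MARKERS algorithms."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def parse_listeners(ss_output: str):
    """(address, port) pairs from `ss -tln`-style output; the header line is skipped."""
    listeners = []
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)      # "0.0.0.0:443" or "[::]:443"
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def exposed_unexpected_ports(ss_output: str, allowed=ALLOWED_PORTS):
    """Ports bound to a non-loopback address that the policy does not allow.
    A service bound only to 127.0.0.1/::1 is unreachable from the network, so it is
    not reported here (it is still worth knowing about)."""
    return sorted({port for addr, port in parse_listeners(ss_output)
                   if addr not in LOOPBACK and port not in allowed})


# Constructed sample of `ss -tln` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      511             [::]:443          [::]:*
"""

if __name__ == "__main__":
    ctx = make_server_tls_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    print("weak suites offered:", find_weak_ciphers(negotiable_cipher_names(ctx)))
    print("unexpected exposed ports:", exposed_unexpected_ports(SAMPLE_SS_OUTPUT))
```

On the sample output the audit reports port 22 (SSH bound to all interfaces) and stays quiet about 3306, which is bound to loopback only; the context check confirms that none of the suites the server would negotiate use RC4, MD5 or DES.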

Securing Authentication

  • Follow CNIL’s recommendations on passwords. Remember especially to limit the number of login attempts.

  • Never store passwords in plain text. Hash them with a recognized library, such as bcrypt.

  • If cookies are used for authentication, it is recommended:

    • to force the use of HTTPS via HSTS;
    • to use the secure flag;
    • to use the HttpOnly flag.

  • Test the cryptographic suites on your systems and disable outdated algorithms (RC4, MD4, MD5, etc.). Use AES-256 where possible. Read OWASP’s note on the subject.

  • Adopt a specific password policy for administrators. Change passwords when an administrator leaves the organization or on suspicion of breach. Use strong authentication where possible.

  • Limit access to administration tools and interfaces to qualified personnel. Encourage the use of low-privilege accounts for daily tasks.

  • Remote access to administration interfaces must be subject to increased security measures. For internal servers, it may for example be a good solution to implement a VPN with strong authentication of both user and workstation.
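An added example (not code from the original guide or its publisher) showing the three application-side points of this section together: salted password hashing with constant-time verification, a login service that locks an account after a fixed number of failed attempts, and the response headers that force HTTPS (HSTS) and mark the session cookie Secure and HttpOnly. `hashlib.scrypt` from the standard library stands in for the bcrypt library the checklist recommends, so the example runs without extra packages; the limits (5 attempts, 15-minute lockout), the class and function names and the clock injection are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Policy values for this example (constructed; the checklist sets no specific numbers).
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash stored as 'scrypt$<salt-hex>$<digest-hex>'.
    scrypt is the stdlib stand-in used here for bcrypt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            dklen=32, **SCRYPT_PARAMS)
    # Constant-time comparison so response time does not reveal how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Verified against for unknown usernames so that they take as long as known ones.
_DUMMY_HASH = hash_password("placeholder-not-a-real-password")


class LoginService:
    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable so lockout expiry can be tested
        self._users = {}               # username -> stored hash
        self._failures = {}            # username -> consecutive failed attempts
        self._locked_until = {}        # username -> clock value when lockout ends

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        return self._clock() < self._locked_until.get(username, 0.0)

    def login(self, username: str, password: str) -> bool:
        if self.is_locked(username):
            return False               # rejected even if the password is right
        stored = self._users.get(username)
        if stored is None:
            verify_password(password, _DUMMY_HASH)   # burn the same time, then fail
            ok = False
        else:
            ok = verify_password(password, stored)
        if ok:
            self._failures.pop(username, None)
            return True
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
            self._failures.pop(username, None)
        return False


def session_headers(token: str, max_age: int = 3600) -> dict:
    """Headers for issuing a session cookie: HSTS forces HTTPS for a year, Secure keeps
    the cookie off plaintext connections, HttpOnly keeps it away from page scripts."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": f"session={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax",
    }
```

A locked account rejects even the correct password until the window has passed, which is the behaviour the "limit the number of login attempts" point asks for; in production the counters would live in shared storage rather than in one process.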

Securing Infrastructure

  • Take regular, encrypted backups and test them regularly. This is especially important in case of ransomware attacks, as backups are often the only option to restore systems.

  • Minimize the software stack and for each element:

    • Install critical updates as quickly as possible and schedule automatic weekly checks;
    • Automate vulnerability monitoring by, for example, subscribing to NVD Data Feeds.

  • Use vulnerability scanners for critical processes to identify security flaws. Also consider systems for detecting and preventing attacks on critical systems or servers. These tests should be performed regularly and before new software versions go into production.

  • Limit or prohibit physical and software access to diagnostic and remote configuration ports. Use, for example, the netstat tool to list open ports.

  • Protect databases accessible from the internet by limiting access as much as possible (e.g., via IP filtering) and by changing the default administrator password.

  • Good practices in database administration include:

    • Use of nominative accounts for database access and creation of separate accounts for each application;
    • Removal of administrative rights from user and application accounts to prevent changes to database structure (tables, views, procedures, etc.);
    • Implementation of protection against SQL and script injection attacks;
    • Encryption of both disk and database to secure data at rest.
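An added example (not part of the original guide) for the two application-level points in the list above: protection against SQL injection, and an application connection that cannot change the database structure. It uses an in-memory SQLite database with a constructed customer table; the vulnerable lookup pastes the caller's value into the SQL text, the hardened one binds it as a parameter, and SQLite's `query_only` pragma approximates an application account stripped of administrative rights (in a server database this is done with account privileges instead). Function names and the sample rows are constructed for the example.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory database with a constructed customer table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)")
    conn.executemany("INSERT INTO customer (email, plan) VALUES (?, ?)", [
        ("ann@example.com", "basic"),
        ("bob@example.com", "premium"),
        ("cat@example.com", "basic"),
    ])
    conn.commit()
    return conn


def find_customer_unsafe(conn, email: str):
    """Vulnerable: the user-supplied value becomes part of the SQL text, so quotes in it
    are parsed as SQL. Kept only to contrast with the hardened version."""
    sql = "SELECT email FROM customer WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def find_customer_safe(conn, email: str):
    """Hardened: the value travels as a bound parameter and is never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM customer WHERE email = ?", (email,))]


def restrict_to_queries(conn) -> sqlite3.Connection:
    """Approximate a least-privilege application account: with query_only set, every
    data- or schema-changing statement on this connection fails."""
    conn.execute("PRAGMA query_only = ON")
    return conn


def can_drop_table(conn) -> bool:
    """True if this connection is allowed to change the schema (it should not be)."""
    try:
        conn.execute("DROP TABLE customer")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    conn = make_demo_db()
    probe = "' OR '1'='1"          # classic test value that should match nothing
    print("unsafe:", find_customer_unsafe(conn, probe))   # returns every row
    print("safe:  ", find_customer_safe(conn, probe))     # returns []
    app_conn = restrict_to_queries(make_demo_db())
    print("app account can drop table:", can_drop_table(app_conn))   # False
```

With the probe value the string-built query returns all three rows because the quote closes the literal and the `OR` is evaluated as SQL; the parameterized query compares the whole string to the column and returns nothing. The query-only connection still serves reads but refuses the `DROP TABLE`.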
