Implementing Best Practices

Basic Hygiene

Visibility
  1. Send logs of administrative and web accesses to a central collection point securely.

  2. Alert on the following conditions:

    1. Successful login after three (3) or more failures.

    2. Input validation failures (invalid parameter names and values).

    3. Output validation failures (database recordset mismatch, invalid data encoding).

    4. Authentication successes and failures.

    5. Session management failures (cookie session identification, value modification).

    6. Application errors and system events (file system errors, configuration changes, runtime errors).

  3. Log all network traffic, both accepted and dropped.

    1. Alert on unsolicited outbound network sessions from VPN appliances.

    2. Alert on connections from and to a new geography.

    3. Build views to measure the risk of blocking unsolicited outbound traffic.

Default Deny
  1. Prohibit administrative access from public networks.

  2. Only allow public access to ports configured for web services.

  3. Leverage .htaccess (or other filtering mechanisms) to default-deny visibility to paths/directories/applications.

  4. Block server-initiated sessions except those necessary for support services (i.e., authentication, authorization, DNS, log storage).

Least Privilege
  1. Run web services using accounts with the least necessary privilege.

  2. Prevent access to the server using administratively privileged accounts.

  3. Restrict administrative access to the minimum set of users.

  4. Ensure that directories are not externally navigable/enumerable.

Segmentation
  1. Place web servers in a DMZ.

Configuration
  1. Subscribe to vendor-specific software updates from your vendor. Enable automatic updates (if possible).

  2. If a patch repairs a vulnerability:

    1. Apply patches to internet-facing servers within three (3) days of release.

    2. Apply patches to internal web servers within seven (7) days of release.

  3. Secure backups with annual testing.

  4. Disable unused services on the web server.

  5. Uninstall unnecessary applications.

  6. Minimize enumerability by removing banners, headers and other identifiable information.

Advanced Hygiene

Visibility
  1. Deploy EDR for greater visibility into server operations.

  2. Improved alerting on:

    1. Logging dropouts.

    2. Software crashes and restarts.

    3. Failed logins.

    4. File uploads, including specific file types.

    5. Monitoring for site changes.

    6. Administrative access outside permitted maintenance windows.

    7. Executions with administrative privilege.

    8. Actions performed by service accounts.

    9. Multiple simultaneous logins from various geographies.

    10. Initial execution of software.

    11. Attempts to initiate network sessions to systems not used for support services.

Default Deny
  1. Restrict external access from unapproved cloud and geographic sources.

  2. Restrict access to internal networks to authorized users, content managers, and administrators.

  3. Deploy web application firewall capabilities to extend access control capabilities.

  4. Block administrative access except from bastion hosts.

Least Privilege
  1. Restrict access to internal network resources by user role.

  2. Separate operating system administration from web service administration.

Segmentation
  1. Place web servers into a dedicated network segment with security filtering available for all directions of traffic and connected networks.

  2. Deploy a dedicated segment for administrative traffic.

Configuration
  1. Harden configuration using benchmarks from governments, third parties, or vendors.

  2. Implement application control to prevent the execution of unapproved applications.

Resilient Operations

Visibility
  1. Implement behavior analysis.

    1. “Superman” rules alerting impossible geographic access sources based on time and distance.

    2. Geography, session duration, and transfer sizes are tracked per device and user with anomaly alerting.

    3. Track patterns of administrator access and actions taken with anomaly alerts.

    4. Baseline internal network traffic and alert on odd access patterns based on IP address and network segments.
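
The "Superman" rule in item 1.1 above, as an added example (not code from this page): it compares each user's consecutive logins and alerts when the distance between the two geographies could not have been covered in the elapsed time. The 900 km/h plausibility ceiling, the 50 km same-area floor and the login records are constructed assumptions.

```python
# Added example of a "Superman" (impossible-travel) rule: flag consecutive
# logins by the same user whose separation in distance and time would require
# travel faster than any airliner. Assumptions (not from the page): events
# already carry geolocated lat/lon, and 900 km/h is the plausibility ceiling.
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))

def impossible_travel_alerts(events, max_speed_kmh=900.0):
    """Return (user, from_geo, to_geo, required_speed_kmh) for each pair of
    consecutive logins by one user that would need faster-than-ceiling travel."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            if km < 50:  # same metro area / geolocation jitter: never alert
                continue
            # Zero elapsed time over a real distance is an infinite speed.
            speed = float("inf") if hours <= 0 else km / hours
            if speed > max_speed_kmh:
                alerts.append((user, prev["geo"], cur["geo"], round(speed, 1)))
    return alerts

def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample logins (not real data): an admin in Washington, then the
# "same" admin in Moscow 40 minutes later; a plausible trip for another user.
SAMPLE_LOGINS = [
    {"user": "admin1", "ts": _ts("2024-03-01T08:00:00"), "lat": 38.90, "lon": -77.04, "geo": "Washington, US"},
    {"user": "admin1", "ts": _ts("2024-03-01T08:40:00"), "lat": 55.75, "lon": 37.62, "geo": "Moscow, RU"},
    {"user": "editor2", "ts": _ts("2024-03-01T06:00:00"), "lat": 51.51, "lon": -0.13, "geo": "London, GB"},
    {"user": "editor2", "ts": _ts("2024-03-01T16:00:00"), "lat": 40.71, "lon": -74.01, "geo": "New York, US"},
]

if __name__ == "__main__":
    for alert in impossible_travel_alerts(SAMPLE_LOGINS):
        print("ALERT impossible travel:", alert)
```

In production the lat/lon would come from a GeoIP lookup on the source address, and the ceiling and floor should be tuned against the organisation's own travel patterns to keep false positives down.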

Default Deny
  1. Implement Default Deny for application control.

Least Privilege
  1. Delegate authority to users to perform a minimal set of privileged administration tasks rather than use privileged accounts.

Segmentation
  1. Separate web servers based on the application or site they support. Microsegmentation at a server level is useful but not required.

Configuration
  1. Harden configuration following a CIS Benchmark (https://www.cisecurity.org/cis-benchmarks/) or vendor’s advice as much as possible.

Web Server Resources