Using Mod_Security to Protect Your Server


In this conclusion to a five-part series on securing your web server, we focus on mod_security. This article is excerpted from chapter four of Securing Ajax Applications: Ensuring the Safety of the Dynamic Web, written by Christopher Wells (O'Reilly, 2007; ISBN: 0596529317). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

Author Info:
By: O'Reilly Media
October 09, 2008
TABLE OF CONTENTS:
  1. Using Mod_Security to Protect Your Server
  2. Actions
  3. PHP
  4. Application Server Hardening

Using Mod_Security to Protect Your Server - PHP
(Page 3 of 4)

PHP has grown from a set of tools that get web sites up and working fast to one of the most popular languages for web site development. The following are some recommendations for hardening web servers that use or support PHP.

Hardening guidelines

  1. Apply all the Apache security hardening guidelines.
  2. Disable allow_url_fopen in php.ini.
  3. Using disable_functions, disable everything you are not using.
  4. Disable enable_dl in php.ini.
  5. Set error_reporting to E_STRICT.
  6. Disable file_uploads in php.ini.
  7. Enable log_errors and ensure the log files have restricted permissions.
  8. Do not use or rely on magic_quotes_gpc for data escaping or encoding.
  9. Set a memory_limit on the memory PHP may consume. 8M is a good default.
  10. Set a location for open_basedir.
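As an added example (not code from the book or from the site), a small Python checker that parses a php.ini text and reports deviations from the ten guidelines above; the sample fragment is constructed, and the 8M ceiling follows the default the text suggests:

```python
import re
# Constructed example, not code from the book: audit a php.ini text against the
# ten guidelines above. Missing directives are flagged, since PHP's own defaults are lax.
BOOL_EXPECTED = {"allow_url_fopen": "off", "enable_dl": "off", "file_uploads": "off",
                 "log_errors": "on", "magic_quotes_gpc": "off"}
MUST_BE_SET = ("disable_functions", "open_basedir")
MEMORY_LIMIT_MAX = 8 * 1024 ** 2                   # 8M, the default the text recommends
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
TRUTHY = ("1", "on", "true", "yes")

def parse_php_ini(text):
    """Return {directive: value} from the active (uncommented) lines of a php.ini."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and whitespace
        if line and not line.startswith("[") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def to_bytes(limit):
    """php.ini size (8M, 512K, 1G) in bytes; -1 means unlimited; None if unparsable."""
    m = re.fullmatch(r"(-?\d+)([kmg]?)", limit.strip().lower())
    if not m:
        return None
    return float("inf") if int(m.group(1)) < 0 else int(m.group(1)) * UNITS[m.group(2)]

def audit_php_ini(text):
    """Return the list of guideline deviations; an empty list means compliant."""
    s, findings = parse_php_ini(text), []
    for key, want in BOOL_EXPECTED.items():
        if key not in s:
            findings.append(f"{key}: not set explicitly, expected {want}")
        elif ("on" if s[key].lower() in TRUTHY else "off") != want:
            findings.append(f"{key}: is {s[key]!r}, expected {want}")
    for key in MUST_BE_SET:
        if not s.get(key):
            findings.append(f"{key}: empty or missing")
    if "e_strict" not in s.get("error_reporting", "").lower():
        findings.append("error_reporting: should be E_STRICT")
    size = to_bytes(s.get("memory_limit", "-1"))  # PHP's default when unset is unlimited
    if size is None or size > MEMORY_LIMIT_MAX:
        findings.append(f"memory_limit: is {s.get('memory_limit', 'unset')!r}, expected 8M or less")
    return findings

# Constructed sample php.ini fragment of the lax kind the guidelines target.
LAX_INI = ("[PHP]\nallow_url_fopen = On ; remote include risk\nfile_uploads = 1\n"
           "log_errors = Off\nerror_reporting = E_ALL\nmemory_limit = 128M\ndisable_functions =\n")
```

Running `audit_php_ini(LAX_INI)` reports nine deviations; feeding it a hardened file that follows every guideline returns an empty list.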

Microsoft Internet Information Server (IIS)

Microsoft Internet Information Services (IIS) is an HTTP server that provides web application infrastructure for most versions of Windows.

In versions of IIS prior to 6.0, the server was not “locked down” by default. This open configuration, although flexible, was not very secure. Many unnecessary services were enabled by default. As threats to the server have increased, so too has the need to harden the server. In these older versions of IIS, hardening the server is a manual process and often difficult to get right.

Lock down server

With IIS 6.0 administrators have more control over how, when, and what gets installed when installing the IIS server. Unlike previous versions, an out-of-the-box installation results in an IIS server that accepts requests only for static files until it is configured to handle web applications; in addition, server timeouts and other security policy settings are configured aggressively.

Secure configurations for web servers

Microsoft also provides a Security Configuration Wizard (SCW) that helps administrators through the configuration of the web server’s security policy.

Hardening guidelines

  1. Make sure that the system IIS is installed on is a secured and hardened Windows environment. Additionally, make sure the server is configured to discourage Internet surfing and email use.
  2. Web site resources (HTML files, images, CSS, and so on) should be located on a nonsystem file partition.
  3. The Parent Paths setting should be disabled.
  4. Potentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp, and Scripts should all be disabled or removed.
  5. The MSADC virtual directory should be secured or removed.
  6. Include directories should not have Read Web permission.
  7. No directories should allow anonymous access.
  8. Only allow Script access when SSL is enabled.
  9. Only allow Write access to a folder when SSL is enabled.
  10. Disable FrontPage extensions (FPSE).
  11. Disable WebDav.
  12. Map all extensions not used by the IIS applications to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer, and so on).
  13. Disable all unnecessary ISAPI filters.
  14. Access to IIS metabase (%systemroot%\system32\inetsrv\metabase.bin) should be restricted via NTFS file permissions.
  15. IIS banner information should be restricted. (IP address in content location should be disabled.)
  16. Make sure certificates are valid, up to date, and have not been revoked.
  17. Use certificates appropriately. (For example, do not use web certificates for email.)
  18. Protect resources with HttpForbiddenHandler.
  19. Remove unused HttpModules.
  20. Disable tracing (Machine.conf).
  21. Disable Debug Compilation (Machine.conf).
  22. Enable Code Access security.
  23. Remove All Permissions from the local Intranet Zone.
  24. Remove All Permissions from the Internet Zone.
  25. Run the IISLockdown tool from Microsoft.
  26. Filter HTTP requests using URLScan.
  27. Secure or disable remote administration of the server.
  28. Set a low session timeout (15 minutes).
  29. Set account lockouts.

Security concerns

  1. Do not install the IIS server on a domain controller.
  2. Do not connect an IIS server to the Internet until it is fully hardened.
  3. Do not allow anyone to log on to the machine locally except for the administrator.

