{
	"id": "61ec6f66-e2ac-422b-ae91-c46813958443",
	"created_at": "2026-04-06T03:37:23.552175Z",
	"updated_at": "2026-04-10T13:12:36.018547Z",
	"deleted_at": null,
	"sha1_hash": "4463af86f172ca3913493b040eaef2210f057b46",
	"title": "Keeping Web and Database Servers Secure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45330,
	"plain_text": "Keeping Web and Database Servers Secure\r\nArchived: 2026-04-06 03:10:25 UTC\r\nVarious high-profile hacking attacks have proven that web security remains the most critical issue for any business that conducts its operations online. Web servers are one of the most targeted public faces of an organization, because of the sensitive data they usually host. Securing a web server is as important as securing the website or web application itself and the network around it. If you have a secure web application and an insecure web server, or vice versa, it still puts your business at a huge risk. Your company’s security is only as strong as its weakest point.\r\nAlthough securing a web server can be a daunting operation and requires specialist expertise, it is not an impossible task. Long hours of research and an overdose of coffee and takeaway food can save you from long nights at the office, headaches and data breaches in the future. Regardless of what web server software and operating system you are running, an out-of-the-box configuration is usually insecure. Therefore one must take some necessary steps in order to increase web server security. Below is a list of tasks one should follow when securing a web server.\r\n1. Remove Unnecessary Services\r\nDefault operating system installations and configurations are not secure. In a typical default installation, many network services which won’t be used in a web server configuration are installed, such as remote registry services, print server service, RAS etc. The more services running on an operating system, the more ports will be left open, thus leaving more open doors for malicious users to abuse. Switch off all unnecessary services and disable them, so that the next time the server is rebooted they are not started automatically. Switching off unnecessary services will also give an extra boost to your server performance, by freeing some hardware resources.\r\n2. Remote access\r\nAlthough nowadays it is not practical, when possible server administrators should log in to web servers locally. If remote access is needed, one must make sure that the remote connection is secured properly, by using tunneling and encryption protocols. Using security tokens and other single sign-on equipment and software is a very good security practice. Remote access should also be restricted to a specific number of IPs and to specific accounts only. It is also very important not to use public computers or public networks, such as internet cafés or public wireless networks, to access corporate servers remotely.\r\n3. Separate development / testing / production environment\r\nSince it is easier and faster for a developer to develop a newer version of a web application on a production server, it is quite common that development and testing of web applications are done directly on the production servers themselves. It is a common occurrence on the internet to find newer versions of a specific website, or some content which should not be available to the public, in directories such as /test/, /new/ or other similar sub directories. Because such web applications are in their early development stages, they tend to have a number of vulnerabilities, lack input validation and do not handle exceptions appropriately. Such applications could easily be discovered and exploited by a malicious user, using freely available tools on the internet.\r\nhttps://www.acunetix.com/websitesecurity/webserver-security/\r\nPage 1 of 4\r\nTo further ease the development and testing of web applications, developers tend to develop specific internal applications that give them privileged access to the web application, databases and other web server resources, which a normal anonymous user would not have. Such applications usually do not have any kind of restriction, since they are just test applications that should be accessed by the developers only. Unfortunately, if development and testing are done on a production server, such applications can easily be discovered by a malicious user, which could help him compromise and gain access to the production server.\r\nIdeally, development and testing of web applications should always be done on servers isolated from the internet, and should never use or connect to real-life data and databases.\r\n4. Web application content and server-side scripting\r\nThe web application or website files and scripts should always be on a separate partition or drive other than that of the operating system, logs and any other system files. Through experience we’ve learnt that hackers who gained access to the web root directory were able to exploit other vulnerabilities, go a step further and escalate their privileges to gain access to the data on the whole disk, including the operating system and other system files. From there onwards, the malicious users are able to execute any operating system command, resulting in complete control of the web server.\r\n5. Permissions and privileges\r\nFile and network service permissions play a vital role in web server security. If a web server engine is compromised via network service software, the malicious user can use the account on which the network service is running to carry out tasks, such as executing specific files. Therefore it is very important to always assign the least privileges needed for a specific network service to run, such as web server software. It is also very important to assign minimum privileges to the anonymous user which is needed to access the website, web application files and also backend data and databases.\r\n6. Install all security patches on time\r\nAlthough having fully patched software does not necessarily mean your server is fully secure, it is still very important to update your operating system and any other software running on it with the latest security patches. Up until this day, hacking incidents still occur because hackers took advantage of and exploited unpatched servers and software.\r\n7. Monitor and audit the server\r\nAll the logs present on a web server should ideally be stored in a segregated area. All network service logs, website access logs, database server logs (e.g. Microsoft SQL Server, MySQL, Oracle) and operating system logs should be monitored and checked frequently. One should always be on the lookout for strange log entries. Log files tend to give all the information about an attempted attack, and even a successful attack, but most of the time these are ignored. If one notices strange activity in the logs, this should immediately be escalated so the issue can be investigated to see what is happening.\r\n8. User accounts\r\nUnused default user accounts created during an operating system install should be disabled. There is also a long list of software that, when installed, creates user accounts on the operating system. Such accounts should also be checked properly and their permissions changed as required. The built-in administrator account should be renamed and not used; the same goes for the root user on a Linux / Unix installation. Every administrator accessing the web server should have his own user account, with the correct privileges needed. It is also good security practice not to share each other’s user accounts.\r\n9. Remove all unused modules and application extensions\r\nA default Apache installation has a number of pre-defined modules enabled which, in a typical web server scenario, are not used unless they are specifically needed. Turn off such modules to prevent targeted attacks against them.\r\nThe same applies to Microsoft’s web server, Internet Information Services. By default, IIS is configured to serve a large number of application types, e.g. ASP, ASP.NET and more. The list of application extensions should only contain the extensions the website or web application will be using. Every application extension should also be restricted to specific HTTP verbs only, where possible.\r\n10. Use security tools provided with web server software\r\nMicrosoft released a number of tools to help administrators secure IIS web server installations, such as URLScan. There is also a module called mod_security for Apache. Although configuring such tools is a tedious process and can be time consuming, especially with custom web applications, they do add an extra bit of security and peace of mind.\r\n11. Stay informed\r\nNowadays, information and tips on the software and operating system being used can be found freely on the internet. It is very important to stay informed and learn about new attacks and tools, by reading security-related magazines and subscribing to newsletters, forums or any other type of community.\r\n12. Use Scanners\r\nScanners are handy tools that help you automate and ease the process of securing a web server and web applications. Acunetix Web Vulnerability Scanner also ships with a port scanner, which when enabled will port scan the web server hosting the web application being scanned. Similar to a network security scanner, Acunetix WVS will launch a number of advanced security checks against the open ports and network services running on your web server.\r\nAcunetix Web Vulnerability Scanner ensures website and web server security by checking for SQL Injection, Cross-site scripting, web server configuration problems and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic Web 2.0 content and other web applications. As the scan is completed, the software produces detailed reports that pinpoint where vulnerabilities exist.\r\nSource: https://www.acunetix.com/websitesecurity/webserver-security/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.acunetix.com/websitesecurity/webserver-security/"
	],
	"report_names": [
		"webserver-security"
	],
	"threat_actors": [],
	"ts_created_at": 1775446643,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4463af86f172ca3913493b040eaef2210f057b46.pdf",
		"text": "https://archive.orkl.eu/4463af86f172ca3913493b040eaef2210f057b46.txt",
		"img": "https://archive.orkl.eu/4463af86f172ca3913493b040eaef2210f057b46.jpg"
	}
}