A guide to web hosting security
In this article, I’ll provide an overview of things to look for when evaluating Web hosting security—as well as checklists for guidance. I wanted to find an acronym that describes a strategy anyone can use. I found a great example posted on Wikipedia (http://en.wikipedia.org/wiki/STRIDE_(security)): “STRIDE is a system for classifying computer security threats developed by Microsoft. It provides a mnemonic for security threats in six categories.” STRIDE stands for
- Spoofing of user identity
- Tampering with data
- Repudiation
- Information Disclosure (privacy breach or data leak)
- Denial of Service
- Elevation of privilege
You can use the acronym as a measurement no matter whether you're developing an application, purchasing a third-party solution, or using an external service. Simply put, do NOT trust anyone, anything, any part of the data, or the infrastructure until it has been validated.
Know Your Requirements
Define your requirements by putting a project plan together. Knowing your needs when approaching a hosting provider can help clarify if they can meet your security needs. The sooner you engage your provider, the more secure your site can be. Here are two sample scenarios.
Scenario 1: ABC Company has been in business for several years and has a large Internet presence. The server configuration uses 13 servers in a web farm behind a hardware load-balancer. The Web farm has multiple Web sites, some of which perform e-commerce transactions. The databases are hosted on a clustered system providing high availability. Two other application servers perform utility and background functions. One of the utility servers hosts a third-party application that is accessed via remote desktop by multiple users from all over the world. In this scenario, here are the requirements:
- Secure remote access via remote desktop
- Hardware load-balancer
- SSL (Secure Sockets Layer) for e-commerce
- PCI compliance
- Dedicated VLANs (virtual local area networks) for servers. You could have a VLAN for Web, application servers, and database
- Dedicated firewall
- VPN solution to allow private access to data
Scenario 2: XYZ Company makes "the example widget." This product has been on the market for a few months. Their market is a small but growing niche. XYZ Company sells their product via their website. They are using a shared hosting plan. In this scenario, here are the requirements:
- SSL for e-commerce
- PCI Compliance
These examples describe how companies would use Web hosting differently. Although the first example was more complex, each requirement is necessary for their particular business. When you're evaluating your requirements, put together something similar to these examples. It can help clarify issues when engaging your web hosting provider.
When developing an application, using the STRIDE strategy can help ensure you have a secure application.
- Validate ALL user-defined input before using it inside a SQL statement or stored procedure
- Protect against cross-site scripting (XSS) attacks
- Have error checking (exceptions will happen!)
- If possible, do NOT store usernames or passwords inside configuration files
- Use encryption to protect sensitive data inside configuration files
- Use SSL to protect sensitive data
The checklist above is meant to highlight some best practices in application development. From a web hosting perspective, one of the items mentioned was encryption. ASP.NET provides built-in encryption using RSA and DPAPI methods. Using these methods can help protect sensitive sections such as connectionStrings and custom application settings. Check whether your provider supports encryption. I’ve worked with clients to have encryption keys on a remote server, which the developer would import on their local machine. This was helpful because the client could control encrypted settings without engaging the provider. You'll find an article on this approach at http://www.asp.net/Learn/data-access/tutorial-73-cs.aspx.
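The remote-key approach described above, as an added example that is not part of the article or of the asp.net tutorial it cites: the RSA key container is created and exported on a key server, imported on the machine that hosts the site, and then used to encrypt the connectionStrings section. The framework path, container name, file paths, site folder and pool identity are assumptions.

```powershell
# Added example, not the article's own: protected configuration with a shared RSA
# key container. Every name below (paths, container, pool identity) is an assumption.
$regiis    = "$env:windir\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"  # use the framework version the site runs on
$container = "HostingRsaKeys"               # assumed machine-level RSA key container
$keyFile   = "D:\keys\HostingRsaKeys.xml"   # assumed export file; it holds the private key
$siteRoot  = "D:\sites\myshop"              # assumed physical path that contains web.config
$poolUser  = "IIS AppPool\MyShopPool"       # assumed application pool identity

# --- On the key server (run once) ---
& $regiis -pc $container -exp           # create the container as exportable
& $regiis -px $container $keyFile -pri  # export it together with the private key

# --- On the web server or developer machine ---
& $regiis -pi $container $keyFile       # import the container
& $regiis -pa $container $poolUser      # let the pool identity read the private key
Remove-Item $keyFile                    # the XML export is sensitive; do not leave it behind

# web.config must reference the container through a provider before encrypting:
#   <configProtectedData>
#     <providers>
#       <add name="HostingRsaProvider"
#            type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
#            keyContainerName="HostingRsaKeys" useMachineContainer="true" />
#     </providers>
#   </configProtectedData>

# Encrypt the section in place, addressing the site by physical directory (-pef).
# -pdf with the same arguments decrypts it again when settings must be edited.
& $regiis -pef "connectionStrings" $siteRoot -prov "HostingRsaProvider"

# Check: the section now carries configProtectionProvider="HostingRsaProvider" and an
# <EncryptedData> element, and no line containing a plaintext Password= remains.
Select-String -Path (Join-Path $siteRoot "web.config") -Pattern "configProtectionProvider|EncryptedData|Password="
```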
SQL injection is a common way web applications are compromised. Microsoft has released a module called URLScan 3.1, which can help protect a server or site against SQL injection attacks. Many of its benefits have also been added to the Request Filtering module, which is new to Windows Server 2008. You shouldn't use URLScan or the Request Filtering module as a substitute for validating user input and secure coding practices. For more information, go to the IIS.net community site (http://www.iis.net/extensions/UrlScan).
Using SSL and encryption is necessary when working with sensitive data.
Web Server Configuration
IIS 6.0 was a huge leap forward in security, although configuration options for developers were limited. IIS 7 builds on top of IIS 6.0 and brings the power of ASP.NET configuration together with a modular install architecture. It’s a win for both administrators and developers.
- Custom Application Pool Identities
- CASPOL / medium or partial trust configuration
- Turn on Custom Error handling
- Install only necessary modules
Other options to help secure your application include running application pools as a user with limited permissions. Windows Server 2008 includes a built-in user called ApplicationPoolIdentity. The user is created when the application pool is created. It’s the most secure option among the built-in accounts. The other option is to use a domain or local user account granted only the necessary permissions. Check with your hosting provider on their strategy. For more information, go to http://technet.microsoft.com/en-us/library/cc731981.aspx.
CASPOL stands for Code Access Security Policy. CASPOL can help lock down ASP.NET applications. Many shared plans require that applications run in medium or partial trust. Using medium trust protects the operating system and other resources from being accessed by the application. If you're developing an application that runs in a partial trust environment, you’ll need to compile your application with the AllowPartiallyTrustedCallers attribute. If you plan to use a third-party component, verify that the component runs in a partial trust environment. Learn more at
Turn on custom error handling. When an error occurs, the error page will not accidentally display sensitive information to visitors or to a search engine indexing your website.
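An added example (not the article's own code) that applies the four checklist items above with appcmd.exe on IIS 7; the site and application pool names are assumptions.

```powershell
# Added example, not the article's: the web server checklist applied with
# appcmd.exe on IIS 7. The site and pool names are assumptions.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = "MyShop"
$pool   = "MyShopPool"

# 1. Custom application pool identity: a dedicated pool that runs under its own
#    virtual ApplicationPoolIdentity account rather than a shared NETWORK SERVICE.
& $appcmd add apppool /name:$pool /processModel.identityType:ApplicationPoolIdentity
& $appcmd set app "$site/" /applicationPool:$pool

# 2. Medium trust: written to the site's web.config as <trust level="Medium" />.
#    Third-party assemblies the site loads must carry AllowPartiallyTrustedCallers.
& $appcmd set config $site -section:system.web/trust /level:Medium

# 3. Custom error handling: ASP.NET shows a generic page to remote visitors, and
#    IIS returns detailed error pages only for requests made from the server itself.
& $appcmd set config $site -section:system.web/customErrors /mode:RemoteOnly "/defaultRedirect:~/error.htm"
& $appcmd set config $site -section:system.webServer/httpErrors /errorMode:DetailedLocalOnly

# 4. Only necessary modules: review what is loaded for the site, then remove what the
#    application does not use (WebDAV is a common candidate when it is not needed).
& $appcmd list modules /app.name:"$site/"
# & $appcmd delete module WebDAVModule /app.name:"$site/"

# Verify the effective settings for the site.
& $appcmd list config $site -section:system.web/trust
& $appcmd list config $site -section:system.web/customErrors
```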
Here is a checklist to use when locking down servers. The checklist provides a strategy and highlights key areas to watch out for.
- Enable Windows firewall
- Have anti-virus software installed
- Rename built-in Administrator account to something custom
- Create a dummy Administrator account and disable it
- Use complex passwords or use password phrases
- Turn off unnecessary services
- Create a separate partition for data, apart from the operating system partition
- Remove default NTFS permissions on the Data partition
- Grant minimum permissions on the Data partition
- Define audit policies, event log policies
- Back up files often and verify they are valid
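An added example, not from the article, that scripts several of the checklist items on Windows Server 2008 from an elevated PowerShell prompt; the new administrator name, data drive, site folder, pool identity and the service shown are assumptions.

```powershell
# Added example, not the article's: scripting part of the lockdown checklist on
# Windows Server 2008. Run elevated. The admin name, drive, site folder, pool
# identity and the service below are all assumptions.
$newAdminName = "hostmaint"               # assumed new name for the built-in Administrator
$dataDrive    = "D:\"                     # assumed data partition, separate from the OS on C:\
$siteRoot     = "D:\sites\myshop"         # assumed site folder on the data partition
$poolUser     = "IIS AppPool\MyShopPool"  # assumed application pool identity

# Enable Windows Firewall on all profiles.
netsh advfirewall set allprofiles state on

# Rename the real built-in Administrator. It is located by its well-known RID (-500)
# rather than by name, so the step still works if the account was renamed before.
$admin  = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
$result = $admin.Rename($newAdminName)
if ($result.ReturnValue -ne 0) { throw "Rename failed with code $($result.ReturnValue)" }

# Create a decoy "Administrator" with a random password and keep it disabled.
Add-Type -AssemblyName System.Web
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$decoy    = $computer.Create("User", "Administrator")
$decoy.SetPassword([System.Web.Security.Membership]::GeneratePassword(20, 4))
$decoy.Put("Description", "Decoy account; keep disabled")
$decoy.SetInfo()
$decoy.InvokeSet("AccountDisabled", $true)
$decoy.SetInfo()

# Turn off unnecessary services (RemoteRegistry is shown as the example).
Stop-Service RemoteRegistry -ErrorAction SilentlyContinue
Set-Service  RemoteRegistry -StartupType Disabled

# Data partition: strip the default broad ACEs, then grant the pool identity only
# read and execute on its own site folder.
icacls $dataDrive /remove:g Users /remove:g "Authenticated Users"
icacls $siteRoot  /grant "${poolUser}:(OI)(CI)RX"

# Audit policy plus a larger Security log (128 MB) so evidence is not overwritten.
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Account Management" /success:enable /failure:enable
wevtutil sl Security /ms:134217728
```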
Windows Server provides a built-in tool called Security Configuration Wizard (SCW). You can run the wizard and develop a policy that can be saved and applied to your servers. The policy could be adapted and controlled via group policy. I've used SCW since Windows 2000. It’s a great tool to help define a baseline when securing a Windows server. For more information, here are a couple links, including my blog posting using SCW:
You also should confirm with your hosting provider whether they deploy the latest security patches and service packs. You’ll have to account for interruption of services when updates are applied. Microsoft usually releases patches on a monthly basis. When evaluating a hosting provider, they might perform some or all of these steps. If you co-locate your servers, you could be responsible for your equipment.
An administrator is only as good as his/her last backup. Backing up files often and verifying they are valid is absolutely necessary. If your site is compromised, you can restore to a last known good backup. Verify your provider offers incremental and full backups.
Your provider could use one or more data centers to host Web sites. Here is a checklist outlining items to verify when it comes to network and data center. Does the provider
- handle Distributed Denial of Service (DDoS) attacks
- implement an intrusion detection system (IDS) or intrusion prevention system (IPS)
- offer a VPN solution
- have shared VLANs
- have dedicated VLANs
- provide firewalls
DDoS is a common attack method hackers use to bring down popular sites. Recently, there was an attack on popular social network sites using DDoS. Most providers will have monitoring and the ability to contain or thwart DDoS attacks. Ask your provider if they have ever had a client experience a DDoS and if they were successful in containing it.
Using IDS/IPS is another way to detect suspicious activity and potentially stop it before it affects the network. IDS is usually passive and warns the provider. IPS can not only monitor but also stop activity that it judges to be malicious. One example would be continuous FTP attempts to log into a Web site. This is common in a shared Web hosting scenario.
Firewalls are the most popular way networks are secured. They provide port-level security before traffic reaches a device. For shared plans, confirm that your server is behind a firewall. For dedicated clients, there is technology to virtualize firewalls. The firewall could be protecting a VLAN in which your servers are configured. Having your own dedicated firewall can help ensure your data is protected and compliant with industry standards.
Here is a checklist for when you're considering data center providers.
- How does the provider secure its data centers?
- How is the facility monitored?
- Do they provide redundant power for servers?
- Do they provide redundant power for data center?
- Do they have cages to isolate different clients?
For companies using a shared plan, you most likely won’t have the ability to isolate your Web site on a protected network. With shared hosting, several Web sites are hosted on servers set up for that purpose. If your plans are to use dedicated hosting, confirm whether the provider offers a dedicated network, along with dedicated firewalls, to isolate your servers.
How a data center provider secures their facility is important when it comes to PCI compliance. For personnel to gain access, they need two levels of authentication, one of which is some type of biometric scanner (e.g., fingerprint or thumbprint).
You also should verify whether your data center provider has redundant power, both at the server level and at the facility itself. Most servers have multiple power supplies. This setup allows for the server to get power from two separate circuits. The data center should have redundant power from either two separate power sources or backup generators. Confirm with your provider whether they have suffered a power outage, how they handled it, and what they did to prevent downtime in the future.
Cloud computing is taking the industry by storm, but traditional security steps still apply when using remote services.
- Consider not storing sensitive information in the cloud
- Have separation so not everyone can see all data
- Implement encryption
- Have legal arrangements with the provider
Although cloud computing is growing in popularity, common sense still applies when using this type of service. When you do not understand something, ask the provider for clarification. For example, because cloud computing is meant to offer high scalability and geographic redundancy, your data could be stored in different locations. Ask the provider whether they can store the data in certain locations for legal reasons. Ask if the provider uses SAS 70 auditing. See the Industry Security Standards section below for more information on SAS 70.
Industry Security Standards
There are industry-level measurements to help determine baselines for securing information. Depending on your requirements, you could need one or more common items. Here is a list to check with your provider.
- PCI compliance
- SAS 70
- Compliance Scanner
PCI (Payment Card Industry) compliance is an industry-driven cooperation by several leading companies to protect account data. For more information, go to https://www.pcisecuritystandards.org/
HIPAA (Health Insurance Portability and Accountability Act) was enacted by the U.S. government in 1996. Its primary purpose is to provide standards for handling health information. For more information, go to http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
SAS 70 stands for Statement on Auditing Standards No. 70. According to Wikipedia, “SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor’s report.” For more information, go to http://en.wikipedia.org/wiki/SAS-70.
When you're responsible for securing an e-commerce website, there are third-party providers who will scan and report any vulnerability. I run a Web site that sells a program called IISLogs (http://www.iislogs.com). When I first started my own e-commerce site, I contracted a service that scanned my site monthly. They would send a notification if there were issues. The monthly scans were helpful and cost effective. You may have the option to handle the scanning yourself.
One popular open source tool is called Nessus (http://www.nessus.org), by Tenable Network Security. Nessus has evolved into a paid product over the past few years, but they still offer an open source version. Other scanners provide similar functionality. Check with your security administrator to see if they have a service to perform timely scans.
PCI compliance is the most common because Web sites usually offer e-commerce functionality. Finding a Web hosting provider that has met one or more standards can tell a lot about the provider. When you're determining your requirements, you should identify whether you need to meet any of these standards.
A crucial part of security management is protecting log files. If your Web site is compromised, a hacker will try to cover his tracks by removing log files and event log entries.
- IIS Logs
- Event Logs
- Custom Application Logging
I suggest a strategy where logs are stored on a remote server or cataloged using a tool such as ArcSight (http://www.arcsight.com). ArcSight monitors your machine's log files. ArcSight offers other tools to help manage logs and audit for compliance. Windows Server 2008 provides the Windows Event Collector service, which allows event log entries to be forwarded to a remote source (http://msdn.microsoft.com/en-us/library/bb513659(VS.85).aspx).
Whether you use a third-party solution or built-in tools, having a log file strategy is critical for maintaining your environment, especially in web hosting. For a dedicated client, you’ll have more say on a log strategy versus a shared environment. Ask your provider about their log file policy. It would not hurt to download your log files periodically and review them using local tools.
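An added example, not the article's, of reviewing a downloaded IIS FTP 7.5 log with a local tool, using the continuous-FTP-login pattern from the IDS/IPS section as the thing to look for; the log lines are constructed and the threshold is an assumption.

```powershell
# Added example, not from the article: offline review of an IIS FTP 7.5 W3C log
# for repeated failed logins. The log lines are constructed; the threshold is an
# assumption. Documentation-range addresses are used for the client IPs.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status sc-win32-status
2009-06-01 02:14:01 203.0.113.7 - 21 USER webadmin 331 0
2009-06-01 02:14:01 203.0.113.7 webadmin 21 PASS *** 530 1326
2009-06-01 02:14:02 203.0.113.7 - 21 USER webadmin 331 0
2009-06-01 02:14:02 203.0.113.7 webadmin 21 PASS *** 530 1326
2009-06-01 02:14:03 203.0.113.7 - 21 USER admin 331 0
2009-06-01 02:14:03 203.0.113.7 admin 21 PASS *** 530 1326
2009-06-01 02:14:04 203.0.113.7 - 21 USER root 331 0
2009-06-01 02:14:04 203.0.113.7 root 21 PASS *** 530 1326
2009-06-01 02:14:05 203.0.113.7 - 21 USER test 331 0
2009-06-01 02:14:05 203.0.113.7 test 21 PASS *** 530 1326
2009-06-01 02:20:10 198.51.100.20 - 21 USER myshop 331 0
2009-06-01 02:20:11 198.51.100.20 myshop 21 PASS *** 230 0
2009-06-01 02:20:12 198.51.100.20 myshop 21 PWD / 257 0
'@

function Find-FtpLoginFailures {
    param([string[]]$Lines, [int]$Threshold = 5)
    $fields   = @()
    $failures = @{}     # client IP -> number of PASS commands answered with 530
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The column layout is declared in the log itself; do not hard-code positions.
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or $line.Trim() -eq '') { continue }
        $cols = $line -split ' '
        $row  = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        # 530 in reply to PASS is "Not logged in": a failed credential check.
        if ($row['cs-method'] -eq 'PASS' -and $row['sc-status'] -eq '530') {
            $failures[$row['c-ip']] = [int]$failures[$row['c-ip']] + 1
        }
    }
    $failures.GetEnumerator() | Where-Object { $_.Value -ge $Threshold } | ForEach-Object {
        New-Object PSObject -Property @{ ClientIp = $_.Key; FailedLogins = $_.Value }
    }
}

# Over the sample, 203.0.113.7 is reported (5 failures) and 198.51.100.20 is not.
Find-FtpLoginFailures -Lines ($sampleLog -split "`r?`n") -Threshold 5 | Format-Table -AutoSize
```

Point the function at `Get-Content` of a real log file to review a day's traffic the same way.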
Here are additional technologies and what to check for.
- DNS security
- Email security
- File Transfer
- SQL Server Security
DNS security should include having recursion disabled and protecting against DNS poisoning. You can find a great resource on DNS information at http://www.dnsstuff.com.
Email security is critical to preventing viruses from being spread. Ensure that your provider has virus checking and spam detection, and that they prevent spam from ending up in your inbox. Since 99.9 percent of email is unsolicited, it’s critical that your provider keep up-to-date on current viruses and spam methodologies.
FTP (File Transfer Protocol) has been around for many years, and it’s still a popular way for Web hosting customers to transfer files back and forth. There are three forms: FTP, FTPS, and SFTP. FTP sends credentials in clear text and can easily be compromised. FTPS (FTP over SSL) uses FTP while encrypting the connection between the client and server. Microsoft released the FTP 7.5 module, which supports FTP over SSL. SFTP, based on SSH, is popular in the UNIX space.
Database security should be considered when developing your application. Using Windows authentication instead of SQL Server accounts is one additional step that keeps user credentials out of application configuration files.
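An added example, not from the article, of the DNS and FTPS settings just described, applied with dnscmd.exe on a Windows DNS server and appcmd.exe on IIS FTP 7.5; the FTP site name is an assumption and the certificate thumbprint is a placeholder.

```powershell
# Added example, not the article's: DNS recursion disabled and FTP 7.5 forced onto
# SSL. The FTP site name is assumed; the thumbprint is a placeholder to fill in
# from the certificate store.
$appcmd   = "$env:windir\system32\inetsrv\appcmd.exe"
$ftpSite  = "MyShopFtp"                           # assumed FTP site name
$certHash = "<THUMBPRINT-OF-THE-SERVER-CERT>"     # placeholder

# DNS: a server that is authoritative for your zones should not answer recursive
# queries from the Internet; that removes the cache an attacker would try to poison.
dnscmd /Config /NoRecursion 1
dnscmd /Info | Select-String NoRecursion          # verify the setting took effect

# FTP 7.5: the default SslAllow still permits clear-text sessions. Require SSL on the
# control channel (credentials) and the data channel (file contents).
$ssl = "/[name='$ftpSite'].ftpServer.security.ssl"
& $appcmd set config -section:system.applicationHost/sites "$ssl.serverCertHash:$certHash" "$ssl.controlChannelPolicy:SslRequire" "$ssl.dataChannelPolicy:SslRequire" /commit:apphost

# Verify: both policies should read SslRequire.
& $appcmd list site $ftpSite /config | Select-String -Pattern "ChannelPolicy|serverCertHash"
```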
You'll find a variety of websites that track all kinds of threats and provide up-to-date information. Some of the sites provide mailing lists and offer monthly notifications. At a minimum, you should sign up for the monthly patching list from Microsoft. Here are some of the sites:
- CERT Coordination Center -- http://www.cert.org/
- SecurityFocus, which covers multiple platforms and hosts the BugTraq mailing list -- http://www.securityfocus.com/
- SANS, which offers security training, certification and research -- http://sans.org/
- Microsoft Security Center, where bulletins are posted -- http://technet.microsoft.com/en-us/security/default.aspx
- The Microsoft Security Response Center (MSRC) -- http://blogs.technet.com/msrc/
- DoD security checklists (DISA STIGs) -- http://iase.disa.mil/stigs/checklist/
- Hacking Exposed book series: an excellent resource for the attacker's perspective -- http://hackingexposed.com/
Think Like a Hacker
The last piece of advice I can add is to thoroughly test your application. Once you think your application is ready, try some malicious activity against it to see how it behaves. Take application testing a couple of steps further: think like a hacker and see how your application behaves. You might be surprised.
Steve Schofield has been a senior systems administrator for a Windows-based hosting provider. He had one of the first websites to run ASP.NET in production. He was an ASP.NET MVP from 2002 to 2006 and has been an IIS MVP since 2006. He's currently a Senior Support Specialist for a large Midwest company.