The configuration of web and application servers is a very important aspect of web applications. Failure to manage configurations properly can lead to a wide variety of security vulnerabilities within servers and environments. When these configurations are ignored or not properly addressed, the overall security posture can suffer. Sometimes the biggest problem that organizations face is that these flaws are not being identified or addressed. Instead, in many cases, configurations are not changed because of the mindset of “if it is not broke, don’t fix it”. This is a big misconception, as more than likely the organization is still vulnerable to the risk even though a problem has not arisen yet.
Security misconfiguration is a serious flaw that appears among the top ten most critical web application security risks published by OWASP. This list is a project built on a broad consensus of security experts and team members who determine the most critical security risks to web applications. Currently this vulnerability is number six on the list.
So what can be done about these insecure configurations? Many configuration vulnerabilities can be detected simply by understanding the environment through network diagrams, spreadsheets, and IP databases, as well as regular security scanning. Identification is where it all begins. An organization should first know what applications it has in its environment so that it can properly protect them. This can be accomplished with active and passive discovery scans that locate everything and produce an inventory. During the discovery phase, all information should also be classified, sensitive data defined, and all labels completed. Sensitive data is anything that is not public or unclassified, such as Personally Identifiable Information (PII), Protected Health Information (PHI), or proprietary data. One great tool for asset discovery scanning is Nmap, a free and open-source scanner that discovers hosts and services by sending packets and analyzing the responses.
After you know what is on your network, the next step is to begin scanning internally and externally for known configuration vulnerabilities. This process typically uses software tools to scan entire networks (or designated ranges) for known security vulnerabilities. The tools also provide information about each vulnerability, possible solutions to fix the problem, and an idea of the risk it poses to the security posture and strength of the network. Some automated tools that can be used for this are OpenVAS, Nessus, Nexpose, and Qualys, to name a few. Scanning is a fairly simple process, but there are still a few things to keep in mind. Some systems, such as printers, Industrial Control Systems (ICS), and phone systems, can be fragile, so take care when including them. Schedule daily jobs to keep on top of everything. Lastly, pull the data back to a central point and flag key changes such as new systems and applications.
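The "central point" step can be as simple as comparing each discovery scan with the stored inventory. The following is an added example, not part of the original article: it parses Nmap XML output (the format written by `nmap -oX`) and flags new hosts, missing hosts, and newly opened services. The sample scan, the addresses, and the `KNOWN` inventory are constructed for illustration, and only IPv4 addresses are handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed Nmap XML report, as written by `nmap -oX`.
SAMPLE_SCAN = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
 <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed previous inventory: host -> set of (protocol, port) known to be open.
KNOWN = {"10.0.0.5": {("tcp", 22)}, "10.0.0.7": {("tcp", 80)}}

def parse_inventory(xml_text):
    """Return {ip: {(protocol, port): service_name}} for hosts reported as up."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # host did not respond in this scan
        addr = host.find("address[@addrtype='ipv4']")  # assumption: IPv4 only
        if addr is None:
            continue
        services = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not part of the inventory
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            services[(port.get("protocol"), int(port.get("portid")))] = name
        inventory[addr.get("addr")] = services
    return inventory

def flag_changes(known, current):
    """Compare the current scan with the stored inventory and list what changed."""
    new_services = sorted(
        (ip, proto, port, name)
        for ip, svcs in current.items() if ip in known
        for (proto, port), name in svcs.items() if (proto, port) not in known[ip])
    return {"new_hosts": sorted(set(current) - set(known)),
            "missing_hosts": sorted(set(known) - set(current)),
            "new_services": new_services}

if __name__ == "__main__":
    print(flag_changes(KNOWN, parse_inventory(SAMPLE_SCAN)))
```

A host listed under `missing_hosts` may simply have been offline during the scan, so treat that list as a prompt to check rather than as proof of decommissioning.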
Once asset discovery and vulnerability scanning are complete, a guideline for the configuration should be created. This guideline should start with the existing vendor-recommended configuration as a baseline and then be modified based on the security organization’s recommendations as well as vulnerability testing results. Once complete, these guidelines should be followed and maintained.
Identifying and addressing security misconfigurations is a process that should be reviewed regularly and compared to previous testing to assess the progress and overall security posture of the organization. This regular maintenance should include monitoring for the latest security vulnerabilities released, applying the most up-to-date security patches available, updating the security guidelines, completing regular asset and vulnerability scanning, and keeping documentation current. Always remember to follow up on any potential threats or flaws in the system. It is OK to disregard some items as false positives, or even to accept them as an acceptable risk, but keep this documented at all times.
Don’t let simple configuration flaws be the difference between a solid security posture and one that is vulnerable to simple attacks. It does not take much to maintain recommended configurations within your system and ensure that everything is up to date and working properly. Once the initial process has been established to create the guidelines, configuration management systems are also available to help standardize configurations and avoid constant maintenance and effort. Once implemented, these management systems can even be set up to make the configuration process semi-automated or completely automated. But even if automated, the process should still be regularly reviewed and maintained.
In the end, it is worth it to simply set up your organization’s web and application configurations to stay protected against vulnerabilities and attacks.