How can I protect against inbound malicious website threats on port 80 and 443?
We have a web app that lives on port 80 and 443 on a windows server with IIS.
Everything else is locked down. Physical Firewall with VPN.
What is the name given to attacks that come through the web ports like this?
Are these types of malicious software payloads able to execute on the server if you have no protection?
How can we protect from attacks through IIS on port 80 and 443 of the type below?
(Here we've used malwarebytes but I'd like something with central reporting for several servers if possible)
They look like the sort of malicious software you would be warned about if you clicked a bad link, but in this case they are inbound without you clicking on anything.
As far as I know, there are many ways to secure iis web server through configuration, for example:
1.Use end-to-end encryption
- If you have reverse proxy and/or load balancer in front of your web servers, prefer to use SSL-bridging instead of SSL-offloading
- Disable older SSL/TLS versions than TLS 1.2
- Disable weak cypher suits
- SSL/TLS and cypher suit settings are server-wide settings, and IIS supports whatever the OS supports. However, for .NET applications check the below article:
Transport Layer Security (TLS) best practices with the .NET Framework:
https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
2.Configure "Request Filtering":
"Allow unlisted file name extensions": Uncheck (allow only the extensions you will use; add "." to allow extensionless requests)
"Allow unlisted verbs": Uncheck (allow only the verbs you will use)
Lower "request limits" if possible
Request Filtering
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/
3.Remove HTTP headers which identifies the server and application. These headers are believed to cause security vulnerability:
- removeServerHeader
- Remove Unwanted HTTP Response Headers
For more ways you can refer to this link: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/iis-best-practices/ba-p/1241577
- How to make Google Analytics respond to "Do Not Track"
- Implementing Custom Expression Handling with Spring Security 6
- What are the security concerns for JSF?
- App attestation failed with Firebase App check in release on Android
- SQL Server returns error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." in Windows application
- When should I use the deny access functions in Symfony 4.4 controllers?
- Install two traefik ingress controller on same kubernetes Cluster
- Logon events from within credential provider
- How to give access to my API for a mobile app?
- How to verify a JWKS's integrity and authenticity
- Changes in the front-end (Vue.js) part of the PatrolHears project (open source code)
- ECPrivateKey to ECPublicKey without BouncyCastle
- What TargetName to use when calling InitializeSecurityContext (Negotiate)?
- java.security.NoSuchAlgorithmException:Cannot find any provider supporting AES/ECB/PKCS7PADDING
- Which procedure is more secure for encryption using Password and Seed
- Source security group isn't working as expected in AWS
- Google Authenticator available as a public service?
- Where do you store your salt strings?
- Can other software programs deny access to data sealed in a PCR of a TPM by extending measurements to that PCR?
- How do I skip certains rules for parameter in a path in ModSecurity?
- Facebook image URLs - how are they kept from un-authorised users?
- How to serve attachments privately using Rails?
- java.lang.SecurityException: Permission Denial: starting Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER]
- <app> would like to access data from other apps - macOS Sonoma
- IdentityServer4 and SSO
- How to prevent Screen Capture in Android
- Prevent QR code from being copied and QR code should be scanable by my mobile app only
- How to pin the Public key of a certificate on iOS
- Preventing to send requests from different devices
- Clarification regarding SOC-2 compliance in multiple locations