How can I protect against inbound malicious website threats on port 80 and 443?
We have a web app that lives on port 80 and 443 on a windows server with IIS.
Everything else is locked down. Physical Firewall with VPN.
What is the name given to attacks that come through the web ports like this?
Are these types of malicious software payloads able to execute on the server if you have no protection?
How can we protect from attacks through IIS on port 80 and 443 of the type below?
(Here we've used malwarebytes but I'd like something with central reporting for several servers if possible)
They look like the sort of malicious software you would be warned about if you clicked a bad link, but in this case they are inbound without you clicking on anything.
As far as I know, there are many ways to secure iis web server through configuration, for example:
1.Use end-to-end encryption
- If you have reverse proxy and/or load balancer in front of your web servers, prefer to use SSL-bridging instead of SSL-offloading
- Disable older SSL/TLS versions than TLS 1.2
- Disable weak cypher suits
- SSL/TLS and cypher suit settings are server-wide settings, and IIS supports whatever the OS supports. However, for .NET applications check the below article:
Transport Layer Security (TLS) best practices with the .NET Framework:
https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
2.Configure "Request Filtering":
"Allow unlisted file name extensions": Uncheck (allow only the extensions you will use; add "." to allow extensionless requests)
"Allow unlisted verbs": Uncheck (allow only the verbs you will use)
Lower "request limits" if possible
Request Filtering
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/
3.Remove HTTP headers which identifies the server and application. These headers are believed to cause security vulnerability:
- removeServerHeader
- Remove Unwanted HTTP Response Headers
For more ways you can refer to this link: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/iis-best-practices/ba-p/1241577
- How to best utilize ASP .NET Membership database?
- how to secure my website
- Understanding CSRF
- Why can't a malicious site obtain a CSRF token via GET before attacking?
- REST API from mobile app - Does securing the first call with a CAPTCHA make sense?
- How to disable access security notice "A Potential security concern has been identified"
- Addressing critical vulnerabilities in Maven dependencies
- IDX10503: Signature validation failed. Token does not have a kid. Keys tried: 'System.Text.StringBuilder'
- How can I obtain the user's Logon Session SID (e.g. S-1-5-5-X-Y) or otherwise verify RMF SC-23 Unique Identifiers in Windows
- Is it secure to store passwords as environment variables (rather than as plain text) in config files?
- How can I skip old vulnerabilities and break only with new ones using Snyk scan on Azure DevSecOps?
- Generating a random password in php
- Access token and Refresh token best practices ? How to implement Access & Refresh Tokens
- Securely storing an access token
- Why does angular add ng-version attribute to the app-root html tag
- How to properly handle secrets in a local.settings.json file when adding the function source code to a source control repository
- Conditional Column-level permissions in PostgreSQL
- Embedding youtube video "Refused to display document because display forbidden by X-Frame-Options"
- How can I prevent SQL injection in PHP?
- IFrame security and CORS
- Should I impose a maximum length on passwords?
- <app> would like to access data from other apps - macOS Sonoma
- SELinux syntax error when optional is used inside a tunable_policy macro
- Generate cryptographically secure random numbers in php
- How to get through security error pages in the Firefox web browser?
- How to handle cookies securely during the REST API call in SWIFT 3 or 4?
- Read/write to NFC tag with password protection
- Request for the permission of type 'System.Security.Permissions.FileIOPermission.. failed
- Azure blocks POST requests from User-Agent Mozilla/5.0 to App Service
- How to read a HttpOnly cookie using JavaScript