...
Patch and/or upgrade operating system to maintain the OS in a secure state. Security patches should be applied within 30 days of release.
Configure operating system to meet vendor/system best practices
Principle of Least Privilege
Disable all services which are not necessary.
All accounts should have the only required permissions
Remove or disable unnecessary accounts
Change all default passwords and ensure they meet Lehigh password guidelines
OS should be maintained by a qualified administrator. Contact LTS for support options if a local qualified administrator is not available.
Lehigh security tools are installed and properly configured. This will include endpoint detection, host firewalls, IDS, and others.
Patch and/or upgrade server components which have critical/high security flaws. This includes, but is not limited to Apache, IIS, PHP, NGINX, and others.
Configure Web server to meet recommended best practices.
Disable all unnecessary services
Configure to prohibit access to not intended for public distribution. Disallow directory browsing.
Separate web server directories from operating system and application directories
Use secure encryption technologies such as TLS. Should be configured to redirect to https following http strict transport.
All web services should must be accessible using exclusively via HTTPS on port 443. Plain-text HTTP on port 80 should be completely disabled entirely if possible, if feasible. SSL certificates must be maintained to ensure the integrity and confidentiality of data.
This can cause problems for users with old bookmarks or who type domain names manually. If this is of concern, HTTP on port 80 may be enabled and must be configured to return a 301 "Permanently Moved" redirect to HTTPS if accessed by clients.
Web server responses should include the
Strict-Transport-Securityheader with an appropriately largemax-age.
e.g.
Strict-Transport-Security: max-age=31536000(where 31536000 seconds is one year)
HTTPS must be configured to use TLS 1.2 or 1.3.
All versions of SSL, along with TLS 1.0 and TLS 1.1 must not be used.
Weak TLS cipher suites should be disabled.
A list of cipher suites with security ratings and explanations can be found at https://ciphersuite.info/cs/?security=all&sort=sec-desc&singlepage=true . Prefer algorithms labeled 'Recommended' and 'Secure'.
Any cipher suite with the following keywords must be disabled:
NULL,anon,EXPORT,RC4,DES,3DES,MD5Contact security@lehigh.edu if you require assistance with selecting and configuring cipher suites.
Implement firewalls to restrict access to the web server. Only allow traffic to necessary ports (typically 80/http and 443/https).
Web server administrators are responsible for ensuring they are receiving, reviewing, and reacting to vulnerability reports monthly. Please contact security@lehigh.edu to schedule vulnerability reports/tickets.
Enable logging and connect to Lehigh’s central logging service.
Enable detailed logging on web servers. Ensure that logs include access logs, error logs, and security logs.
System backups - Based on the criticality of a system web content, application configs and operating system should be backed up.
...