You just finished ramping up a new client. Everyone is logging on using complex passwords, the workstations and servers are on a regular patching schedule, the servers are getting backed up, the Wi-Fi is configured, and the printer is shared. The whole environment is running like a well-oiled machine—you’ve thought of everything! Or have you?
Well, if your client has a website (and who doesn’t, these days?), then they are probably going to ask you about that too. As their MSP, you are handling all of their computing needs, right? If you think that doesn’t involve making sure their website is secure, think again.
The good news is that, unlike large enterprises, most SMBs have small, static sites that do not take much effort to maintain or secure. The five items outlined below will help you to easily improve your client’s website security and return you to “hero-MSP” status in no time!
Of course, while these practices are helpful when securing any website, more complex sites—such as those involving user credentials, databases, scripting, file uploading, or sensitive information (such as PCI, PII, PHI, etc.)—require much more extensive methods to maintain and secure. Some of the issues to consider for these more complex scenarios are mentioned at the end of this post.
1. Find a reputable hosting company.
There is no shortage of companies offering to host websites. Do your homework to find a hosting provider that will meet your client’s needs both now and in the future. Compare features and support offerings. Some questions to frame this research include: Do you want to find a domain registrar that also hosts the website, or do you want to handle that separately? Do you want the provider to handle the DNS for the site, or do you want to do that separately? Do you want to take care of the web server’s OS, or do you want the hosting company to do that? What is the upload/update functionality like? Do you need 24/7 support and, if so, does the provider offer that?
Alternately, you can host the website for your client yourself, either from your datacenter or cloud, or even on the client’s premises. If you do that, you don’t have to worry about a hosting company—but you are on the hook for maintaining and protecting the server(s) hosting the site yourself. Don’t be so quick to dismiss the idea; this route might be lucrative if you end up hosting sites for several clients.
2. Protect the site with a TLS certificate.
Regardless of where the site is hosted, you will want to secure it with a TLS certificate. Simply put, the certificate is what lets browsers talk to the site over HTTPS instead of HTTP. These certificates used to be (and by some still are) called SSL certificates. Some domain registrars, like GoDaddy, offer TLS certificates along with their web hosting. If you aren’t comfortable with certificates, this may be the way to go. However, if you are comfortable with creating and submitting a Certificate Signing Request (CSR) to a Certificate Authority (CA) and installing the resulting certificate on your web server, or if you want to learn how to do these tasks, then you may want to go with a dedicated CA, like Digicert, Entrust, or GlobalSign.
And, if you are wondering whether your client’s site really needs a certificate, think again. The “good old days” of installing certificates on some sites and not others are long over. The cost and effort are well worth it, especially since browsers are getting better and better at flagging non-HTTPS sites these days.
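As an added example (not from the original post), here is what the CSR step described above looks like from the command line with OpenSSL. The hostname www.example.invalid and the file names are placeholders, and the script assumes OpenSSL 1.1.1 or newer for the -addext option. It also shows the check to run before submitting the CSR: browsers and CAs require the hostname in a Subject Alternative Name, not just the Common Name.

```shell
#!/bin/sh
# Added example (not from the original post): generate the private key and the
# Certificate Signing Request (CSR) you hand to the CA, then sanity-check it.
# Assumptions: openssl 1.1.1+ is installed; www.example.invalid stands in for
# the client's real hostname; files are written to the current directory.
SITE=${SITE:-www.example.invalid}

# Fresh 2048-bit RSA key plus a CSR for it. The SAN is set explicitly because
# browsers ignore the Common Name; the bare domain (hostname without "www.")
# is added as a second name so both forms are covered by one certificate.
make_csr() {
  site="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$site.key" -out "$site.csr" \
    -subj "/CN=$site" \
    -addext "subjectAltName=DNS:$site,DNS:${site#www.}" 2>/dev/null &&
  chmod 600 "$site.key"   # the key stays on the web server; only the CSR leaves
}

# Verify the CSR's self-signature and print the SAN line (spaces removed) so
# you can confirm the names before pasting the CSR into the CA's order form.
check_csr() {
  openssl req -in "$1.csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1.csr" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n1 | tr -d ' '
}

# Usage: sh make-csr.sh   (set NO_RUN=1 to only define the functions)
# Keep the .key for the server's TLS configuration; submit the .csr to the CA.
if [ -z "$NO_RUN" ]; then
  make_csr "$SITE" && check_csr "$SITE"
fi
```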
3. Keep your web server up-to-date.
If you do decide to host your client’s web server, or if your hosting agreement specifies that you manage the web server’s operating system, make sure that you take the time to keep the server up-to-date regarding patches and updates. And, focus on the areas you're comfortable with. Are you a Linux/Apache guru? Then stick with that. Are you more of a Windows Server guy/gal? Then you should be running an IIS server. Your client’s web server is not the place for you to learn new things and make mistakes. Stay in your comfort zone and save the learning for your lab!
Avoid revealing too much in error messages.
Even though this post is about securing your client’s website, it goes without saying that you should always try to maximize the performance of your client’s web server by tweaking the OS and server config. However, one tweak that far too many people forget is to turn off revealing error messages. Does your server’s default “Page Not Found” page reveal the server’s operating system or server version? The less you reveal to the world, the better!
4. Limit access.
This is more of a network security consideration and applies if you manage the server hosting the website. Obviously, you need to allow access to the web server from the Internet, but that access should be as limited as possible. The web server should be behind a firewall in a segregated network called a demilitarized zone (or DMZ), and the access you allow to it should only be on port 443 (HTTPS). Of course, if you decided not to install a TLS certificate on the server, you will have to allow port 80 (HTTP). Important: NO other access should be allowed to the web server from the public Internet! When you need to manage the server, you should be accessing it from the inside, not from the outside. If you open other ports to your web server from the outside, it won’t be long before that server is under someone else’s control.
Likewise, there should be no access from the web server into your customer’s internal network (or your network if you are hosting the server from your datacenter). If the web server does get compromised, the systems on the internal network are now at risk if there is any access allowed in from the web server.
A good rule of thumb here is that access should always be granted toward the web server, not the other way around!
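The rule of thumb above, written out as an nftables ruleset for the perimeter firewall in front of the DMZ (an added example, not part of the original post). The interface names, the web server address 192.0.2.10 and the internal range 10.0.0.0/8 are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example (not from the original post): an nftables ruleset for the
# perimeter firewall in front of the DMZ web server described above.
# Assumed names, adjust to your network: WAN/DMZ/LAN are the firewall's
# interfaces; 192.0.2.10 stands in for the web server (RFC 5737 test range)
# and 10.0.0.0/8 for the client's internal network.
WAN=${WAN:-eth0}; DMZ=${DMZ:-eth1}; LAN=${LAN:-eth2}
WEB=${WEB:-192.0.2.10}
INTERNAL=${INTERNAL:-10.0.0.0/8}

# Emit the ruleset as text so it can be reviewed before it is loaded.
make_ruleset() {
  cat <<EOF
flush ruleset
table inet dmz_fw {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Replies belonging to connections permitted below.
    ct state established,related accept

    # Internet -> web server: HTTPS only. Add 80 to the set only while the
    # site still answers plain HTTP (no TLS certificate yet).
    iifname "$WAN" oifname "$DMZ" ip daddr $WEB tcp dport { 443 } accept

    # Management reaches the server from the inside, never from the Internet.
    iifname "$LAN" oifname "$DMZ" ip daddr $WEB tcp dport { 22, 443 } accept

    # Web server -> internal network: nothing, and log the attempt; this is
    # the rule that contains a compromised web server.
    iifname "$DMZ" ip daddr $INTERNAL log prefix "dmz-to-lan-blocked " drop

    # Web server -> Internet: just enough for item 3 (fetching patches).
    # Narrow this to your update mirrors if you can.
    iifname "$DMZ" oifname "$WAN" tcp dport { 80, 443 } accept
  }
}
EOF
}

# Syntax-check with -c first, then load (needs root and the nft tool).
apply_ruleset() {
  make_ruleset | nft -c -f - && make_ruleset | nft -f -
}

if [ -n "$APPLY" ]; then apply_ruleset; fi   # e.g. APPLY=1 sh dmz-fw.sh
```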
5. Test, test, test.
Last, but certainly not least, is testing. I cannot stress this enough. Once you have the web server up and running, try to access it on a port other than HTTPS. Try to discover information about the web server, such as its operating system or other applications running. Poke at it. Break into it if you can. You will learn a lot by trying, and even more if you succeed.
However, don’t worry if you don’t feel comfortable testing the security of the web server yourself. There are plenty of testing tools out there, some free and some paid. Some examples at the time of this writing are Pentest-Tools, Metasploit, Nmap, and the Burp Suite. Leverage the knowledge of security experts to help you find the holes before the bad guys do!
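An added example (not from the original post) that automates the two checks item 5 describes, and at the same time tests for the revealing error messages warned about under item 3. It assumes curl and nmap are installed and uses www.example.invalid as a placeholder for the client's hostname.

```shell
#!/bin/sh
# Added example (not from the original post): a quick post-deployment check
# for the two things item 5 says to try by hand, namely whether anything other
# than HTTPS answers from outside, and whether error responses advertise the
# server software or version (the "revealing error messages" of item 3).
# Assumes curl and nmap are installed; www.example.invalid is a placeholder.

# Does an HTTP response (headers, optionally body) disclose product versions?
# Reads the response on stdin; returns 0 if a leak is found, 1 otherwise.
# Flags Server:/X-Powered-By: values carrying a version or OS tag, such as
# "Apache/2.4.41 (Ubuntu)" or "Microsoft-IIS/10.0", and the footer Apache's
# default error pages print when ServerSignature is left on.
response_leaks_version() {
  tr -d '\r' | grep -q -i -E \
    '(^(server|x-powered-by): .*(/[0-9]+(\.[0-9]+)*|\([A-Za-z ]+\)))|(<address>.*server at)'
}

# Request a page that cannot exist so the server produces its 404 response;
# -i keeps the headers in the output so both header and body get inspected.
check_error_page() {
  if curl -s -i "https://$1/no-such-page-$(date +%s)" | response_leaks_version; then
    echo "FAIL: $1 reveals server software/version in its 404 response"
    echo "      (Apache: set ServerTokens Prod and ServerSignature Off)"
  else
    echo "ok:   $1 error response does not advertise a version"
  fi
}

# From outside the DMZ only 443 (plus 80 if plain HTTP was kept) should reply.
# -p- walks every TCP port, --open keeps the ones that answered, -oG gives
# a one-line greppable summary from which the port list is cut out.
check_open_ports() {
  nmap -Pn -p- --open -oG - "$1" | awk -F'Ports: ' '/Ports:/ { print $2 }' | cut -f1
}

# Usage: sh websvr-check.sh www.example.invalid   (run from outside the DMZ)
if [ -n "$1" ]; then
  check_error_page "$1"
  echo "open TCP ports seen from here: $(check_open_ports "$1")"
fi
```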
If you follow these five best practices, you will be well on your way to comfortably managing and securing web servers for your clients. Of course, while the advice in this post is sound, it is geared toward a small, relatively simple site for a small business.
Topics concerning web security can be large and multi-faceted, so if you find yourself with a larger client and start encountering topics such as the storing of sensitive data, credentials and password complexity, SQL injection, cross-site scripting, file uploads and downloads, load balancing, etc., you should know that you are venturing into this territory and will probably want to consider hiring a specialist who is an SME in website security and management.