Hardening web servers is an important part of a vulnerability management program. Attackers who exploit flaws in a web server may gain access to the system hosting it and perform unintended actions.

Web server hardening involves:

  • Modifying the configuration file to eliminate server misconfigurations.
  • Managing SSL/TLS certificates and their settings to ensure secure communication between the client and server.
  • Restricting access permissions to the web server installation directory.

This guide will help you understand how to secure web servers hosted on your network using Vulnerability Manager Plus.

Note: Vulnerability Manager Plus supports web server hardening for Apache, nginx, IIS, and Tomcat.

Steps involved in web server hardening:

  1. Start the VMP console.
  2. Navigate to threats > web server misconfigurations.
  3. Click on "view resolution" for each web server misconfiguration.
  4. Follow the resolution manually in the machine on which the web server is installed.

Modifying the configuration file:

This applies only if the resolution involves modifying web server configuration files. A graphical user interface for accessing and modifying the configuration is available only for IIS. Therefore, for Apache, Tomcat and nginx, you need to open the configuration file in a text editor such as Notepad or Notepad++ and perform the resolution mentioned. For IIS, changes to the server configuration can be made through "Internet Information Services (IIS) Manager".
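After a manual edit, it helps to confirm that the weak setting is really gone from the file. The script below is an added example, not part of Vulnerability Manager Plus; it covers nginx only, and the three rules it checks (deprecated ssl_protocols values, server_tokens on, autoindex on) and the sample configuration are assumptions chosen for illustration, not the product's own list of misconfigurations.

```python
import re

# Constructed sample of an nginx configuration; not taken from any real server.
SAMPLE_CONF = """\
http {
    server_tokens on;          # version shown in headers and error pages
    # ssl_protocols SSLv3;     (commented out, must be ignored)
    server {
        listen 443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        location /files/ {
            autoindex on;
        }
    }
}
"""

# Protocol versions treated as deprecated by this example (assumed rule set).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_nginx(conf_text):
    """Return (line_number, directive, detail) for each weak setting found."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        # Drop comments; a '#' inside a quoted value is not handled here.
        line = raw.split("#", 1)[0].strip()
        # A simple directive has the form: name arg1 arg2 ...;
        match = re.match(r"^([a-z_]+)\s+([^;{]+);", line)
        if not match:
            continue
        name, args = match.group(1), match.group(2).split()
        if name == "ssl_protocols":
            # Compare whole tokens so TLSv1.2 is not mistaken for TLSv1.
            weak = sorted(WEAK_PROTOCOLS.intersection(args))
            if weak:
                findings.append((lineno, name, "deprecated: " + " ".join(weak)))
        elif name in ("server_tokens", "autoindex") and args == ["on"]:
            findings.append((lineno, name, "enabled; set to off"))
    return findings


if __name__ == "__main__":
    for lineno, name, detail in audit_nginx(SAMPLE_CONF):
        print(f"line {lineno}: {name}: {detail}")
```

Run it against the configuration file before and after applying a resolution; an empty result for the edited file means none of these three settings remain.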