Securing an application server that has a webserver installed

I have a Windows Server that hosts an ERP application which all internal employees connect to in order to work.
Now a web server (Apache) needs to be installed so that outside clients can view reports using a web browser.

What is the common and safe way to set this up on a network?


bbao, IT Consultant, commented:
> What is the common and safe way to set this up on a network?

It depends on how you define the "safe way"...

You need to first clarify what you want to protect: the web server (not hacked and always online), or the data (not compromised and not accessible to unauthorised users)? Or both?
btan, Exec Consultant, commented:
I do suggest separating the web and appl tiers if possible to segregate exposure, as most of the time web appls are more vulnerable, and having the appl tier on the same machine just increases the risk of the appl service being breached. Furthermore, since it was originally only for intranet access, it does warrant being secured and erring on the safe side so as not to be over-exposed. (See the part on virtual patching and the use of EMET.)

Hence, as a relook at the use case for the report via internet:
- only allow secure remote access, limited-user or authorised-user based
- only allow a limited, sanctioned set of reports for access via the Apache web server acting as proxy to the ERP appl services
- consider even only exposing duplicate cached copies in the Apache web server, to reduce the multiple accesses to the ERP
- consider segmenting out a DMZ to isolate the possibility of directly bridging via this same machine; ideally it can be a separate machine, with a FW as the tier checker of every transaction flowing in and out through them only, with policy rules enforced.
- consider an application-aware proxy (or FW) for high-risk exposed servers such as the Apache server in the web tier, and even augment the appl-aware FW with Web appl FW capable devices or software installed with Apache

It seems overboard, but the whole idea is still to reduce exposure and add on:
- stringent rule tightening at the web tier FW, e.g. just open HTTPS or SFTP based on your remote access policy.
e.g. if there is no strict remote access, consider having an authentication login via HTTPS prior to access. Go for TLS (no SSLv3 and below, minimally at Windows OS level hardening).
e.g. if remote access is considered, a VPN setup (on user identity, with smartcard ideally or a second-factor equivalent) for channel confidentiality (pt-to-pt protection) first, then the actual authorisation and authentication prior to granting data access (end-to-end access).

- harden the Apache facing the internet or the publicly accessible segment, esp. in these aspects (though on Linux, the config should still be applicable, but subject it to testing at staging first to assess whether it breaks any appl services or access)
e.g. Apache SSL hardening: disable SSLv3 support, restrict Apache information leakage, and Web Application Firewall - ModSecurity.

Overall, the general guideline to hardening is to:
- avoid low-hanging fruit such as the use of open CMSes like Joomla, WordPress etc. (if needed, patch them readily and timely).
- enforce the available directives in php.ini (if applicable) to lock down services or access control
- enforce a regime to verify the IPS/FW configuration with ingress and egress checks at tier level.
- consider having an outbound check for leakage, using a FW or equivalent capability, to check for potentially sensitive info
- review all web and appl request processes on the server for the service account used; run them as a user with least privilege
- avoid use of super admin or default admin account settings; have role-based assignment with a clear access matrix
- avoid administration via the publicly accessible interface; if needed, enforce multi-factor authentication and restrict it to a certain range of authorised admin machines.

Pardon me for the lengthy pitch and for being conservative; it is always part of security due diligence.
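The web-tier points in this answer (HTTPS only with SSLv3 disabled, restricted information leakage, a login before anything reaches the ERP, and only the report path exposed through the proxy) can be expressed as a single Apache 2.4 virtual host. The fragment below is an added illustration, not configuration from the thread or from any of its participants; the hostnames, ports, certificate and password file paths, and the `/reports/` path are assumptions, and it presumes mod_ssl, mod_proxy, mod_proxy_http, mod_headers, mod_alias, mod_auth_basic, mod_authn_file and mod_authz_core are loaded.

```apache
# Added example (not from the thread). Apache 2.4 reverse-proxy vhost for the
# web tier: only the ERP report path is exposed, only over TLS, only after login.
# All names, ports and file paths below are assumptions for illustration.

# Restrict information leakage: no version banner in headers or error pages,
# and no TRACE method.
ServerTokens Prod
ServerSignature Off
TraceEnable Off

# Plain HTTP exists only to send clients to HTTPS.
<VirtualHost *:80>
    ServerName reports.example.com
    Redirect permanent / https://reports.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName reports.example.com

    ErrorLog  "logs/reports-error.log"
    CustomLog "logs/reports-access.log" combined

    # TLS only: SSLv2/SSLv3 (and the old TLS 1.0/1.1) are refused.
    SSLEngine on
    SSLCertificateFile    "conf/ssl/reports.example.com.crt"
    SSLCertificateKeyFile "conf/ssl/reports.example.com.key"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    Header always set Strict-Transport-Security "max-age=31536000"

    # Never act as an open forward proxy; only the explicit ProxyPass below.
    ProxyRequests Off
    ProxyPreserveHost On

    # Default: everything is denied ...
    <Location "/">
        Require all denied
    </Location>

    # ... except the report path, which requires a login first.
    # (Basic auth is acceptable only because the channel is TLS; the
    # htpasswd file holds the authorised external users.)
    <Location "/reports/">
        AuthType Basic
        AuthName "ERP Reports"
        AuthUserFile "conf/reports.htpasswd"
        Require valid-user
    </Location>

    # Forward only /reports/ to the ERP appl tier, which sits on a separate,
    # firewalled segment (assumed host and port).
    ProxyPass        "/reports/" "http://erp-app.internal:8080/reports/"
    ProxyPassReverse "/reports/" "http://erp-app.internal:8080/reports/"
</VirtualHost>
```

The `<Location "/">` deny comes first so that the later `<Location "/reports/">` block overrides it for that path only (Apache 2.4 replaces a parent's `Require` rules in a more specific section unless `AuthMerging` is turned on). Test this in staging, as the answer advises, because the ERP report pages may reference other paths that this configuration deliberately refuses to proxy.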
edu87, Author, commented:
> > What is the common and safe way to set this up on a network?
>
> It depends on how you define the "safe way"...
>
> You need to first clarify what you want to protect: the web server (not hacked and always online), or the data (not compromised and not accessible to unauthorised users)? Or both?

I am more worried about the server that holds the system (ERP). I don't want hackers to be able to get into that server and mess things up, plus get inside the LAN.

Note: it is not a huge company, so I don't have too much money to spend on providing extraordinary protection.
btan, Exec Consultant, commented:
Protect the critical data; if the ERP DB is there, the whole server and its external interface minimally need to be hardened at the server level, with lockdown of the appl interfaces by reducing the services, allowing only authorised access and restricting account access to least privilege. Network segregation of the ERP services into layers, of which the web layer is the first, and multi-tier by firewall to filter authorised web/app calls to the ERP DB. It can still be a single firewall with VLANs to cut cost, and VMs on a single physical host for web/appl while the DB stays on another physical server. I would say these are the bare minimum if possible, esp. if such systems are internet accessible or remotely accessible.
