How to harden Apache Tomcat?

This is using MS Windows 2008 R2 Server. This server is setup as a web server using Tomcat Apache 7.0.42. In order to "sustain" the possible attack/hacking from Internet, the system need to be hardened. Btw, how to harden the web server? Where do I find the relevant article/information?

Appreciate for help.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Always principle of hardening to remove/disable unnecessary account (default, orphaned, redundant, test accts etc) , services (file transfer, directory browsing etc) and interfaces (port and connection). These are subjected to exposure and constant knocking and fingerprinting by the attacker to find that single hole. Run online security assessment to surface weakness esp if you are running CMS (using CMSMap tool) and having SSL connection (using ssllab test), in short do pentest the server.

Use of SCAP compliant scanner (see the NIST STIG Checklist too) may be consider as well as CIS benchmark used widely as hardening baseline. The CIS (need membership but can explore further here, though it may not be of exact version stated but the base fundamental will no differ).

Overall, NIST has a good checklist (pdf) to run through for the aspect of web server (see "5. Securing the Web Server" and "6. Securing Web Content"). The full no of checklists summary are collated in the pdf reference as "Appendix E-Web Server Security Checklist", can be a good checker for a start.

To add, OWASP practices should not be missed out either. It has a comprehensive cheatsheet listing  , but I suggest you check out -"Attack Surface Analysis Cheat Sheet " and "Web Service Security Cheat Sheet ".

There are quite a large scope for hardening so I do suggest focus on the principles and the NIST pdf checklist to start going first. Hope it helps
MichaelBalackAuthor Commented:
Hi Btan,

Thanks for your comments and articles. Let's me go through the suggested article chapters and then update you.
btanExec ConsultantCommented:
Sure no worries, they are guidelines, but primarily it still need to be contextualised in your environment which you be well aware than most. I also tend to advice we need to be inquisitive in the worst off case when (not "if") something bad happened, are we readily prepared...Wrote something on question to ask just for your info if that helps...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

MichaelBalackAuthor Commented:
Hi btan,

Thanks for your prompt suggestion and sharing. Please give me some time to go through the suggested link. I am get back to you sooner.
btanExec ConsultantCommented:
no worries
MichaelBalackAuthor Commented:
Thanks for btan in pointing out the core of the hardening on Apache. However, I won't have the chance to implement it yet as the whole hardening project will be pending to next quarter.
btanExec ConsultantCommented:
thanks but do always go by secure by default principle where not unnecessarily "open" up default account and service to "free" access and probing from public access ..
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.