MichaelBalack
asked on
How to harden Apache Tomcat?
This is using MS Windows 2008 R2 Server. This server is set up as a web server using Apache Tomcat 7.0.42. In order to "sustain" possible attacks/hacking from the Internet, the system needs to be hardened. By the way, how do I harden the web server? Where do I find the relevant articles/information?
Appreciate for help.
ASKER
Hi Btan,
Thanks for your comments and articles. Let me go through the suggested article chapters and then update you.
ASKER
Hi btan,
Thanks for your prompt suggestion and sharing. Please give me some time to go through the suggested link. I will get back to you soon.
no worries
ASKER
Thanks to btan for pointing out the core of hardening on Apache. However, I won't have the chance to implement it yet, as the whole hardening project is pending until next quarter.
Thanks, but always go by the secure-by-default principle: do not unnecessarily "open up" default accounts and services to "free" access and probing from the public.
Use of a SCAP-compliant scanner (see the NIST STIG checklists too) may be considered, as well as the CIS benchmark, which is widely used as a hardening baseline. The CIS benchmark needs membership, but you can explore further here; it may not be for the exact version stated, but the fundamentals will not differ.
Overall, NIST has a good checklist (PDF) to run through for the web server aspect (see "5. Securing the Web Server" and "6. Securing Web Content"). The full set of checklists is collated in the PDF as "Appendix E - Web Server Security Checklist", which can be a good checker to start with.
To add, OWASP practices should not be missed either. It has a comprehensive cheat sheet listing, but I suggest you check out the "Attack Surface Analysis Cheat Sheet" and the "Web Service Security Cheat Sheet".
There is quite a large scope for hardening, so I suggest focusing on the principles and the NIST PDF checklist to start with first. Hope it helps.
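A small audit of the "secure by default" items btan describes, as an added example that is not part of the thread: it parses constructed Tomcat 7 `tomcat-users.xml` and `server.xml` fragments and reports active accounts holding Manager/Host Manager roles, the default shutdown command and port, and an enabled AJP connector. The role names, the `8005`/`SHUTDOWN` defaults and the AJP/1.3 connector are Tomcat 7 defaults; the sample files are constructed, not taken from any real server.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager web applications in Tomcat 7.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed sample files (not a real deployment). The commented-out user, as shipped
# in the default file, is not parsed: only active accounts are reported.
USERS_XML = """<tomcat-users>
  <!-- <user username="tomcat" password="tomcat" roles="tomcat"/> -->
  <role rolename="manager-gui"/>
  <user username="admin" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="app" password="app" roles="tomcat"/>
</tomcat-users>"""

SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>"""

def audit_tomcat_users(xml_text):
    """Report every active account that holds a Manager/Host Manager role."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # tolerate a namespaced root
            continue
        name = el.get("username") or el.get("name", "?")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        hit = roles & PRIVILEGED_ROLES
        if hit:
            findings.append(f"user '{name}' holds privileged role(s): {', '.join(sorted(hit))}")
    return findings

def audit_server_xml(xml_text):
    """Flag the default shutdown command/port and any enabled AJP connector."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("shutdown") == "SHUTDOWN":
        findings.append("shutdown command is the default 'SHUTDOWN'; use a random string")
    if root.get("port") == "8005":
        findings.append("shutdown port is the default 8005; change it or set port=\"-1\"")
    for conn in root.iter("Connector"):
        if conn.get("protocol", "").upper().startswith("AJP"):
            findings.append(f"AJP connector enabled on port {conn.get('port')}; "
                            "disable it unless a reverse proxy needs it")
    return findings
```

Point the two functions at the real `conf/tomcat-users.xml` and `conf/server.xml` (read from disk) and each returned list is one item to take into the CIS/NIST checklist review.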