Web-server configuration

You will find below some of the main best practices related to web-server (Apache/IIS) configuration.

  • Change default error pages.

  • Disable old SSL version and ciphers:

    On Apache, edit /etc/apache2/mods-available/ssl.conf. Here is an example:

    • SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    • SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SSLv3:!SSLv2:!TLSv1

    On IIS (see the documentation), perform the following configuration:

    • Add registry subkey in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

    • To enable the system to use the protocols that will not be negotiated by default (such as TLS 1.2), change the DWORD value data of the DisabledByDefault value to 0x0 in the following registry keys under the Protocols key:

      SCHANNEL\Protocols\TLS 1.2\Client

      SCHANNEL\Protocols\TLS 1.2\Server

    Disable SSL x.0

    SCHANNEL\Protocols\SSL 3.0\Client: DisabledByDefault: DWORD (32-bit) Value to 1

    SCHANNEL\Protocols\SSL 3.0\Server: Enabled: DWORD (32-bit) Value to 0

  • Remove the TRACE method:

    On Apache, edit in /etc/apache2/conf.d/security: TraceEnable Off

    On IIS (see the documentation), perform the following configuration:

    • Make sure that Request Filtering role service or feature is installed.
    • In the Request Filtering pane, click the HTTP verbs tab, and then click Deny Verb. In the Actions pane, enter TRACE in the open dialog.
  • Remove the banner:

    On Apache, edit /etc/apache2/conf.d/security:

    • ServerSignature Off
    • ServerTokens Prod

    On IIS, perform the following configuration:

    • Install URLScan.
    • Edit the Urlscan.ini file to have RemoveServerHeader=1
  • Limit query size to prevent important files from being uploaded:

    On Apache, add the LimitRequestBody directive (size in bytes) in / directory.

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        LimitRequestBody 10485760

    On IIS (see the documentation), set the maxAllowedContentLength (maximum allowed content length) in the content filtering options.

Related topics:

On this page