The last thing we will worry about protecting is the server computer on which the web application runs. There are a few ways to do this.
Keep the Operating System Up-to-Date
One of the easier ways to keep your computer safe is to keep the operating system software up-to-date. As soon as you choose an operating system for your production environment, you should set into motion a plan for performing upgrades and applying security patches to it. You should also have somebody periodically check sources to look for new alerts, patches, or updates.
Where you find out about vulnerabilities depends on the operating system software you are using. Typically, this can be done through the vendor you purchase the operating system from, especially in the case of Microsoft Windows, Red Hat or SuSE Linux, or Sun Microsystems' Solaris Operating System. For other operating systems, such as FreeBSD, Gentoo Linux, or OpenBSD, you typically go to the web site representing their organized communities and see what security fixes they are recommending.
Like all software updates, you should have a staging environment in which you can test the application of the patches and verify their successful installation before you perform the operation on any production servers. This lets you verify that nothing has broken in your web application before the problem gets to your live servers.
Being smart with the operating system and security fixes is worth your while. If there is a security fix in the FireWire subsystem of a particular operating system and your server has no FireWire hardware, it is a waste of time to go through the whole deployment process for that fix.
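The triage described above (only fixes that touch software actually on the server go through the staging-and-deploy process) can be scripted. The following is an added example, not from the book: it joins a vendor advisory feed against the list of installed packages and orders the result by severity. Both the advisory feed and the installed-package list here are constructed sample data; on a real host the installed list would come from the package manager (for example dpkg-query or rpm -qa) and the feed from the vendor's security announcements.

```shell
#!/bin/sh
# Added example (not the book's code): keep only the advisories that apply to
# this server, so the FireWire-style irrelevant fixes never enter the pipeline.

# Constructed advisory feed: <advisory-id> <affected package> <severity>
ADVISORIES='ADV-0001 apache2 high
ADV-0002 firewire-utils low
ADV-0003 libssl moderate
ADV-0004 openssh-server high
ADV-0005 php5 critical'

# Constructed list of packages installed on the web server
# (in practice: dpkg-query -W -f='${Package}\n'  or  rpm -qa --qf '%{NAME}\n').
INSTALLED='apache2
libssl
php5
mysql-server'

# sort_by_severity: read "<id> <pkg> <severity>" lines on stdin and emit them
# with the most severe first, so the deployment queue is worked in that order.
sort_by_severity() {
    awk 'BEGIN { r["critical"] = 0; r["high"] = 1; r["moderate"] = 2; r["low"] = 3 }
         { print r[$3], $0 }' | sort -n | cut -d' ' -f2-
}

# applicable_patches: print only the advisories whose package is installed.
applicable_patches() {
    printf '%s\n' "$ADVISORIES" | while read -r id pkg sev; do
        # exact, whole-line match against the installed-package list
        if printf '%s\n' "$INSTALLED" | grep -qx -- "$pkg"; then
            printf '%s %s %s\n' "$id" "$pkg" "$sev"
        fi
    done | sort_by_severity
}

# Usage: the output is the list to push through staging first, then production.
applicable_patches
```

The FireWire and OpenSSH advisories are dropped because neither package is installed, and the remaining three come out critical-first. Replace the two constructed lists with real package-manager output to use it on a host.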
Run Only What Is Necessary
One of the problems many servers have is that they come with large amounts of software running, such as mail servers, FTP servers, Microsoft file system shares (via the SMB protocol), and so on. To run our web applications, we need the web server software (such as IIS or Apache HTTP Server), PHP and any related libraries, the database server software, and not much else.
If you are not using these other pieces of software, shut them off and disable them for good. That way, you will not have to worry about them being safe. Users of Microsoft Windows 2000 and XP operating systems should run through the list of services that their server is running and shut off the ones not needed. If in doubt, do some research; it is highly likely that somebody on the Internet has asked (and received an answer to) what a particular service does and whether it is necessary.
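A quick way to find the services that should not be running is to compare what is listening on the network against what the web application actually needs. The script below is an added example, not from the book: it parses a table of listening TCP sockets in the format produced by Linux `ss -tlnp` and reports every listener whose port is not on an allowlist of web server, database, and administrative SSH ports. The socket table is constructed sample data; on a real Linux host feed it the output of `ss -H -tlnp` instead (FreeBSD users would adapt the parsing to `sockstat -4l`).

```shell
#!/bin/sh
# Added example (not the book's code): flag listening services that the web
# application does not need, so they can be shut off and disabled.

# Ports the application needs: HTTP, HTTPS, the database, and SSH for admins.
ALLOWED_PORTS='80 443 3306 22'

# Constructed sample in `ss -tlnp` format (state, queues, local, peer, process).
SOCKETS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=1203,fd=4))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("apache2",pid=1203,fd=6))
LISTEN 0 50 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=988,fd=10))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=610,fd=3))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=1010,fd=13))
LISTEN 0 5 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1320,fd=3))
LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=1402,fd=30))'

# unexpected_listeners: print "<port> <process> <bind address>" for each
# listening socket whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
    printf '%s\n' "$SOCKETS" | while read -r state recvq sendq local peer procinfo; do
        port=${local##*:}          # text after the last colon is the port
        addr=${local%:*}           # everything before it is the bind address
        # pull the process name out of users:(("name",pid=...,fd=...))
        proc=$(printf '%s\n' "$procinfo" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;        # needed by the application: nothing to do
            *) printf '%s %s %s\n' "$port" "${proc:-unknown}" "$addr" ;;
        esac
    done
}

# Usage: each line names a service to investigate, stop, and disable.
unexpected_listeners
```

On the sample data the mail server, the FTP daemon, and the SMB file-sharing service are reported; the database is not, and the output also shows that it is bound to 127.0.0.1 only, which is how a database serving a local web application should look.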
Physically Secure the Server
We mentioned previously that one of our security threats is somebody coming into our building, unplugging the server computer, and walking off with it. This is not a joke. With the average server being an expensive piece of hardware, the motivations for stealing server computers are not limited to corporate espionage and intellectual theft; some people might want to steal the computer for resale.
Thus, it is rather critical that servers used to run your web applications are kept in a secure environment, with only authorized people given access to it.