Best Practices for Security on Your New Ubuntu Server: Users, Console and Firewall

Reading Time: 4 minutes

Thank you for taking the time to review this important information. You will find this guide broken down into six major sections that coincide with Ubuntu’s security policy guide. The major topics we talk on throughout these articles are as follows:

Continue reading “Best Practices for Security on Your New Ubuntu Server: Users, Console and Firewall”

How to Secure a Site in IIS

Reading Time: 6 minutes

When investigating site infections or defacing on a Windows Servers, the most common root cause is poor file security or poor configuration choices when it comes to how IIS should access file content.  The easiest way to prevent this is to start with a secure site.

Setting up a website in IIS is exceedingly easy, but several of the default settings are not optimum when it comes to security or ease of management.  Further, some practices that used to be considered necessary or standards are no longer or were never necessary, to begin with. As such, we recommend that you follow these steps to set up a website to ensure that it is set up correctly and securely. And while some of these setting or permission changes may seem nitpicky, they go a long way on systems that host multiple domains or multiple tenants as they prevent any cross-site file access.

 

Add the Site to IIS

To add a website in IIS (Internet Information Services),  open up the IIS manager, right-click on Sites, and select Add Website.When adding a site to IIS, we typically recommend using the domain name as the “Site name” for easy identification.  Next, under “Physical path”, you will need to supply the path to where your website content is located or use the “” to navigate to and select the folder.  Configuration options under “Connect as…” and “Test Settings…” do not need to be modified.

When it comes to configuring site bindings, popular belief suggests that you should select a specific IP from the “IP address” drop dropdown; however, that is based on out of date practices typically in relation to how SSLs used to require dedicated IPs.  This is no longer necessary and can actually cause issues when getting into any eplicated or highly available configuration, so it is best to leave IP addresses set to All Unassigned and type the domain name you plan to host in the “Host name” field. Do note that you can only supply one value here; additional host names can be added after creating the site by right-clicking on the site and going to Bindings.  Further, depending on your needs, you may opt to select “https” instead of “http”. To host a site with an SSL, please visit our article on the subject after setting up the site to add an SSL and configure it.

 

Set the Anonymous User

Technically that is all you need to do to set up a site in IIS; however, the site may or may not work, and the security settings on the site are not optimum. The next step in securing your site is to configure the IIS user that will access your files. To do this, you will need to change the associated Anonymous user and make a few security changes on the website’s content folder.

In IIS, select your new site on the left, in the main window double click on Authentication, select Anonymous Authentication, and then click “Edit…” on the right action bar.

 

What is IUSR in IIS?

By default, a new site in IIS utilizes the IUSR account for accessing files.  This account is a built-in shared account typically used by IIS to access file content. This means that it will use the application pool’s identity (user) to access file content.

It may be okay to leave this configured if you only plan on hosting one domain; however, when it comes to hosting multiple domains, this is not secure as it would then be possible for any site using the same account to access files from another site.  As such, and as a standard practice, we recommend switching away from using the IUSR account for sites, and instead selecting “Application pool identity” and clicking OK. Alternately, you could manually create a user on the system for each site; however, then you need to manage credentials for an additional user, need to configure permissions for two users (the anonymous user and the application pool user) and possible complications with password complexity and rotation requirements your server or organization may have.

There is nothing further you need to configure in IIS in terms of security; however, for reference, let’s take a look at the application pool settings really quick.  To check the settings on the application pool, in IIS, select Application Pools on the left menu, select the application pool for the site you created (typically the same name as the name of the site), and then click “Advanced Settings…” on the right action bar.

In here, the related setting is the identity, which by default is “ApplicationPoolIdentity”.  This means to access file content, IIS and the associated application pool will use a hidden, dynamic user based off the name of the application pool to access files.  This user has no associated password, can only be used by IIS, and only has access to files specifically granted to it. As such, it removes the requirement of managing system users and credentials.

 

Set Folder Permissions in IIS

Now, as mentioned, the “ApplicationPoolIdentity” user has very few permissions, so the next and last step is to ensure that the website files have proper security settings set on them. Browse through your file system and find the folder where you plan on hosting your site’s files. Right-click on the folder and go to properties. In the properties interface, select the Security tab.

By default, there are a number of security permissions set up on the folder that are unnecessary and potentially insecure (there may be more than shown here).  To best secure a site, we recommend removing all but the “SYSTEM” and “Administrators” groups and adding the “ApplicationPoolIdentity” user (and possibly any other user you may require, such as an FTP user); however, to do this, you will need to disable inheritance.  To do this, click on “Advanced”, then click on “Disable inheritance”.

 

Here you will get a popup asking if you want to copy the current settings or start with no settings.  Either option can work; however, it is easier to copy the current settings and then remove the unnecessary permissions.  So select “ConvertConcert inherited permissions into explicit permission on this object” and then click OK.

At this point, to remove the unnecessary permissions, click Edit and remove everything other than the “SYSTEM” and “Administrators” groups.  Next, you need to add the “ApplicationPoolIdentity” user to this folder. To do this, click “Add…”. Now, depending on your server configuration, you may get a pop-up asking for you to authenticate to an active directory domain.  Simply click the cancel button a few times until you get the Select Users of Groups screen shown below.

On this screen, you will want to make sure that the “Location” selected is your computer.  If it is not, click “Locations…” and select your computer (should be at the top; you may also need to click cancel on some authentication windows here as well).

The “ApplicationPoolIdentity” user is a hidden user, so it is not possible to search for this user.  As such, you will have to type the username to add it. The username you will need to type is “IIS AppPool\<applicationpoolname>“.  Please see the following example and fill yours out accordingly:

Once you type the user name, click OK.  Now that you’ve added the user, which is by default only granted read permissions, you will want to verify your security settings look similar to the following image, and then click OK.

And with that, you’re done and have a secure site ready to be viewed by the masses without needing to fear that hackers will deface it.

 

Securing within Powershell

As a bonus, if you’re looking to get your fingers wet with some Powershell, the steps covered in this article can also be accomplished on a Windows Server 2012 or newer server through Powershell.  Simply fill out the first two variables with your domain name and the path to your content, and then run the rest of the PowerShell commands to set up the site in IIS and configure folder permissions.

[String]$Domain = ‘<domain_Name>’

[String]$Root = ‘<path_to_your_content>’

Import-Module WebAdministration

#Create App pool & Website
New-WebAppPool -Name $Domain
New-Website -Name $Domain -HostHeader $Domain -PhysicalPath $Root -ApplicationPool $Domain
Set-WebConfigurationProperty -Filter system.webServer/security/authentication/anonymousAuthentication -Location $Domain -PSPath MACHINE/WEBROOT/APPHOST -Name userName -Value ''

#Optionally add www. Binding
New-WebBinding -Name $Domain -HostHeader www.$Domain -ErrorAction

#Remove inheritance (copy)
$ACL = Get-ACL $Root
$ACL.SetAccessRuleProtection($True,$True) | Out-Null
$ACL.Access | ?{ !(($_.IdentityReference -eq 'NT AUTHORITY\SYSTEM') -or ($_.IdentityReference -eq 'BUILTIN\Administrators')) } | %{ $ACL.RemoveAccessRule( $_ ) } | Out-Null
$ACL | Set-ACL

#Add IIS user permissions
$ACL = Get-ACL $Root
$acl.SetAccessRuleProtection($False, $True)
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$Domain", "ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($Rule)
$acl | Set-Acl

Additional Notes: In some cases, sites may need additional write or modify permissions on specific files or folders for file uploads, cache files, or other content.  It is important that you do not apply modified permissions to the entire site. Instead, modify specific directories or files as needed. To apply these settings, go to the file or folder that needs modification, right-click on it, and select Properties.  Switch to the Security tab and click Edit. In there, select the user that has the name of the website (liquidweb.com in my example above), select modify under the Allow column, and then click OK. This will give the ApplicationPoolIdentity and IIS the ability to write to or modify the file(s) or folder(s).

Still need additional protection for your Liquid Web server?  Our Server Protection packages provides a suite of security tools especially for Windows servers.  You’ll get routine vulnerability scans, hardened server configurations, anti-Virus and even malware cleanup, should your site get hacked. Don’t wait another vunerable minute, check out how we can protect you.

 

Install and Configure Mod_Security on Ubuntu 16.04 Server

Reading Time: 5 minutes

Mod_security, also commonly called Modsec for short, is a powerful WAF (Web Application Firewall) that integrates directly into Apache’s module system. This direct integration allows the security module to intercept traffic at the earliest stages of a request. Early detection is crucial for blocking malicious requests before they are passed along to web applications hosted by Apache web sites. This provides and extra layer of protection against common threats a server faces. This article will explore the installation of mod_security along with the CRS (Core Rule Set) in a Ubuntu 16.04 LTS Server running Apache 2.4. Continue reading “Install and Configure Mod_Security on Ubuntu 16.04 Server”

Windows Firewall Basics

Reading Time: 6 minutes

A firewall is a program installed on your computer or a piece of hardware that uses a rule set to block or allow access to a computer, server or network. It separates your internal network from the external network (the Internet).

Firewalls can permit traffic to be routed through a specific port to a program or destination while blocking other malicious traffic. A firewall can be a hardware, software, or a blending of both.

Continue reading “Windows Firewall Basics”

How to Upgrade Ubuntu 16.04 to Ubuntu 18.04

Reading Time: 6 minutes

If you are still using Ubuntu version 16.04, you may want to consider updating to the latest Long Term Support release, version 18.04. In this post, we will cover what a Long Term Support release is and why you would want to use it. You will also learn the significant changes between 16.04 and 18.04. Last, but not least, you will also learn how to upgrade your server from Ubuntu 16.04 to Ubuntu 18.04.

Continue reading “How to Upgrade Ubuntu 16.04 to Ubuntu 18.04”

How to Install and Configure Fail2ban on Ubuntu Server 16.04

Reading Time: 4 minutes

Have you ever logged into your server and seen a message like this?

Last failed login: Fri Dec 28 11:37:02 MST 2018 from 192.168.0.102 on ssh:notty
There were 942 failed login attempts since the last successful login.
Last login: Mon Dec 24 13:35:57 2018 from 192.168.0.101

What happened here?
Continue reading “How to Install and Configure Fail2ban on Ubuntu Server 16.04”

Install and Configure ownCloud on Ubuntu 16.04

Reading Time: 7 minutes

What is ownCloud?

Have you ever used an online collaboration tool or shared files with a co-worker, family member, or friend? You might have used email to send those files, or an online editor to work on a spreadsheet or text document at the same time.

But have you considered the security behind these platforms? Who is safeguarding your data, and who else might have access to it? How can you be certain that content is properly encrypted so that only the intended recipients see it, away from the prying eyes of disgruntled employees, rogue agents, third party data miners, or government agencies? Many people want a certain level of control over exactly who is able to see their sensitive data, and this is where ownCloud comes into play.

Continue reading “Install and Configure ownCloud on Ubuntu 16.04”

Kubernetes RBAC Authorization

Reading Time: 4 minutes

What is RBAC?

Kubernetes Role-Based Access Control or the (RBAC) system describes how we define different permission levels of unique, validated users or groups in a cluster. It uses granular permission sets defined within a .yaml file to allow access to specific resources and operations.

Starting with Kubernetes 1.6, RBAC is enabled by default and users start with no permissions, and as such, permissions must be explicitly granted by an admin to a specific service or resource. These policies are crucial for effectively securing your cluster. They permit us to specify what types of actions are allowed, depending on the user’s role and their function within the organization.

Continue reading “Kubernetes RBAC Authorization”

Remote Desktop Users Group

Reading Time: 4 minutes

The most common way to remotely manage a Windows server is through Remote Desktop Protocol. By default, Liquid Web’s Windows servers only allow the members of the administrators’ group remote desktop access. However, the Remote Desktop Users group grants its members access to securely connect to the server through RDP (Remote Desktop Protocol) as well.

This article will go over the basics of the Remote Desktop Users group. By the end, you will be able to add users to the group, understand permissions, and basic user management.

 

Pre-flight

The information below covers methods to configure the Remote Desktop Users group for Windows Server 2012 through Windows Server 2016 on any Liquid Web Windows server. As a valued customer, if you do not feel comfortable performing these steps independently, please contact our support team for additional assistance. Liquid Web support is happy to walk you through the steps and answer any questions you may have.

 

Managing Local Users and Groups

Users and groups on Windows servers are managed in a number of different ways, but the most user-friendly way is through the Local Users and Groups interface. There are several ways to open the interface. However,  the easiest is to run “lusrmgr.msc”. Lusrmgr.msc can be launched by searching the start menu, command line, or through a run dialog. These methods allow you to find users and groups easily.

Note
To manage local users and groups, you will need to be logged in with a user that has the proper permissions to do so. This is most commonly a user that is already a member of the Administrators group.
Within a windows server type in lusrmgr.msc into the search bar to locate Users where you can find existing users and groups.

 

User Management

Once you open the Local Users and Groups interface, you will see two folders on the left, one for Users, and one for Groups. By selecting Users, you will see a full list of local users on the server. You can also see a variety of related tasks by right-clicking Users, Groups, a user’s name, or a blank area of the middle pane.

There are several ways to add a new user through the Local Users and Groups interface. These methods all result in the same “New User” dialog box opening where you can then configure a Username, Password, and other options. Choose one of the options below to create a new user:

  • With the Users folder selected in the left pane, click the Action menu, then select “New User…”.
  • With the Users folder selected in the left pane, click “More Actions” from the right- hand pane, then select “New User…”.
  • Right-click the Users folder, then select “New User…”.
  • With the Users folder selected in the left pane, right-click in a blank area of the middle page, then select “New User…”.

Once you have created a new user, or have identified the username of the existing user, you are ready to assign that user to a Group. Users assigned to a group are known as group members.

 

Group Management

As with user management, group management can also be performed in several ways. The options below cover several of the most common ways to assign a new member to the Remote Desktop Users group:

  • Select the Users folder from the left pane of the Local Users and Groups interface, open the Users Properties window by double-clicking the user, select the “Member Of” tab, then click “Add…”. Now type “Remote Desktop Users” in the text box and click OK.
  • Select the Groups folder from the left pane of the Local Users and Groups interface, double-click the “Remote Desktop Users” group, click “Add…”, enter the user’s name in the text box and click OK.
  • Open the system settings by right-clicking the start menu and selecting “System”, choose “Advanced system settings”, select the “Remote” tab, click the “Select Users…” button then click the “Add” button. Now enter the user’s name in the text box and click OK.
  • Open the “Server Manager”, select “Local Server” from the left pane, click the blue text next to “Computer Name”, select the “Remote” tab, click the “Select Users…” button then click the “Add” button. Now enter the user’s name in the text box and click OK.
    Note
    When selecting users or groups, it is recommended to click the “Check Names” button after typing in the user or group name. If the name is underlined after clicking the “Check Names” button, then the name was identified correctly.

You can also use the “Advanced…” button when selecting users or groups instead of typing its name. Clicking the “Advanced…” button followed by the “Find Now” button will result in a list of users to select.In a windows server, by right-clicking the User folder you can do a variety of tasks like adding a new user.

 

Notes on Permissions & Security

By default, there are no members of the Remote Desktop Users group and only members of the Administrators group are allowed to connect through RDP. Members added to the Remote Desktop Users group are considered non-Administrative users. These users will be unable to perform most management tasks such as installing software, managing IIS, or rebooting the server.

If a user requires management abilities, the user will need explicit access to that task or will need to be a member of the Administrators. Please use the best practice of “least privilege” when configuring your users, groups, and permissions.

 

Test/Verify Group Membership

When configuring new user and group memberships, you should always review group membership once complete.  Reviewing group membership is most commonly performed through the Local Users and Groups interface. In addition to verifying membership, we also recommend attempting a remote desktop connection with your newest Remote Desktop Users group member. If you are unable to connect with your user, please see our Remote Desktop Troubleshooting article.

Once you have logged in with your newest member of the Remote Desktop Users group, you can further verify that groups are set up correctly by running the command “whoami /groups” from a command line. The output of this command lists the username and its associated Group names.

 

HIPAA Compliant Hosting Checklist

Reading Time: 5 minutes

HIPAA Compliance

In this guide, we outline the essential requirements for HIPAA compliant servers and how Liquid Web helps fulfill these necessities.

 

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, was passed by Congress to protect sensitive user information related to health insurance. This act helps to reduce health care fraud and mandates a standard for handling confidential healthcare information for consumers and businesses.

HIPAA compliance protects this sensitive information and specifies proper guidelines and standards for handling health insurance data. HIPAA also establishes rules for handling, administering, and maintaining electronic servers as well as the hosting of this Protected Health Information. Read more here.

Key Terms and Important Information:

  • HIPAA – Health Insurance Portability and Accountability Act of 1996
  • PHI – Protected Health Information
  • Access Control – To limit who can log in or access sensitive PHI data. Access control helps provide accountability for authorized usage and access to servers with confidential information. HIPAA requires that all users are uniquely identifiable and that the server hosting PHI data is only accessible to specifically authorized users and entities.
  • Audit Control – To log and record hardware, software and procedural work done to maintain and repair HIPAA compliant servers and data centers. HIPAA requires accurate and uniquely accountable logs for the type of work performed, what was accessed, and by whom. This notation is closely related to access control by limiting maintenance to authorized and uniquely identifiable persons or entities, but also refers explicitly to logging any maintenance of physical hardware or server software.  
  • Facility Access Control – To limit physical access to the data center from unauthorized or unaccountable persons. This control makes sure that only designated workers have access to physical servers containing PHI. Liquid Web’s data centers are HIPAA compliant and properly limit access to all servers.

 

To be HIPAA compliant, you must have firewalls in place. Most of the time, compliant hosting will implement hardware, software, and application level firewalls to protect the server from unauthorized users. This security applies to Access Control as well as Transmission Security, which protects PHI from unauthorized access.

HIPAA regulations state the firewalls must be system-wide. The firewall implementations are part of the requirements for limiting access to personal information stored on the server. Firewalls that are properly setup will limit or prevent accessibility from anyone who should not have access, often using explicit whitelists and blacklists. This setup prevents unauthorized employees, clients, or hackers logging into servers with sensitive data.

To be allowed through the firewall your users must have a uniquely identifiable username or identification that has been explicitly allowed access permission.  At Liquid Web, our networking team is at hand to secure your server with hardware firewalls, while our support team is ready to protect sensitive PHI data with software firewalls.

 

HIPAA compliance requires that remote access to the server through an encrypted VPN tunnel. This VPN protects data entering into the tunnel with an encrypted session that lasts only as long as the session exists. Work done between the remote workstation and the server is protected from interception via this encryption. At Liquid Web, our VPN services are automatically encrypted in order to protect your data.

 

Password management is an essential part of HIPAA compliance. Safeguarding passwords and isolating them to identifiable users is integral to the protection of sensitive data. Using multi-factor authentication is highly recommended for this process.

Multi-Factor Authentication forces users logging into the secured server system to use both a password and another form of authentication, such as a mobile device, verifying their identity for granting intended access. Authenticating makes it much more difficult for hackers and unauthorized users to use stolen or brute force-acquired login credentials to access the server, as the user will have to do a secondary verification from a device that is unique to them.

Many companies utilize Google Authenticator which allows your users to have a phone app to use as their secondary verification method. Multi-Factor Authentication falls under Access Control.

 

If you want to be HIPAA compliant, your server cannot be on shared hosting. You must have a server that cannot be accessed by any other business or entities, which means it needs to be private or dedicated to your business. This isolated includes requiring a private IP address that is not used by another entity.

By running on shared hosting, you are breaking HIPAA compliance by allowing non-authorized users access to the server. Hosting with Liquid Web gives you your own private, dedicated server strictly used by your business.

HIPAA requirements for limiting user access and having proper authentication. The server itself must also exist within a HIPAA compliant data center. Liquid Web has a high-security, HIPAA compliant data center that all of our clients are hosted within, falling under Facility Access Control.

 

An SSL certificate must protect any part of your website where sensitive information can be accessed.  An SSL provides end-to-end encryption for the accessed data and logins used, to further protect access to the server. HIPAA defines PHI as Protected Health Information and anywhere that a user can access PHI must be protected with SSL.

For more information about SSL and how it works, click here.

 

A BAA is necessary for HIPAA compliant hosting as it designates the role of the hosting company and defines responsibility for different parts of HIPAA compliance. It does not resolve your business of its HIPAA related duties, but it represents the roles that your business and the hosting company partake.

This Business Associate Agreement allows a hosting company the necessary access to servers to maintain them, while still preventing any other businesses’ unauthorized access to Protected Health Information.

See our HIPAA BAA policy here.

 

HIPAA compliance requires that all Protected Health Information must have an exact backup ready for restoration. These backups must also be located offsite and not on your server for recovery in the event of disaster or server malfunction. At Liquid Web we have two solutions for this, Guardian and DPM Backups.

By having an offsite backup, you are protecting the Protected Health Information and ensuring that no data loss will occur on restoration. Fully restoration is often achieved with continuous backups notating any changes of information on the server.

Read more about our different backup services here.

 

To be HIPAA compliant, the appropriate methods are necessary for getting rid of hardware. This disposal usually requires that the data be wiped entirely and destroyed in a manner that will not allow for restoration.

Data destruction is typically peer-reviewed and documented to state precisely the method of destruction. This process is to prevent any future use of the hardware from being able to recover sensitive PHI data.  Often called Integrity Control it ensures that data is properly altered or destroyed.

 

All logins and maintenance must be fully documented. Any repairs on the physical servers must be logged, especially those related to the security of the server and who logs in to servers for software maintenance and reviews and applies to Audit Control.

At Liquid Web, all of our work is logged and appropriately recorded with HIPAA compliant standards.

 

HIPAA compliance is an integral part of your business. While it can be confusing, our technicians at Liquid Web can ensure you that your Protected Health Information is appropriately handled and follows HIPAA compliant standards. While we have only reviewed a portion of the requirements of HIPAA compliance, feel free to reach out to our HIPAA Specialists for more information about how we handle our data centers and servers.

If you would like to speak with a HIPAA Specialist, start here.