Tuesday, November 29, 2011

Making your Apache Web Server more secure

I just wanted to post a few tips that you can use on your Apache 2.2 web server to help make your server a little more secure.  This isn't a list of every security measure you can take but, just a few tips.

One of the first things you should do to secure your Apache installation is to configure Apache file permissions.  This will help mitigate access to primary systems if someone is able to hack into your server through Apache. You can do this by performing the following steps (there are a few, fair warning):
  1. After Apache Web server has been installed open the "Computer Management" console by doing the following:
    1. Click on "Start"
    2. Go to "Administrative Tools"
    3. Click on "Computer Management"
  2. In the "Computer Management" window, expand the "Local Users and Groups" section.  Click on "Users" to see a list of the current users for your system.
  3. Right-click on "Users" and select the "New User" option.
  4. Enter the following information for the new user:
    1. User name
      1. apacheservice
    2. Password
      1. adminpw123 <put something secure here>
    3. Confirm Password
      1. adminpw123 <reminder, change this to something secure>
    4. Clear the "User must change password" check box
    5. Select the "User cannot change password" check box
    6. Select the "Password never expires" check box
  5. Click the "Create" button and then click "Close" to close the "New User" dialog.
  6. Right-click the "apacheservice" user you just created and select "Properties". Click the "Member Of" tab.
  7. Make sure the "apacheservice" user is a "Member Of" the "Users" group.  Click "Cancel" to close the properties window.
  8. Exit out of the "Computer Management" console.
  9. Open the "Services" console by doing the following:
    1. Click on "Start"
    2. Go to "Administrative Tools"
    3. Click on "Services"
  10. Right-click the "Apache2" service and select "Stop".
  11. Open Windows Explorer (not Internet Explorer) and navigate to the following:
    1. C:\Program Files\Apache Software Foundation\Apache2.2
  12. Right-click the "Apache2.2" folder, select "Properties" and then select the "Security" tab.
  13. Make sure that only READ and EXECUTE permissions are granted to the Users group.
  14. No changes should be necessary so just click "Cancel".
  15. Using Windows Explorer, review the permissions for the following:
    1. C:\Program Files\Apache Software Foundation\Apache2.2\logs
  16. Now, we do want to change permissions on the "logs" directory.  To do that do the following:
    1. In the logs Properties dialog's Security tab, click the "Advanced" button.
    2. Clear the "Allow inheritable permissions from the parent" check box.
    3. Click "Remove" in the security window.
    4. Select the "Replace permissions on all child objects" check box and click the "Add" button.
    5. In the "Enter the object name to select" field, type the username "administrator" and click OK.
    6. Under "Allow", select the check box for "Full Control" and click OK.
    7. Click the "Add" button again and in the "Enter the object name to select" field, type the username "apacheservice" and click OK.
    8. Select the following check boxes under Allow:
      1. List Folder/Read Data
      2. Read Attributes
      3. Read Extended Attributes
      4. Create Files/Write Data
      5. Create Folder/Append Data
      6. Write Attributes
      7. Write Extended Attributes
      8. Read Permissions
    9. Click OK when done.
  17. Click OK to close the "Advanced Security Settings" window and again, click OK when asked to continue.
  18. If you check permissions for the "apacheservice" user in the logs Properties dialog's Security tab, you will find we should now have read / write access only.
  19. Click OK to exit out of the logs Properties window.
  20. Now view the security permissions of your web root.  By default, this is the "htdocs" folder found under your Apache2.2 installation.
  21. Click the "Advanced" button under the "Security" tab.
  22. In the "Advanced Security Settings" dialog, clear the "Allow inheritable permissions from the parent" check box.
  23. Click "Copy" in the security window.
  24. Click the OK button to dismiss the Advanced Security Settings.
  25. Select the "Users" group and click Remove.
  26. Select the "SYSTEM" group and click Remove.
  27. Click the Add button and in the "Enter the object name to select" field type the username "apacheservice" and click OK.
  28. In the "Permissions for apacheservice" section, change the permission to Allow Read and Deny Write. Clear any other check box that may be selected.
  29. Click OK to close "WebRootFolder Properties" and click Yes when asked to continue.
    1. Those last steps will ensure that the "apacheservice" user will only ever be able to read, never write, to the root Web document folder.
  30. Switch back to the Services console, or open it again by select Start -> Administrative Tools -> Services.
  31. Right-click the "Apache2" service and select "Properties".
  32. In the properties window, select the "Log On" tab and perform the following steps:
    1. Select the "This account" radio button and type the user name "apacheservice".
    2. Enter the password and confirm the password for the account.
    3. Click the "Apply" button.
      1. You should see a message indicating the account has been granted the "Log On As A Service" right.  This is fine, click OK to dismiss.
    4. Click OK to close the Apache2 properties window.
    5. Right-click the "Apache2" service in the Services console and select "Start".
      1. If you see an error when restarting Apache, then there is a problem with the permissions of the apacheservice user.  Verify your steps by checking permissions (see the instructions leading up to this step).
  33. The last step is simple... When the server comes back up just surf to the URL and ensure it is working.

Now, lets add a few tweaks to our server config file. In the "httpd.conf" file that is located in the "conf" directory of your server you can add the following:
#
# Controls who can get stuff from this server.
#
<Limit GET HEAD POST>
    order deny,allow
    allow from {%}
    deny from all
</Limit>
This configuration is added under your <Directory> for your document root. Replace the {%} token above with any IP address or IP block.  For example you can use the site County IP Blocks to generate a block of IP addresses only from a particular country (such as the USA).  Anyone coming from an IP address not in your block would be denied access.  Or you can do the following...
allow from 127.0.0.1
...to ensure only local access to the Web server.
#
# Limit to POST and GET commands only.
#
<LimitExcept POST GET>
    Require valid-user
</LimitExcept>
This should also be added under your <Directory> root. This configuration will prevent other un-secure commands from being accessed by a user.  POST and GET are really all you should be allowing on your Web server anyway.
#
# Hide server details from the HTTP response header
#
ServerSignature off
ServerTokens prod
This configuration (added at the end of your conf file) hides detailed server information from your HTTP response headers (such as Apache version) from potential attackers.  Attackers use information like that to coordinate attacks on your server.

And, of course you should always follow the security tips provided by Apache.  Those can be located here:

http://httpd.apache.org/docs/2.2/misc/security_tips.html

I hope some of these tips can help you to make sure your Web Server is more secure.  I will likely post more in the future and will also try to include application servers (Tomcat) and even IIS.

Tuesday, November 1, 2011

Dish Network Customer Service Complaint

I wanted to share this email which I have sent to the executivecustomerservice@DishNetwork.com.  It details a horrible customer service (if that is what you call it) experience my wife and I shared in our attempt to cancel service with Dish Network.  I am still waiting for a reply.

To whom it may concern -

My wife and I had a very distasteful experience with what is being called Customer Service at Dish Network.  This began when my wife contacted your Customer Service staff on Wednesday, October 19th, 2011 between 8:00am and 8:30am.  She was informed that our contract with you ended on December 4th, 2011 which was 45 days from the date she called.  The lady she spoke with informed her that it would be a $10.00 fee if we broke contract early between the time of the phone call and before December 5th.

We discussed it and made the decision to break contract early.  This was simply for economic reasons and we had actually intended on re-evaluating in 3 to 6 months.  If at that time we were capable, we planned on entertaining the idea of reconnecting with Dish since we had had nothing but good experiences with the company.

However, upon contacting Customer Service on Sunday, October 30th, 2011 we were told that the amount was actually $10.00 if within one month of cancellation.  If two months, it was actually $30.00.  And, conveniently enough your staff did not document in their call logs about our prior call in.  My wife asked to speak with a manager at this point, as the representative was not willing to deduct $20.00 from the cancellation fee.

This manager informed my wife that the pricing was actually $15.00 for one month and $30.00 for two.  So at this point, we had received our third set of amounts.  My wife again was told that the pricing couldn't be adjusted to honor the first amount we had been told.  At this point she again escalated to the next tier of support. Another manager.

This manager informed her that the amount is prorated $15 for each month of contract time you have left.  So again, $15.00 for the first month and $30 for the second.  At this point I got on the phone and expressed my disgust at how your company was handling our desire to cancel.  Even though we only had less than 4 days before we were inside the one month window (which your team didn't even suggest us wait for 4 days), your management and service staff was unwilling to budge on a mere $20.00 fee.

And to make matters worse, I was told that I would have to pay for shipping the equipment back.  And that this was an additional $15.00 fee if we use your label that is shipped with the return kit.  Again, it wasn't even suggested to us that maybe one of your Dish installers could swing by and just pick the equipment up should they be out in this area.  Or that I could drop the equipment off myself at one of your  locations.

So, you all seem to be perfectly content with throwing away 2 years of customer loyalty because of a grand total of $35 ($20 cancellation and $15 shipping).  I even warned the last manager I spoke with that if she did not help us I would never be willing to return to Dish.  If my wife and I decided to again go with a satellite or cable provider we will certainly not chose Dish Network.  I also warned her that I would warn anyone in the future not to trust your company.  Simply because of this incident.  To be honest, I am completely disgusted at how you all have treated not only myself and my wife.

If you want redeem yourselves, even in the littlest bit, I would highly recommend that you review this complaint and help to accommodate my wife and I.  Beyond that, I would expect that you inform your call centers and customer service staff that the philosophy of not honoring what you tell your customer is unacceptable.